In 2014, a business associate of a healthcare entity was notified by law enforcement that it had suffered a cyberattack on the company's information system. Unfortunately, the hackers were able to access and exfiltrate the health information of more than 6 million people from numerous entities served by the business associate. In addition to a fine issued by OCR, a related covered entity was sued and a multimillion-dollar settlement was reached. OCR placed the covered entity under a very detailed corrective action plan.
Six years later, cyberattacks have become not only more prevalent, but also more aggressive. According to recent research conducted by Check Point, the U.S. experienced an estimated 98% increase in ransomware attacks. Additionally, Check Point saw a 50% increase in the daily average of ransomware attacks in the third quarter of 2020 compared to the first half of the year. Microsoft is reporting the same observations. Healthcare is the hardest-hit industry.
In the last month alone, according to OCR's "Wall of Shame", almost 7 million individuals have had their health information breached. This includes almost 70 healthcare organizations or their vendors in several states such as California, Colorado, Florida, Georgia, New York, Ohio, Pennsylvania, and others. Sixty-two of those healthcare organizations where the breaches occurred were healthcare providers, five involved business associates or vendors, and one was a health plan. A staggering 90% of these breaches were due to a hacking or IT incident involving email or network servers.
In one recent example, one of the largest health systems in the U.S. was hit with a crippling cyberattack. The large health system had system outages at all of their locations and was finally able to restore them a week or more later.
These news headlines remind us almost every day that cyberattacks are not going away anytime soon. It is more important than ever for healthcare organizations to engage in steps designed to prepare for, and respond to, network intrusions.
There are a number of steps a healthcare organization can take to minimize the risk of security incidents: develop a written incident response plan; incorporate security awareness and privacy training for all personnel who have access to protected health information; limit unnecessary or inappropriate access to protected health information; and implement specific policies and procedures regarding business associates, including the use of business associate agreements and audits of business associates.
Importantly, organizations with health information should follow a security framework such as NIST SP 800-53, HITRUST Common Security Framework, or the Center for Internet Security 20 Critical Security Controls. Some specific prevention tips include the following:
- Employee Training and Education: Employees should be trained to detect creative and sophisticated phishing email campaigns, which pose the biggest threat and are nearly indistinguishable from legitimate emails. A well-educated and attentive workforce is the best tool to reduce risk. Make sure employees are fully aware of your organization's cybersecurity policies and recognize that you are a target of hackers who are continually looking to steal sensitive information from computer networks.
- Identity and Access Controls: Steps should be taken to protect access to systems and applications. This should include the use of complex passwords with robust policies and deployment of multi-factor authentication. This should also include restricting access to only those authorized individuals who "need to know" or "need to access" information in order to fulfill their job responsibilities.
- Asset Inventory: Establishing and maintaining an up-to-date inventory of software and hardware assets is essential to achieve the critical security goal of detecting changes within the environment or systems that require more complex security controls.
- Make a Data Map: Healthcare organizations should identify where relevant health information resides on their internal networks. Creating a data map is the best way to start that analysis. It will also identify how data is processed internally, how it is secured, and how it can be deleted in compliance with internal document retention policies and the various data protection laws.
- Data Protection and Encryption: Encryption should be used to secure sensitive data both in transit and at rest. Additionally, systems should be deployed for creating backups, checking backups, and restoring backups of all vital applications and data in a separate and secure location. Ideally, backups should be "gapped" to ensure they cannot be accessed or corrupted by a malicious attacker.
- Deploy Endpoint Monitoring: As encryption has become weaponized through sophisticated ransomware attacks, one of the strongest elements of a layered defense is the use of advanced endpoint monitoring, with strong data analytics used in a heuristic manner.
- Vulnerability Management: Processes should be in place to continuously monitor the environment for security vulnerabilities, including application of security patches. Ensuring that patches are updated in a timely manner will reduce the vulnerabilities available to threat actors.
- Vendor Management: A vendor management plan should be developed to ensure due diligence and minimize risk through the lifecycle of the vendor relationship when engaging third parties to perform services. Specifically, if a service provider might have access to health information, include a provision in the service provider agreement that incorporates a Business Associate Agreement.
- Cyber Insurance: Obtain appropriate cyber insurance. The expenses of responding to a cyberattack can be substantial, and may involve deployment of tools to contain the attack, as well as forensics investigations to determine what happened, when it happened, and how it happened. Similarly, there may be costs associated with notifying potentially affected patients and regulators. This economic risk can be mitigated by the acquisition of appropriate cyber insurance.
While the above steps will help minimize the risk of a successful cyberattack, organizations should also be prepared to mitigate attacks by taking steps such as developing written incident response plans that are reviewed and revised regularly, developing crisis communication systems, and conducting periodic tabletop exercises to test these measures.
The rise in cyberattacks on the healthcare sector is becoming the next major public health crisis. Successful attacks and breaches can have huge financial implications, result in patient uncertainty, and, in a worst-case scenario, interfere with medical services. Fortunately, there are steps that healthcare organizations can take to bolster their cybersecurity posture and minimize the likelihood of such events occurring.