Healthcare’s Most Dangerous Cybersecurity Threat

Healthcare providers face a tsunami of cybersecurity threats—from opportunistic attacks on unpatched vulnerabilities in internet-facing systems to clever “social engineering” gambits that induce unsuspecting users to click on perimeter-compromising emails as well as text messages seemingly from a known colleague with a request to respond.

And those threats are inflicting significant damage. The FBI reported that more than 40 million patient records were compromised by hackers in 2021. That means compromises have more than tripled since 2018.

Worse yet, the average cost of a healthcare security breach is by far the highest among all sectors. According to IBM, that per-incident cost rose a startling 29.5% from $7.13 million in 2020 to $9.23 million in 2021. No other sector’s per-incident costs come close. In fact, the sector with the second highest per-incident costs—financial services—actually saw its per-incident cost decrease from $5.85 million to $5.72 million.

Multiple factors account for the magnitude of risk healthcare providers face. These factors include:

• The high value of personal health information (PHI) on the open market.
• The large “attack surface” inherent in healthcare environments that spans multiple networked locations and includes large numbers of medical devices and vendor partners.
• An ever-changing portfolio of medical devices that vary greatly in vintage and vulnerability.
• Extensive interconnectedness with other healthcare entities.

But the most dangerous cybersecurity threat to any healthcare provider is its dearth of cybersecurity resources. Four out of ten providers spend 6% or less of their IT budget on security. That’s significantly lower than the broader average of 10%. And a remarkable 23% don’t even have a dedicated cybersecurity budget “carve-out.”

Worse yet, no amount of money can compensate for the current dearth of available cybersecurity talent. About 600,000 jobs open up for cybersecurity workers every year in the U.S. across all sectors. Unfortunately, the observers at MIT Technology Review claim that less than 25% of the applicants for those positions are qualified. And the worldwide shortfall of cybersecurity professionals has been estimated at about 3.5 million.

“It’s impossible to outbid big tech companies for cybersecurity talent,” says one VP/CIO at a provider organization operating a 350-bed hospital and several associated clinics. “It’s especially difficult to find people who combine technical competency with the soft skills they need to effectively communicate with our staff.”  

Given such big challenges and such problematic resourcing, it’s no wonder that providers seek healthcare IT consulting partners who can deliver the expertise and services they so desperately need.

The Three-Fold Risk Mitigation Challenge

Effective mitigation of cybersecurity risk requires smart, decisive action on three fronts:

Guarding the perimeter

Perimeter defense has historically been the primary focus of healthcare cybersecurity teams. And with good reason. After all, if you can stop the enemy at the border, your territory will be safe.

Perimeter defenses take many forms, including:

• Antivirus/anti-malware to identify and remove any malicious code attackers attempt to inject into endpoint systems.
• Access controls such as strong passwords, multifactor authentication, and VPNs.
• Vulnerability management that helps IT staff identify known software vulnerabilities in internet-facing systems.
• Endpoint detection and response (EDR) that alerts cybersecurity staff about potential indicators of an active attack.

Given the continued evolution of social engineering, healthcare cybersecurity leaders also now see user education as a key component of perimeter defense. “People love to click on things,” says the director of IT security at a large physician-owned provider network. “If you don’t address that problem, you’ll always be vulnerable to ransomware.”

Internal vigilance

No perimeter is 100% impenetrable. And insiders such as employees and contractors present a risk, too. That’s why effective cybersecurity also requires the ability to quickly identify and neutralize active threats that have bypassed perimeter defenses.

To achieve requisite levels of internal vigilance, healthcare organizations need:

• Comprehensive, up-to-date threat intelligence that keeps them informed about the latest attack techniques of both cybercriminals and state actors—as well as the tell-tale indicators that an attack may already be underway.
• Monitoring technologies such as security information and event management (SIEM) and extended detection and response (XDR) that can detect attack indicators anywhere across endpoints, networks, and/or clouds.
• Threat response capabilities in the form of both hands-on professionals and automated actions.

Healthcare organizations can also protect themselves against threats that get past the perimeter through encryption, granular segmentation of administrative privileges, air gapping, and other best practices.

Recovery preparation

Even with great perimeter defense and intensive internal vigilance, a cyberattack can still be successful. Healthcare organizations must therefore further mitigate their risk by preparing for recovery from a successful attack. Such recovery measures can include:

• Operational continuity. Healthcare providers must make plans to recover their digital operations using backup systems. They must also rigorously test these continuity plans to ensure that their backup data isn’t compromised by the same attack that compromised their primary systems.
• Operational playbook. While IT and vendors recover digital operations, the work must still be done. The playbook is a defined process to allow an organization to work manually if a system (e.g., EMR, billing, etc.)  is shut down. Yearly tests of the manual process should be part of this mitigation so that staff know what to do if/when a system is rendered useless for a period of time.
• Cyber Insurance. Healthcare providers can indemnify themselves against the financial consequences of a breach. This indemnification typically requires that they meet the stringent standards of cyber insurers.
• Payment contingencies. Healthcare providers should determine in advance under what conditions they would pay a ransom demand and, if so, put in place the mechanisms necessary to make such a payment in cryptocurrency. They must also bear in mind, however, that threat actors do not always honor their promises to provide relief upon payment.

The Role of Healthcare IT Consulting

With such an extensive and complex cybersecurity agenda on their plates, it’s no wonder healthcare providers are turning to skilled, specialized partners for assistance. That assistance can include:

• Current-state assessment. The right healthcare IT consulting partner can audit an organization’s cybersecurity posture, engage in adversarial testing to empirically validate (or invalidate) an organization’s assumptions about its exposure to risk, and pinpoint areas in particularly urgent need of improvement.
• Cybersecurity expertise. Healthcare organizations can leverage a consulting partner’s field-proven insights across a wide range of issues—from security operations (SecOps) workflows and access permissions to vendor certification and user training—to remediate shortfalls in their current risk mitigation capabilities.
• Virtual CISO. Responsibility for cybersecurity at healthcare organizations often falls to CIOs or VPs of IT who have many other imperatives competing for their attention. A full-service consulting partner can provide qualified CISO oversight on an “as-a-service” basis, filling this problematic management gap with just the right cost/benefit ratio.
• Project management. Healthcare organizations often need expert guidance and experienced leadership to help them achieve specific near-term cybersecurity objectives. A well-scoped partner engagement is ideal for fulfilling these clearly defined objectives.
• Operational playbook. The organization can benefit from an expert consulting partner who has the operational expertise to craft the playbook, run mock drills for manual work during a system outage, create/update policies for a manual operation, as well as provide training and guidance to the organization.
  

While general-purpose cybersecurity specialists can theoretically address some of these issues, healthcare organizations are best served by a consulting partner with deep knowledge of the healthcare sector. Healthcare-specific expertise is vital for addressing the vulnerabilities and risks specific to providers: regulatory mandates regarding PHI, a growing number of intelligent medical devices connecting to the network, extended networks connecting satellite clinics and practices, etc.

Just as important, a true healthcare IT consultant knows how to aggressively mitigate risk without impinging on every provider’s primary goal: excellent patient care.

“You can’t effectively secure a healthcare provider’s clinical and administrative processes if you don’t fully understand those processes,” says Sheryl Zarozny, vice president of consulting services at Change Healthcare. “An intimate understanding of healthcare provider processes is also essential if you’re going to protect those processes from the potential adverse impact of poorly conceived cybersecurity measures.”