The Workgroup for Electronic Data Interchange (WEDI), a nonprofit authority on the use of health IT to create efficiencies in healthcare information exchange, has released a new white paper exploring common vulnerabilities exploited by cybercriminals in today's healthcare environment and the best practices organizations can implement to mitigate them. The white paper, "The Rampant Growth of Cybercrime in Healthcare," summarizes cybersecurity topics discussed at multi-stakeholder cybersecurity roundtables convened in November 2015 and April 2016 by WEDI and sponsored by Fortinet.
The 15-page document outlines how cybercrime has become commonplace in the healthcare landscape given the high value of digital health records, which have "attracted organized crime and government-sponsored entities that in turn are capable of launching sophisticated attacks to disrupt, disable, destroy or maliciously control digital technology and data of organizations." As the use of health IT becomes more widespread, cybersecurity must be more directly integrated into the fabric of healthcare and ultimately become an organizational asset perceived as being as commonplace and mission-critical as hygiene and patient safety procedures have become to quality care. No matter how high the walls any one organization is able to erect against cybercriminals, the healthcare industry at large must coalesce as a united front to more collectively address how to implement a universal culture of cyberdefense and train a more resilient workforce to mitigate threats.
Best Practices for Mitigating The Risk of Cybercrime in Healthcare
In light of the cybersecurity challenges identified, roundtable participants outlined four best practices for mitigating the risk of cybercrime in healthcare:
1. Drive a cultural change in how cybersecurity is approached in healthcare, beginning with raising awareness to educate stakeholders around the risk and cost of cyberattacks.
Currently, cybersecurity is too often perceived as an issue that only concerns IT support staff, rather than a core business asset that critically impacts every department of an organization. The implementation and management of robust cybersecurity strategies must go beyond technical aspects to embrace the process of tackling human factors and driving culture change. Similar to the call to action spearheaded by the Institute of Medicine in the early 2000s to improve the quality of care, a paradigm shift is needed to fundamentally reframe cybersecurity as a national priority that concerns the value of care and patient health and safety.
While culture change must begin from within each healthcare organization, which must become more aggressively defensive, it must also extend beyond to the greater landscape of health and life sciences at large to encourage a more collective mindset. Currently, cybercrime is often a tragedy of the commons in which fragmented self-interests encourage organizations to circle their wagons, rather than transparently communicate and effectively coordinate a response to limit collateral damage to the broader healthcare community.
In today's environment of insider threats and social engineering attacks that target human vulnerabilities, merely raising awareness among employees of the need to handle health data and devices with care is woefully insufficient. Organizations must actively train and retrain staff at all levels in best practices for how to prevent, detect, respond to, report, manage, mitigate and recover from cybercrimes.
2. Build the business case for cybersecurity and move it into the executive suite.
Healthcare organizations, particularly providers, are in desperate need of training and resources to achieve basic levels of protection. However, cybersecurity strategies are often perceived as cost-prohibitive because organizations are not fully aware of their liability, risk or the cost of a cyberattack. Without an accurate understanding of return on investment, executives may be unwilling to invest appropriate resources in building a secure IT infrastructure or in hiring and retaining security professionals if they perceive greater value in other assets.
Accordingly, cybersecurity must be moved off the IT desk and into the C-suite so that strategies can be more effectively planned, executed and integrated by a Chief Security Officer (CSO). Given how many cyberattacks continue to be attributable to human error and behavior, most healthcare organizations need a CSO whose department can oversee compliance with protocols, drive user training on how health data should be securely accessed, used, stored and shared according to best practices, and continuously monitor for vulnerabilities that adversaries may seek to exploit.
3. Develop cybersecurity frameworks that provide a robust, forward‐facing roadmap to protect organizations in a changing environment.
To date, frameworks such as the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the Health Information Trust Alliance (HITRUST) Risk Management Framework have provided an initial blueprint of existing standards, policies, procedures and principles for assessing, establishing, managing and improving cybersecurity programs. However, the majority of healthcare organizations remain vulnerable to the attack methods in use today, and are largely unprepared for the threats that may arise in the future.
The NIST and HITRUST frameworks are helpful in providing the initial groundwork for a strategic roadmap to address vulnerabilities, but organizations must also execute tactical steps such as proactive patch management, decommissioning of legacy systems and realignment of systems. As mobile and cloud-based technologies become more pervasive in healthcare, it will be increasingly important for organizations to adopt a multi-layer network security approach that ensures data is protected, segmented and monitored.
In the current environment, organizations need a common set of best practices and standards so that data can be safely and securely shared. On the one hand, the decentralization of care delivery and the growing liquidity of health data between different settings are redefining the arena that must be protected, calling for more robust, end-to-end solutions. Organizations must expand beyond controlling how data is received, used and stored internally to also address how data is managed externally across different endpoints and devices.
On the other hand, frameworks must also provide cost-effective measures that organizations can adopt at scale. Even with buy-in from leadership, many small to mid-size organizations do not have the budget to implement comprehensive cybersecurity solutions or to retain enough trained staff when security professionals may be better compensated in other industries. It is therefore all the more important that organizations raise awareness of the importance and value of keeping health information safe, and train employees in cybersecurity best practices.
Ultimately, if cybersecurity practices are to become as commonplace and routine as handwashing and hygiene in healthcare, it is likely that these processes will need to be incorporated into a common checklist that teams rigorously follow.
4. Apply lessons learned from other industries.
To date, the healthcare industry has not addressed cybersecurity as successfully as other sectors have. Roundtable participants observed that the financial industry was able to mitigate threats effectively in part because stakeholders worked together to develop a universal response in coordination with federal and state regulators. While the financial environment is not necessarily as complex as healthcare in terms of the processes, technologies, systems, transactions or actors that must be assessed and audited, roundtable participants nonetheless advised that federal and state governments play a more aggressive, strict and active role in certifying, regulating and enforcing security.
Under the current approach, many healthcare organizations fail to perform comprehensive security risk assessments despite the federal mandate to do so (the HIPAA Security Rule's risk analysis requirement). Risk assessment is the key first step in an effective cybersecurity strategy. After establishing the types of data accessed, stored and exchanged by different users, software and hardware, an assessment identifies the vulnerabilities and the information that could potentially be manipulated. In turn, these insights inform the implementation of appropriate security and authentication controls for personnel and systems, as well as the development of written incident response plans and recommended data governance agreements with other organizations.
"Fortinet detected more than 700,000 hacking attempts per minute against healthcare organizations in the fourth quarter of 2016. It's clear that the attack surface is growing at exponential speeds as the industry faces a technological transformation with IoT devices and cloud applications providing new patient care delivery models," said Susan Biddle, senior director of healthcare at Fortinet, in a statement. "To mitigate these threats and gain greater control and visibility, healthcare providers should focus on people, processes and technology. By focusing on building a culture of cyber-awareness, conducting ongoing cyberthreat assessments, and deploying a security fabric architecture for centralized, end-to-end security, healthcare providers can better ensure that all devices and applications on their networks are protected with real-time threat intelligence."