Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Todd Weller
Todd Weller

It's Not Healthy to Confuse Compliance with Security

Healthcare organizations should be alarmed by the frequency and severity of cyberattacks. Don't assume you're safe from them just because you're compliant with regulations.

Cyberattackers' interest in healthcare organizations continues to increase. In 2018, there were 284 breaches reported on the US Department of Health and Human Services (HHS) breach portal and 27 so far in 2019. According to InfoSec Institute, "nearly 95 percent of all medical and health care institutions have been victims of some form of cyberattack."

Most people think of healthcare and cyber-risk as related to the compromise of sensitive patient data. This is true, and it's also a fact that healthcare data is valued significantly higher than credit card data. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a US credit card number. Protecting this data is critical, and this is at the core of the long-standing Health Insurance Portability and Accountability Act (HIPAA) regulations, including the HIPAA Security Rule.

A high percentage of healthcare organizations successfully check the HIPAA compliance box. However, it's unhealthy to confuse being HIPAA compliant with being secure, especially as healthcare cyber threats today are broadening beyond data theft.

Cyber Threat Actors Have Been Expanding Their Scope
While plundering the troves of valuable healthcare data is still a high priority, cybercriminals have expanded their scope when it comes to attacking healthcare organizations. A once sole focus on data theft has expanded to include business disruption, extortion, and phishing scams targeting healthcare employees. 

Healthcare was one of the most targeted industries in 2019 and the top industry for ransomware incidents in 2018 according to the "Beazley 2019 Breach Briefing." According to the report, the healthcare industry represented 34% of total ransomware incidents, more than double that of the next two industries — professional services and financial services. The proliferation of Internet-connected medical devices is also emerging as an area of growing concern. This is shown by the recent release of the Medical Device and Health IT Joint Security Plan.

The good news: This is all driving increased awareness of the need for a more focused and comprehensive approach on healthcare cybersecurity as opposed to healthcare compliance.

NIST Cybersecurity Framework and HICP
There is an increasing focus in healthcare on adopting the NIST Cybersecurity Framework to improve cybersecurity efforts, bolster defenses, and reduce risk. The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices to manage cyber-risk. The framework is based on a holistic approach to cybersecurity that includes these concepts: identify, protect, detect, respond, and recover.

There are two attractive attributes of the framework that healthcare organizations will find positive. First, it is very flexible and has applicability to organizations of all sizes, from small, three-person doctor's offices to the largest hospital systems. Second, it's voluntary!

The shift to the NIST Cybersecurity Framework will accelerate with Health and Human Services' announcement of Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). HICP is also similar to the NIST Framework in that it is voluntary and very flexible. In fact, HICP does a great job segmenting best practices that are applicable to small organizations versus midsize and large organizations.

Three steps all healthcare organizations can take right now to improve their cyber posture:

1. Embrace and align cybersecurity efforts to NIST and HICP. The shift in healthcare cyber focus from being compliance- and data-centric is happening rapidly. If you haven't started down the road of NIST and HICP, it's time to get moving. First, measure yourself against the NIST Cybersecurity Framework, which provides an excellent general baseline. Once you've done that, become more intimate with HICP and align where your organization is relative to these healthcare-specific best practices. Keep in mind that it doesn't matter as much where you are on this journey; what matters is that you're on it.

2. Revisit basic cyber hygiene practices. Fortunately, for healthcare companies, the flood of attacks targeting state and local government organizations has taken the spotlight off of healthcare. However, it's also exposed many organizations that continue to fall down on basics like vulnerability management, patching, and data backups. Revisit the basics and make sure you're covered.

3. Increase your use of threat intelligence and information sharing more broadly. Threat intelligence has become a critical component of cyber defenses for all companies. As a first step, if you're not consuming and sharing threat intelligence with healthcare peers via H-ISAC (Health Information Sharing and Analysis Center) you should. Importantly, because healthcare is heavily tied to other industries like financial services and government, you should explore whether you can participate in these communities and other cross-industry threat-sharing communities operated by those like Global Resilience Federation.  

The trend of cyberattack frequency and severity should be concerning to all healthcare organizations. As we have seen in other industries, being compliant is not the same as being secure. The expanding focus on cybersecurity frameworks like HICP and the NIST Cybersecurity Framework is a positive step toward improving cybersecurity health.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Meet FPGA: The Tiny, Powerful, Hackable Bit of Silicon at the Heart of IoT."

Todd Weller, Chief Strategy Officer at Bandura Cyber, works with organizations of all sizes to improve their ability to use, operationalize, and take action with threat intelligence.  He brings over 20 years of cybersecurity industry experience with a unique blend ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
9/5/2019 | 4:57:32 PM
This is such an important topic and covered so well in this article
Confusion is clearly not good.  I would go further to say that there are too many enterprise risk and/or security leaders - and general business executives - who use compliance as an excuse.  Meaning, "I've compiled so now we are legally covered."  The world needs neither of those two situations.
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...