Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Todd Weller
Todd Weller

It's Not Healthy to Confuse Compliance with Security

Healthcare organizations should be alarmed by the frequency and severity of cyberattacks. Don't assume you're safe from them just because you're compliant with regulations.

Cyberattackers' interest in healthcare organizations continues to increase. In 2018, there were 284 breaches reported on the US Department of Health and Human Services (HHS) breach portal and 27 so far in 2019. According to InfoSec Institute, "nearly 95 percent of all medical and health care institutions have been victims of some form of cyberattack."

Most people think of healthcare and cyber-risk as related to the compromise of sensitive patient data. This is true, and it's also a fact that healthcare data is valued significantly higher than credit card data. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a US credit card number. Protecting this data is critical, and this is at the core of the long-standing Health Insurance Portability and Accountability Act (HIPAA) regulations, including the HIPAA Security Rule.

A high percentage of healthcare organizations successfully check the HIPAA compliance box. However, it's unhealthy to confuse being HIPAA compliant with being secure, especially as healthcare cyber threats today are broadening beyond data theft.

Cyber Threat Actors Have Been Expanding Their Scope
While plundering the troves of valuable healthcare data is still a high priority, cybercriminals have expanded their scope when it comes to attacking healthcare organizations. A once sole focus on data theft has expanded to include business disruption, extortion, and phishing scams targeting healthcare employees. 

Healthcare was one of the most targeted industries in 2019 and the top industry for ransomware incidents in 2018 according to the "Beazley 2019 Breach Briefing." According to the report, the healthcare industry represented 34% of total ransomware incidents, more than double that of the next two industries — professional services and financial services. The proliferation of Internet-connected medical devices is also emerging as an area of growing concern. This is shown by the recent release of the Medical Device and Health IT Joint Security Plan.

The good news: This is all driving increased awareness of the need for a more focused and comprehensive approach on healthcare cybersecurity as opposed to healthcare compliance.

NIST Cybersecurity Framework and HICP
There is an increasing focus in healthcare on adopting the NIST Cybersecurity Framework to improve cybersecurity efforts, bolster defenses, and reduce risk. The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices to manage cyber-risk. The framework is based on a holistic approach to cybersecurity that includes these concepts: identify, protect, detect, respond, and recover.

There are two attractive attributes of the framework that healthcare organizations will find positive. First, it is very flexible and has applicability to organizations of all sizes, from small, three-person doctor's offices to the largest hospital systems. Second, it's voluntary!

The shift to the NIST Cybersecurity Framework will accelerate with Health and Human Services' announcement of Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). HICP is also similar to the NIST Framework in that it is voluntary and very flexible. In fact, HICP does a great job segmenting best practices that are applicable to small organizations versus midsize and large organizations.

Three steps all healthcare organizations can take right now to improve their cyber posture:

1. Embrace and align cybersecurity efforts to NIST and HICP. The shift in healthcare cyber focus from being compliance- and data-centric is happening rapidly. If you haven't started down the road of NIST and HICP, it's time to get moving. First, measure yourself against the NIST Cybersecurity Framework, which provides an excellent general baseline. Once you've done that, become more intimate with HICP and align where your organization is relative to these healthcare-specific best practices. Keep in mind that it doesn't matter as much where you are on this journey; what matters is that you're on it.

2. Revisit basic cyber hygiene practices. Fortunately, for healthcare companies, the flood of attacks targeting state and local government organizations has taken the spotlight off of healthcare. However, it's also exposed many organizations that continue to fall down on basics like vulnerability management, patching, and data backups. Revisit the basics and make sure you're covered.

3. Increase your use of threat intelligence and information sharing more broadly. Threat intelligence has become a critical component of cyber defenses for all companies. As a first step, if you're not consuming and sharing threat intelligence with healthcare peers via H-ISAC (Health Information Sharing and Analysis Center) you should. Importantly, because healthcare is heavily tied to other industries like financial services and government, you should explore whether you can participate in these communities and other cross-industry threat-sharing communities operated by those like Global Resilience Federation.  

The trend of cyberattack frequency and severity should be concerning to all healthcare organizations. As we have seen in other industries, being compliant is not the same as being secure. The expanding focus on cybersecurity frameworks like HICP and the NIST Cybersecurity Framework is a positive step toward improving cybersecurity health.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Meet FPGA: The Tiny, Powerful, Hackable Bit of Silicon at the Heart of IoT."

Todd Weller, Chief Strategy Officer at Bandura Cyber, works with organizations of all sizes to improve their ability to use, operationalize, and take action with threat intelligence.  He brings over 20 years of cybersecurity industry experience with a unique blend ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
9/5/2019 | 4:57:32 PM
This is such an important topic and covered so well in this article
Confusion is clearly not good.  I would go further to say that there are too many enterprise risk and/or security leaders - and general business executives - who use compliance as an excuse.  Meaning, "I've compiled so now we are legally covered."  The world needs neither of those two situations.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...