

Todd Weller

It's Not Healthy to Confuse Compliance with Security

Healthcare organizations should be alarmed by the frequency and severity of cyberattacks. Don't assume you're safe from them just because you're compliant with regulations.

Cyberattackers' interest in healthcare organizations continues to increase. In 2018, there were 284 breaches reported on the US Department of Health and Human Services (HHS) breach portal and 27 so far in 2019. According to InfoSec Institute, "nearly 95 percent of all medical and health care institutions have been victims of some form of cyberattack."

Most people think of healthcare and cyber-risk as related to the compromise of sensitive patient data. This is true, and it's also a fact that healthcare data is valued significantly higher than credit card data. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a US credit card number. Protecting this data is critical, and this is at the core of the long-standing Health Insurance Portability and Accountability Act (HIPAA) regulations, including the HIPAA Security Rule.

A high percentage of healthcare organizations successfully check the HIPAA compliance box. However, it's unhealthy to confuse being HIPAA compliant with being secure, especially as healthcare cyber threats today are broadening beyond data theft.

Cyber Threat Actors Have Been Expanding Their Scope
While plundering the troves of valuable healthcare data is still a high priority, cybercriminals have expanded their scope when it comes to attacking healthcare organizations. A once sole focus on data theft has expanded to include business disruption, extortion, and phishing scams targeting healthcare employees. 

Healthcare was one of the most targeted industries in 2019 and the top industry for ransomware incidents in 2018, according to the "Beazley 2019 Breach Briefing." According to the report, the healthcare industry represented 34% of total ransomware incidents, more than double that of the next two industries — professional services and financial services. The proliferation of Internet-connected medical devices is also emerging as an area of growing concern, as shown by the recent release of the Medical Device and Health IT Joint Security Plan.

The good news: All of this is driving increased awareness of the need for a more focused and comprehensive approach to healthcare cybersecurity, as opposed to healthcare compliance.

NIST Cybersecurity Framework and HICP
There is an increasing focus in healthcare on adopting the NIST Cybersecurity Framework to improve cybersecurity efforts, bolster defenses, and reduce risk. The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices to manage cyber-risk. The framework is based on a holistic approach to cybersecurity that includes these concepts: identify, protect, detect, respond, and recover.

There are two attractive attributes of the framework that healthcare organizations will find positive. First, it is very flexible and has applicability to organizations of all sizes, from small, three-person doctor's offices to the largest hospital systems. Second, it's voluntary!

The shift to the NIST Cybersecurity Framework will accelerate with Health and Human Services' announcement of Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). HICP is also similar to the NIST Framework in that it is voluntary and very flexible. In fact, HICP does a great job segmenting best practices that are applicable to small organizations versus midsize and large organizations.

Three steps all healthcare organizations can take right now to improve their cyber posture:

1. Embrace and align cybersecurity efforts to NIST and HICP. The shift in healthcare cyber focus from being compliance- and data-centric is happening rapidly. If you haven't started down the road of NIST and HICP, it's time to get moving. First, measure yourself against the NIST Cybersecurity Framework, which provides an excellent general baseline. Once you've done that, become more intimate with HICP and align where your organization is relative to these healthcare-specific best practices. Keep in mind that it doesn't matter as much where you are on this journey; what matters is that you're on it.

2. Revisit basic cyber hygiene practices. Fortunately, for healthcare companies, the flood of attacks targeting state and local government organizations has taken the spotlight off of healthcare. However, it's also exposed many organizations that continue to fall down on basics like vulnerability management, patching, and data backups. Revisit the basics and make sure you're covered.

3. Increase your use of threat intelligence and information sharing more broadly. Threat intelligence has become a critical component of cyber defenses for all companies. As a first step, if you're not consuming and sharing threat intelligence with healthcare peers via H-ISAC (Health Information Sharing and Analysis Center), you should. Importantly, because healthcare is heavily tied to other industries like financial services and government, you should explore whether you can participate in those communities and in other cross-industry threat-sharing communities, such as those operated by the Global Resilience Federation.

The trend of cyberattack frequency and severity should be concerning to all healthcare organizations. As we have seen in other industries, being compliant is not the same as being secure. The expanding focus on cybersecurity frameworks like HICP and the NIST Cybersecurity Framework is a positive step toward improving cybersecurity health.


Todd Weller, Chief Strategy Officer at Bandura Cyber, works with organizations of all sizes to improve their ability to use, operationalize, and take action with threat intelligence. He brings over 20 years of cybersecurity industry experience with a unique blend ...

9/5/2019 | 4:57:32 PM
This is such an important topic and covered so well in this article
Confusion is clearly not good. I would go further to say that there are too many enterprise risk and/or security leaders - and general business executives - who use compliance as an excuse. Meaning, "I've complied, so now we are legally covered." The world needs neither of those two situations.