Cyberattackers' interest in healthcare organizations continues to increase. In 2018, there were 284 breaches reported on the US Department of Health and Human Services (HHS) breach portal and 27 so far in 2019. According to InfoSec Institute, "nearly 95 percent of all medical and health care institutions have been victims of some form of cyberattack."
Most people think of healthcare and cyber-risk as related to the compromise of sensitive patient data. This is true, and it's also a fact that healthcare data is valued significantly higher than credit card data. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a US credit card number. Protecting this data is critical, and this is at the core of the long-standing Health Insurance Portability and Accountability Act (HIPAA) regulations, including the HIPAA Security Rule.
A high percentage of healthcare organizations successfully check the HIPAA compliance box. However, it's unhealthy to confuse being HIPAA compliant with being secure, especially as healthcare cyber threats today are broadening beyond data theft.
Cyber Threat Actors Have Been Expanding Their Scope
While plundering the troves of valuable healthcare data is still a high priority, cybercriminals have expanded their scope when it comes to attacking healthcare organizations. A once sole focus on data theft has expanded to include business disruption, extortion, and phishing scams targeting healthcare employees.
Healthcare was one of the most targeted industries in 2019 and the top industry for ransomware incidents in 2018 according to the "Beazley 2019 Breach Briefing." According to the report, the healthcare industry represented 34% of total ransomware incidents, more than double that of the next two industries — professional services and financial services. The proliferation of Internet-connected medical devices is also emerging as an area of growing concern. This is shown by the recent release of the Medical Device and Health IT Joint Security Plan.
The good news: This is all driving increased awareness of the need for a more focused and comprehensive approach on healthcare cybersecurity as opposed to healthcare compliance.
NIST Cybersecurity Framework and HICP
There is an increasing focus in healthcare on adopting the NIST Cybersecurity Framework to improve cybersecurity efforts, bolster defenses, and reduce risk. The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices to manage cyber-risk. The framework is based on a holistic approach to cybersecurity that includes these concepts: identify, protect, detect, respond, and recover.
There are two attractive attributes of the framework that healthcare organizations will find positive. First, it is very flexible and has applicability to organizations of all sizes, from small, three-person doctor's offices to the largest hospital systems. Second, it's voluntary!
The shift to the NIST Cybersecurity Framework will accelerate with Health and Human Services' announcement of Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). HICP is also similar to the NIST Framework in that it is voluntary and very flexible. In fact, HICP does a great job segmenting best practices that are applicable to small organizations versus midsize and large organizations.
Three steps all healthcare organizations can take right now to improve their cyber posture:
1. Embrace and align cybersecurity efforts to NIST and HICP. The shift in healthcare cyber focus from being compliance- and data-centric is happening rapidly. If you haven't started down the road of NIST and HICP, it's time to get moving. First, measure yourself against the NIST Cybersecurity Framework, which provides an excellent general baseline. Once you've done that, become more intimate with HICP and align where your organization is relative to these healthcare-specific best practices. Keep in mind that it doesn't matter as much where you are on this journey; what matters is that you're on it.
2. Revisit basic cyber hygiene practices. Fortunately, for healthcare companies, the flood of attacks targeting state and local government organizations has taken the spotlight off of healthcare. However, it's also exposed many organizations that continue to fall down on basics like vulnerability management, patching, and data backups. Revisit the basics and make sure you're covered.
3. Increase your use of threat intelligence and information sharing more broadly. Threat intelligence has become a critical component of cyber defenses for all companies. As a first step, if you're not consuming and sharing threat intelligence with healthcare peers via H-ISAC (Health Information Sharing and Analysis Center) you should. Importantly, because healthcare is heavily tied to other industries like financial services and government, you should explore whether you can participate in these communities and other cross-industry threat-sharing communities operated by those like Global Resilience Federation.
The trend of cyberattack frequency and severity should be concerning to all healthcare organizations. As we have seen in other industries, being compliant is not the same as being secure. The expanding focus on cybersecurity frameworks like HICP and the NIST Cybersecurity Framework is a positive step toward improving cybersecurity health.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Meet FPGA: The Tiny, Powerful, Hackable Bit of Silicon at the Heart of IoT."