The biggest cybersecurity issue for hospitals is response and recovery from ransomware attacks, observed Fernando Martinez, senior vice president and chief digital officer at the Texas Hospital Association and president/CEO of Texas Hospital Association Foundation.
Organizations are struggling with such problems as where to get Bitcoin to pay the ransom, how to get decryption keys, and how to decrypt materials if they get the keys.
“Even after they pay the Bitcoin ransom, recovery can take weeks or months. The biggest threat is business interruption. A lot of smaller hospitals, certainly rural critical access care hospitals and some of the stand-alone hospitals, don’t operate at margins that allow them to deal with a lot of downtime. These incidents can literally put them out of business,” Martinez told HealthITSecurity.com.
In addition, health organizations are always trying to fend off attackers trying to steal protected health information (PHI).
“The industry is concerned about the harvesting of credentials to gain access to an organization’s network to exfiltrate data. Medical record information is more valuable than Social Security numbers and other PII. And protecting ePHI is a major concern for healthcare organizations,” Martinez said.
For the healthcare industry and regulators, preventing data theft remains a top priority.
In a paper he co-authored with Bob Chaput, founder and CEO of Clearwater Compliance, Martinez noted that the Texas healthcare industry continues to be a target for data thieves. In the past 12 months, the Office for Civil Rights opened data breach investigations on 21 healthcare organizations in the state, affecting more than 437,000 individuals.
Because Texas is so large, the state has experienced the full range of cyberattacks seen throughout the country, from incidents affecting rural critical access hospitals to those hitting large nonprofit and for-profit systems, Martinez said.
The Texas Hospital Association is working with its members on implementing cybersecurity best practices—the “block-and-tackle fundamentals” of IT security—through education and partnerships, he said.
As part of the education effort, the association sponsored the first annual Texas Health Care Security and Technology Conference, which was held April 19-20, 2018, in Austin, Texas. The conference was designed to bring together healthcare IT security experts from across Texas and beyond to share best practices in planning for and responding to cyberthreats. Participants included hospitals that had suffered recent ransomware attacks and other cyber incidents.
It became apparent from the discussions that organizations don’t realize where they are at risk because the level of due diligence in doing risk assessments is not where it should be, Martinez said.
One organization that suffered a ransomware attack two years ago still had not decrypted everything that had been encrypted by the attackers.
“It’s incredibly scary,” he added.
An attorney who specializes in cyber insurance told attendees that insurance companies may not cover breaches if they don’t think an organization has done the minimum to prepare for cyber incidents and protect information.
“A lot of the attendees were unaware of the level of due diligence that needs to take place at an organization in order to demonstrate to their insurer, should they have an incident, that they took appropriate steps to protect themselves,” he said.
The Texas Hospital Association has developed a simulated phishing email service for its member hospitals to train their staff to spot phishing emails and avoid falling for them.
The association partners with companies that can help its members with cybersecurity best practices to avoid cyberattacks.
“One of the most basic block-and-tackle activities that hospitals can do to prepare for and avoid these incidents is conducting appropriate risk assessments, knowing where their data is, and knowing what risks there are to their data. This allows them to prepare and develop a plan to manage and mitigate those risks,” Martinez said.
“We believe very strongly in workforce education and awareness for our member hospitals, and we believe very strongly in the use of proper tools for identifying, developing, and managing risk mitigation activities at our member hospitals,” he said.
Cybersecurity is a team sport, Martinez observed.
“Everybody has an ownership in terms of dealing with cybersecurity threats and in developing a cybersecurity strategy. Everybody has to be involved with it—providers, hospitals, third-party vendors, business associates, and employees,” he added.
It is also important to get the boards of trustees involved in cybersecurity efforts at their organizations. Martinez related that he has been working in the healthcare industry for 40 years, including 20 years as a chief information officer in a variety of healthcare organizations.
“Nobody really talked about cybersecurity or was all that concerned about it before,” he said.
“There is a big difference in the last five years. All of a sudden hospital leaders are very interested. This is a top of mind concern for them. Cybersecurity threats keep them up at night. By extension, hospital boards and trustees are similarly lining up behind this particular risk profile for our organizations,” Martinez continued.
“We are seeing more and more trustees interested in this area and wanting to develop competence,” Martinez said.
He related that the association holds an annual conference for the trustees of their member hospitals, and the trustees want to know what their hospitals are doing to improve cybersecurity.
Martinez stressed that compliance with HIPAA and other regulations is not enough to protect healthcare organizations. Compliance is only one small part of a much broader information risk management picture.
“There are a lot of organizations that are compliant to HIPAA, compliant to FISMA, compliant to OCR guidelines, compliant to frameworks such as the NIST Cybersecurity Framework. That’s all wonderful. The problem is that in spite of being compliant, these organizations suffer cyber incidents,” Martinez maintained.
“The reason why compliance is inadequate is that if an organization has a control that has failed or fails to identify an area of risk and develop mitigation for it, the fact that they may be compliant with a standard or baseline is in no way an indicator of their level of preparedness,” he said.