As healthcare data breaches increase in frequency and the attacks behind them grow more intricate, organizations must ensure that their cybersecurity measures keep pace with those threats, according to the Workgroup for Electronic Data Interchange (WEDI).
WEDI conducted multi-stakeholder cybersecurity roundtables in November 2015 and April 2016, discussing how healthcare stakeholders can best improve their cybersecurity efforts. Those discussions, along with recommendations for stronger cybersecurity, were presented in a recent WEDI white paper titled “The Rampant Growth of Cybercrime in Healthcare.”
“Despite heavy investment and implementation of health information technology (e.g. electronic health record systems, databases, registries, repositories, connected medical/personal devices and other software) organizations are increasingly vulnerable because they do not have sufficient cybersecurity resources, processes or encryption measures in place,” report authors explained.
Citing research from the Brookings Institute, WEDI stated that 90 percent of healthcare organizations reported having a data breach within the past two years. That trend is also only likely to increase, WEDI noted.
“Chronic underinvestment in cybersecurity has left many so exposed that they are unable to even detect cyberattacks when they occur,” the report stressed. “While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.”
Roundtable participants made the following recommendations for organizations to improve their overall approach to healthcare cybersecurity:
- Drive a cultural change in how cybersecurity is approached in healthcare, beginning with raising awareness to educate stakeholders around the risk and cost of cyberattacks.
- Build the business case for cybersecurity and move it into the executive suite.
- Develop cybersecurity frameworks that provide a robust, forward-facing roadmap to protect organizations in a changing environment.
- Apply lessons learned from other industries.
In terms of culture change, WEDI explained that cybersecurity cannot just be perceived as an IT issue. Implementing strong cybersecurity measures “must go beyond technical aspects to embrace the process of tackling human factors and driving culture change.”
Employees at all levels must be educated on how to properly handle health data and devices. Staff members should also be actively trained and retrained so they know how to “prevent, detect, respond, report, manage, mitigate and recover from cyber crimes.”
Cybersecurity must also be integrated into the C-suite, the roundtables determined. Upper management needs to understand why cybersecurity is a worthwhile investment. Building a secure IT infrastructure, along with hiring and retaining security professionals, is becoming more critical for healthcare stakeholders.
“Given how many cyberattacks continue to be attributable to human error and behavior, employees at most healthcare organizations need a [chief security officer] whose department can oversee compliance with protocols, drive user training around how health data should be securely accessed, used, stored and shared according to best practices, and continuously monitor vulnerabilities that threat adversaries may seek to exploit,” WEDI wrote.
Cybersecurity frameworks, such as the ones developed by NIST or HITRUST, can also be important for healthcare. These can provide the initial groundwork for how healthcare entities need to address their vulnerabilities. Furthermore, these frameworks can help organizations in proactive patch management, legacy decommissioning and realignment of systems.
“As mobile and cloud-based technologies become more pervasive in healthcare, it will be increasingly important for organizations to adopt a multi-layer network security approach that ensures that data is protected, segmented and monitored,” report authors stated.
Security frameworks also need to be flexible so organizations can continue to update their protections as the threats also evolve.
“[Disaster recovery plan] procedures can be particularly useful for cyberattacks (such as ransomware incidents where data or systems are being held hostage) because of the discrete steps developed to limit the magnitude of loss, minimize the duration of service interruptions, control and repair the damage, recover data, relocate and migrate information, and prepare personnel to respond appropriately,” WEDI maintained.
Finally, healthcare can adopt cybersecurity lessons from other industries, such as finance. Healthcare often lags behind other sectors with its cybersecurity measures, with roundtable participants specifically noting that healthcare risk assessments can be lackluster.
“Although the financial environment is not necessarily as complex as healthcare in terms of the processes, technologies, systems, transactions or actors that must be assessed and audited, roundtable participants advised that the federal and state government play a more aggressive, strict and active role in certifying, regulating and enforcing security,” explained WEDI.
Overall, cybersecurity must be more thoroughly integrated into healthcare organizations’ fabric, according to WEDI. It needs to be seen as “mission critical,” and cyber hygiene should be a top priority.
“No matter how high the walls that any one organization is able to erect against cybercriminals, the healthcare industry at large must coalesce as a united front to more collectively address how to implement a universal culture of cyber defense and train a more resilient workforce to mitigate threats.”