Health data breaches reached a record high last year, affecting nearly 50 million patient records, and a recent attack on one of the country's largest hospital systems, CommonSpirit Health, makes clear that providers remain a top target of cyber criminals.
Cyber thieves are lured by the large volumes of data found in healthcare systems. Often stored along with patients' health information are credit card, bank account and Social Security numbers, as well as intellectual property related to medical research and innovation.
Valuable stolen health records have consistently made the industry the highest-cost sector for data breaches, ahead of financial organizations and pharmaceuticals.
"Hospitals are now laser-focused on preparing for these disruptive ransomware attacks," said John Riggi, an FBI veteran and senior adviser for cybersecurity and risk at the American Hospital Association.
For health systems and medical groups stepping up their defenses against an attack, here are top recommendations from cybersecurity experts for how to protect your organization:
Start at the top
Cybersecurity should be a top priority for an organization's leadership and board, who must understand that the threat is an enterprise risk issue, according to Riggi. An attack brings financial, legal and regulatory risks and, most importantly, may threaten care delivery and patient safety. "If it's not a priority for the boss, it is not a priority for the organization," Riggi said.
Empower the staff
All employees need to have a sense of urgency about the impact of cyber threats and practice good cyber hygiene, as they would medical hygiene, in order to protect patients, said Riggi. Leverage the culture of care that exists within healthcare, and empower staff to identify, report and stop attacks, he said. One of the main ways to do that is by not clicking on phishing emails. More than 90% of successful cyberattacks start with a phishing email, according to the Cybersecurity and Infrastructure Security Agency, or CISA.
Eliminate organizational silos
The more that teams within a hospital or system work closely together, the better they will be at finding areas that could be vulnerable to a cyberattack. "Siloed organizations end up becoming a breeding ground for risk," said Brad Parks, chief product and marketing officer at Morpheus Data, a cloud management platform company. "Addressing cyberattacks has as much to do with people and processes as it does tools and technology."
Mandate multi-factor authentication
The White House advises the nation's critical infrastructure, including healthcare organizations, to require that system users provide more than one verification factor to gain access. In addition to a username and password, another piece of information might be a code sent to a user's phone. From there, the AHA recommends forcing password changes periodically. Biometrics such as an eye scan or facial recognition are less common in healthcare but are starting to be used as well.
Embed security everywhere
Parks suggests software developers at healthcare systems build security and governance into processes across the organization from day one. Further, increasing automation can help eliminate risk because it reduces the chance of human error, he said. "The easiest problem to fix is the one you never had," said Parks.
Segment off systems
Providers must make sure that critical medical devices are separated from the broader network by digital firewalls that can prevent the spread of ransomware or malware between systems, the experts said. "One of the most important controls in any clinical environment is you need to be segmenting off those devices from your administrative networks, where you would have the laptops, where you would have the iPads," said Resilience Insurance Chief Risk Officer Richard Seiersen, a former general manager of cybersecurity and privacy for GE Healthcare.
Employ intrusion detection
Riggi recommends the use of intrusion detection systems, which are highly sophisticated technical tools that can detect malware or software that is exhibiting anomalous or malicious behavior. Such tools can determine, for example, if a piece of software is communicating with an IP address that it should not be contacting, or attempting to access a main directory to capture credentials. "It's very important to have an added layer of malware detection that is based on the behavior of software," Riggi said.
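The two behaviors Riggi describes, software contacting an address outside its expected set and software reading a credential store, are the kind of rules a behavior-based detector evaluates. The following is an added illustration, not code from the article, the AHA or any IDS vendor: it runs a per-process destination baseline and a sensitive-path check over a handful of constructed endpoint events. The process names, network ranges, file paths and the pipe-separated event format are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed baseline: which destination networks each process is expected to
# talk to. A process absent from this table has no permitted destinations, so
# any outbound connection it makes is flagged (strict default).
ALLOWED_DESTINATIONS = {
    "ehr_client.exe": ["10.10.0.0/16"],          # hypothetical EHR application servers
    "infusion_pump_agent": ["10.20.5.0/24"],     # hypothetical device-management VLAN
}

# Files that hold credentials; a read by an ordinary application is treated as
# an attempt to harvest them. Paths are illustrative.
SENSITIVE_PATHS = (
    "/etc/shadow",
    "C:\\Windows\\NTDS\\ntds.dit",
    "C:\\Windows\\System32\\config\\SAM",
)


@dataclass
class Alert:
    host: str
    process: str
    reason: str


def parse_event(line):
    """Parse one constructed event line: host|process|event_type|target.

    For 'connect' events target is 'ipv4:port'; for 'file_read' it is a path.
    """
    host, process, event_type, target = line.strip().split("|")
    return host, process, event_type, target


def evaluate(line):
    """Return an Alert if the event violates the behavioral baseline, else None."""
    host, process, event_type, target = parse_event(line)
    if event_type == "connect":
        # IPv4 only in this toy format; split off the port before parsing.
        ip = ipaddress.ip_address(target.rsplit(":", 1)[0])
        allowed = [ipaddress.ip_network(n) for n in ALLOWED_DESTINATIONS.get(process, [])]
        if not any(ip in net for net in allowed):
            return Alert(host, process, f"outbound connection to unexpected address {target}")
    elif event_type == "file_read":
        if target in SENSITIVE_PATHS:
            return Alert(host, process, f"read of credential store {target}")
    return None


def scan(lines):
    """Evaluate every event line and return the list of alerts raised."""
    return [alert for alert in map(evaluate, lines) if alert is not None]


# Constructed sample events: two benign, two that should alert, one benign file read.
SAMPLE_EVENTS = [
    "ws-icu-07|ehr_client.exe|connect|10.10.3.21:443",
    "ws-icu-07|ehr_client.exe|connect|203.0.113.45:8443",
    "pump-gw-02|infusion_pump_agent|connect|10.20.5.9:8883",
    "ws-admin-01|updater.exe|file_read|C:\\Windows\\System32\\config\\SAM",
    "ws-admin-01|notepad.exe|file_read|C:\\Users\\clerk\\notes.txt",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.host}] {alert.process}: {alert.reason}")
```

Run against the sample, the scan raises exactly two alerts: the EHR client reaching a documentation-range address outside its baseline, and an updater process reading the SAM hive. The baseline table is the important design choice: it is built per process rather than per host, because the same workstation legitimately reaches many networks, but a given clinical application reaches very few, which is what makes the "should not be contacting" judgement precise.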
Back up, encrypt, patch, plan
Organizations are advised to back up and encrypt data, employ patch management to ensure vulnerabilities are identified and addressed, frequently test cyber incident response plans, and integrate those plans into the overall emergency preparedness plan. Establishing relationships with the FBI and CISA before an event occurs is also encouraged.