It’s just not about patient safety. It’s also about public safety and even national security.
—Errol Weiss, chief security officer, Health Information Sharing and Analysis Center (H-ISAC)
Introduction
In recent years, the healthcare sector has found itself increasingly in the crosshairs of cyber attackers. Chapter 3 of my book, Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM), delves into healthcare organizations’ critical and growing cyber risk landscape. This article provides an overview of the chapter and the factors contributing to the heightened cyber threats in healthcare. It offers insights into how executives and board members can begin to address these risks effectively.
The Growing Threat of Cyber Attacks in Healthcare
The healthcare industry has seen a significant increase in cyber attacks over the past decade, with the FBI issuing warnings as early as 2014 about the sector’s vulnerability. The FBI’s Private Industry Notice (PIN) highlighted the industry’s transition from paper to electronic health records (EHRs), the higher financial value of medical records on the black market, and generally lax cybersecurity standards as critical factors driving this increased risk. Despite these early warnings, healthcare organizations remain prime targets for cybercriminals, with the situation worsening over time.
A University of Maryland study found that internet-connected devices are attacked by hackers every 39 seconds, underscoring the pervasive nature of cyber threats. Healthcare organizations are not immune to this reality. Surveys indicate that a significant portion of healthcare organizations experience cyber-attacks daily or weekly, yet many remain unaware of the frequency and severity of these threats. High-profile incidents, such as the ransomware attacks on Ascension Health, the Florida Department of Health, and the UK’s NHS, are stark reminders of the industry’s vulnerabilities.
The Expanding Attack Surface in Healthcare
One of the critical challenges facing healthcare organizations is the rapidly expanding attack surface. The adoption of EHRs, driven by the Centers for Medicare & Medicaid Services (CMS) incentive program, has led to a dramatic increase in the number of digital records and the systems that manage them. Between 2008 and 2017, the percentage of acute care hospitals using EHRs skyrocketed from 9% to 96%, significantly increasing the volume of electronic protected health information (ePHI) in circulation.
This surge in digital data has been accompanied by a proliferation of systems and devices that generate, transmit, and store this information. The Internet of Medical Things (IoMT), which includes everything from intelligent infusion pumps to real-time location tracking systems, has become increasingly prevalent, further expanding the potential points of vulnerability. The industry’s drive towards interoperability has also led to more data sharing with third-party partners, increasing the complexity and risk of managing ePHI.
Healthcare’s Lack of Preparedness
Despite the growing threats, the healthcare industry remains underprepared to address cybersecurity challenges. Several factors contribute to this lack of preparedness:
- Lack of Security Talent: Many healthcare organizations lack qualified cybersecurity personnel, leaving them vulnerable to sophisticated cyber threats.
- Legacy Equipment: A significant portion of the healthcare sector relies on outdated and unsupported systems, which are more susceptible to cyber-attacks.
- Premature Connectivity: The rush to implement EHRs and demonstrate meaningful use often resulted in cybersecurity being an afterthought, leaving systems exposed.
- Open Sharing Culture: The need for easy access to patient data for effective care delivery can conflict with the stringent security measures necessary to protect that data.
- Viewing Cybersecurity as an IT Issue: Many organizations still treat cybersecurity as a technical problem rather than an enterprise-wide risk management issue, leading to reactive rather than proactive approaches.
- Lack of Risk Awareness: There is often a fundamental lack of understanding among healthcare professionals and leadership about the nature and severity of cyber risks.
Understanding Risk in Healthcare
To effectively manage cyber risk, healthcare executives and board members must first understand what risk entails. Risk in the context of cybersecurity is about the potential for loss or harm resulting from the compromise of an asset by a threat exploiting a vulnerability. In healthcare, these assets include not only data and systems but also patient safety and trust.
My chapter in Stop the Cyber Bleeding introduces the concept of a risk scenario, defined as the intersection of an asset, a threat, and a vulnerability. For example, a hospital’s patient data (asset) could be targeted by a cybercriminal (threat) exploiting an unpatched operating system (vulnerability). Understanding these scenarios is crucial for assessing the likelihood and impact of potential cyber incidents and for developing appropriate controls to mitigate them.
Moving Beyond a Checklist Approach
One of the critical mistakes healthcare organizations make is relying on a checklist-based approach to cybersecurity. This approach, which focuses on implementing predefined controls, often fails to address an individual organization’s unique risks and vulnerabilities. I advocate a risk-based approach, which focuses on identifying and prioritizing the specific, unique risks the organization faces.
This approach begins with a thorough risk assessment, which includes an inventory of all assets, identification of the threats and vulnerabilities associated with each asset, and an evaluation of the likelihood and impact of potential incidents. By understanding these factors, organizations can make informed decisions about where to invest resources to achieve the most significant risk reduction.
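As an added illustration (example code, not from the book or this article), here is the risk-scenario idea and the risk-based assessment above worked as a small Python risk register: each scenario is an asset, a threat and a vulnerability with a likelihood and impact rating, candidate controls are ranked by how much risk they remove per unit of cost, and a limited budget is spent on the best of them. The scenarios, controls, ratings and costs are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:  # asset + threat + vulnerability, as the chapter defines it
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (catastrophic, e.g. patient harm)

    def rating(self) -> int:
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Control:
    name: str
    vulnerability: str       # the vulnerability this control addresses
    cost: int                # relative cost units (constructed)
    likelihood_cut: int = 0  # likelihood levels the control removes
    impact_cut: int = 0      # impact levels the control removes

def residual_rating(s: RiskScenario, c: Control) -> int:
    # risk left after applying c to s; a level never drops below 1
    return max(1, s.likelihood - c.likelihood_cut) * max(1, s.impact - c.impact_cut)

def prioritize(scenarios, controls):
    # rank applicable (scenario, control) pairs by risk reduction per unit cost
    options = []
    for s in scenarios:
        for c in controls:
            if c.vulnerability == s.vulnerability:
                reduction = s.rating() - residual_rating(s, c)
                options.append((reduction / c.cost, reduction, s, c))
    return sorted(options, key=lambda o: o[0], reverse=True)

def plan(scenarios, controls, budget):
    # greedy spend: take the best reduction-per-cost controls that fit the budget
    chosen, spent = [], 0
    for _ratio, _reduction, _s, c in prioritize(scenarios, controls):
        if c not in chosen and spent + c.cost <= budget:
            chosen.append(c)
            spent += c.cost
    return chosen

# Constructed sample register; ratings and costs are illustrative, not from the book
SCENARIOS = [
    RiskScenario("ePHI in EHR database", "ransomware operator", "unpatched OS", 4, 5),
    RiskScenario("IoMT infusion pump", "malware", "unsupported legacy firmware", 3, 5),
    RiskScenario("ePHI shared with partner", "data breach", "over-broad partner access", 3, 3),
]
CONTROLS = [
    Control("patch management", "unpatched OS", cost=2, likelihood_cut=3),
    Control("segment legacy devices", "unsupported legacy firmware", cost=3, likelihood_cut=2),
    Control("partner access review", "over-broad partner access", cost=1, likelihood_cut=1, impact_cut=1),
]
```

Note that ranking by reduction per cost puts the cheap partner access review ahead of segmenting legacy devices even though segmentation removes more raw risk; a checklist that applies controls in a fixed order would never surface that trade-off.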
The Role of Leadership in ECRM
C-suite executives and board members do not need to be cybersecurity experts to lead effective ECRM efforts. Their role is to provide strategic oversight and leadership, ensuring the organization’s cybersecurity initiatives align with its business objectives. This strategic approach is essential for moving beyond reactive, tactical measures and towards a proactive, integrated ECRM program that supports the organization’s mission and values.
Ultimately, the goal is to develop an ECRM program that transcends current assets, threats, and controls, recognizing that these elements will evolve. By focusing on strategic alignment and risk-based decision-making, healthcare leaders can ensure that their organizations are protected against current cyber threats and well-positioned to adapt to future challenges.
Conclusion
Stop the Cyber Bleeding presents the healthcare sector’s cyber risk landscape—fraught with vulnerabilities, expanding attack surfaces, and a general lack of preparedness. To protect themselves effectively, healthcare organizations must adopt a holistic, risk-based approach to ECRM, guided by strategic leadership and informed by a deep understanding of their unique risks. Only then can they hope to stop the cyber bleeding and safeguard the future of patient care.
Order your copy of Stop the Cyber Bleeding today to learn more about the healthcare cyber risk landscape and, more importantly, what to do about it.