Finding the right mix: Leveraging policy and incentives to improve healthcare cybersecurity

When businesses are hit by a cyberattack, it can mean a disruption in operations, lost revenue and customer dissatisfaction because their personal information is exposed. But for the healthcare sector, the impact is far greater; cyberattacks can be a matter of life or death.

Last year, a ransomware attack in Düsseldorf, Germany, disrupted a hospital’s ability to coordinate doctors, beds and treatments; halted surgeries and other procedures; limited hospital capacity and forced them to temporarily stop admitting new patients. With the emergency room shut down, a patient experiencing an aortic aneurysm was diverted to another hospital 20 miles away, delaying her treatment, which possibly contributed to her death.

While cyberattacks have not directly contributed to patient deaths in U.S. hospitals, they have impacted patient care and, in some cases, increased patient death rates in the aftermath. Hospitals have furloughed hundreds of workers, been locked out of computers used to administer cancer treatments and experienced disruptions accessing patient records. While patient diversions like the example above are often necessary to maintain the safety and integrity of patient care, such actions can have serious adverse consequences.

Growing cybersecurity threats in healthcare

The COVID-19 pandemic opened the floodgates to cybercriminals. Since March 2020, the FBI reports that there’s been a 400% increase in cyberattack complaints overall. Perhaps most prominently was the September 2020 cyberattack on Universal Health Services.A disproportionate number of these recent cyberattacks have been aimed at the healthcare sector.

In the early months of the pandemic, cyberattacks accounted for 79% of reported healthcare data breaches. In September 2020, there was the ransomware attack on Universal Health Services. In November and December 2020 alone, cyberattacks on healthcare targets spiked 45%, compared to just a 22% increase in other sectors. That pace is expected to continue, as Black Book Market research predicts that data breaches in the healthcare industry will triple in volume this year.

Cybercriminals see a great opportunity in healthcare. They can get up to $1,000 per stolen medical record, making protected health information (PHI) more lucrative than credit card data. They’ve found it easy to exploit hospitals and health systems. The growth of telehealth offerings, electronic health records and other platforms, and interconnection between a variety of medical devices and other applications has left a broad attack surface for cybercriminals. Now there are as many as 15 networked devices per hospital bed, and remote monitoring tools are adding to the millions of medical IoT devices, laptops and computers that must be secured.

But while investing in these digital transformation technologies, the healthcare sector has yet to put the corresponding resources into cybersecurity to protect them. A HIMSS survey revealed that healthcare providers’ cybersecurity budgets are only 6% or less of the total IT spend.

Instead of investing in stronger security solutions, many health systems have relied on cybersecurity insurance as a backstop. However, with the rise in attacks come skyrocketing insurance prices. During the last year, ransomware claims have increased by more than 300%, resulting in insurance policies premiums growing by up to 30% in some cases. And recent data shows that the rise in cyber insurance has failed to promote better cybersecurity practices or mitigate risks.

A three-pronged defense: Urgent action needed

In the wake of the Colonial Pipeline attack, the Department of Homeland Security’s (DHS) Transportation Security Administration issued a directive requiring cybersecurity breaches to be reported to federal authorities. They are moving beyond voluntary guidelines, preparing mandatory rules to protect pipeline systems from cyberattacks and laying out the actions that should be taken when one occurs.

Given the increasing scale and scope of threats against the healthcare sector – a critical infrastructure with grave implications related to cybersecurity – strong preventative measures are needed.

A three-pronged approach is required to mitigate risks for the healthcare industry:

• Increased efforts by the healthcare and cyber securityindustries
• More formal action by federal regulators
• Better collaboration among them all

Providers that have not done so already should adopt a zero-trust security architecture, which assumes that all users could be malicious and operates accordingly. Zero-trust security authenticates any access between two components within a network, and after authentication is completed, users, applications and devices are only given the minimum number of privileges they need to function to protect the network.

Other best practices should also be implemented, such as regularly updating software; identifying, monitoring, and segmenting connected medical devices; developing an incident response plan; and increasing security education across all stakeholders.

While a concerted focus by industry and within individual organizations will strengthen the security posture of hospitals and health systems, there also needs to be a new coordinated approach from the federal government. Simply put, if cybersecurity protocols are not mandated, they will not be prioritized.

To date, the privacy and security standards set by the U.S. Department of Health and Human Services (HHS) are mainly focused on compliance and penalize providers when breaches occur. More resources and incentives are needed to help healthcare organizations protect themselves from cyberattacks.

“It is vital that Congress and HHS identify a pathway for ensuring providers do not unduly shoulder the burden of protecting protected health information in situations outside their control,” wrote leaders of the College of Healthcare Information Management (CHIME) and the Association of Executives in Healthcare Information Security (AEHIS) in a letter to Sen. Mark Warner, D-Va.

To that end, lawmakers and policymakers must dedicate funding to support risk-based planning, strategies, and cybersecurity upgrades for healthcare. Equally important is the development of cohesive standards that strengthen the regulatory environment. But these must be easily navigated by healthcare organizations.

Planning and collaboration by both the federal government and the industry is also necessary, so that catastrophes like the Colonial Pipeline attack can be averted if a healthcare organization is hit by a serious cyber incident.