The real cost of healthcare cybersecurity breaches

With each step towards digitalization, from cloud computing to electronic records, the healthcare sector faces mounting risks that threaten not just the privacy but the very wellbeing of patients.

In this Help Net Security interview, Taylor Lehmann, Director, Office of the CISO, Google Cloud, discusses the critical conversation surrounding the ethical and legal responsibilities that healthcare providers must navigate in the wake of a data breach. He explores the severe implications of cyber threats that go far beyond financial loss, potentially endangering lives and eroding public trust in healthcare systems.

Lehmann also shines a light on the operational repercussions of cyberattacks, the transformative impact of cloud technology on health data security, and the measures necessary to bolster defenses against these evolving threats.

Can you discuss the ethical and legal implications for healthcare providers in the event of a data breach?

Historically weak protections for sensitive, valuable data and hard-to-secure legacy technology have made healthcare an easy, appealing target for attackers. The impact of cyber breaches in this industry can have serious repercussions for individuals, in large part because of the sensitive personal and health data they collect and store, and the fact that many systems used in a care setting directly support the safety of medical procedures and sustain life.

Healthcare providers are in a unique position as compared to other industries – they have an ethical and legal obligation to protect patient data and safeguard patient care from cyber threats. Healthcare delivery is the one of very few industries where there is a direct connection between security, resilience, and the safety of human life.

In one instance, a health system temporarily diverted ambulances and shut down its IT systems to restore its network following a cyberattack. Under varying circumstances, threat actors could have stolen passwords, medical records, social security numbers, or other personally identifiable information.

On the legal front, healthcare providers are subject to an intricate web of data protection laws and regulations, such as HIPAA in the United States or GDPR in the EU. Non-compliance with these regulations can lead to hefty criminal and civil fines and penalties for organizations. Lawsuits from breach victims seeking damages for medical identity theft, financial losses, potential loss of life, and emotional distress can also have a substantial legal, financial, and reputational impact.

Operational impacts due to cyber attacks are affecting patient safety. Could you give some examples of how these attacks are impacting healthcare delivery?

Cyber attacks against healthcare and life sciences institutions can directly affect a patient’s well-being. In addition to the financial loss that can occur, cyber attacks can disrupt operations, damage reputations, and even threaten public health. For example, a ransomware attack on a pharmaceutical company could delay the release of a new drug, which could have a serious impact on patients who need it.

While there has yet to be a definitive patient fatality due to a cyber attack, CISA found that successful ransomware attacks in 2020-2021 on hospitals reduced their ability to care for patients. In June, St. Margaret’s Health, the only hospital in the small, rural community of Spring Valley, Illinois, permanently closed its doors, in part because of the insurmountable costs to restore hospital services following a 2021 ransomware attack.

To put it gently, the trendlines are not in our favor. While St. Margaret’s Health is the first healthcare facility to cite a cyber attack as one (of a few) reasons to permanently cease operations; indicators say that it is unlikely to be the last. In 2022, we saw an increasing number of alleged deaths due to cyber attacks against hospitals.

The effects of this are insurmountable. A hospital closing its doors could directly impact residents’ ability to get critical care.

Threat actors know that our health systems are vulnerable, and they don’t care about hurting the vulnerable people they treat. To put an end to the growing, existential threat that healthcare faces, it will take creativity, innovation, partnership, and a willingness to change the current state of IT security and risk management in healthcare.

How has the transition to cloud computing changed the cybersecurity landscape for healthcare organizations?

Public clouds can play an important role in helping healthcare and life sciences organizations become more secure. Forrester recently found that organizations are increasingly investing in cloud technologies as cloud providers have improved their security. The inherent, better security in the cloud, combined with regulatory motivation and widespread community efforts, can allow healthcare providers to scale their IT infrastructure to meet growing demands quickly.

That said, one poorly managed credential in the cloud could make all the difference in how a day in the life of a healthcare organization is going to go. Managing this growing surface area by performing proper cloud deployment and upkeep will continue to be a challenge for healthcare organizations in the foreseeable future – but is critical and will have a strong ROI in the long run, if done correctly. Over the last quarter, Google Cloud data shows that over half of all initial access attacks on the cloud came from users having weak or no passwords across all industries. Once attackers are in they deploy ransomware and also increasingly extort data to destroy, sell or use as leverage to compel a response or payment of some type.

What measures are healthcare entities implementing to safeguard their cloud-stored data, and where do you see room for improvement?

Healthcare organizations should continue to improve their identity and access management (IAM) systems to ensure user credentials are defined, set up, and monitored. This will help reduce the likelihood of credential theft by providing security teams with an early warning of suspicious activity. Organizations should use multifactor authentication (MFA) to ensure that credentials that are stolen and not detected by their IAM protocols do not lead to breaches.

Additionally, passkeys are increasingly a great tool to help reduce the likelihood of credential theft by requiring a user to have a physical device like a cellphone, not just login credentials to get into the system. Continuously assessing and reducing access for users and services to the minimum necessary and providing just-in-time access to highly sensitive resources will help keep organization’s running safely.

Healthcare institutions must focus on security hygiene, including cloud security, and educating their entire workforce on cyber threats. Otherwise, these organizations can fall victim to these relatively common – and preventable – cyber attacks.

Given that a significant percentage of healthcare organizations plan to adopt cloud technologies soon, what are the top cybersecurity considerations they should consider?

1. Build guardrails into your environment and personnel training to ensure everyone practices good cloud hygiene, which should be monitored and enforced.

2. Effective and robust authentication tools should be used across the organization, and specifically, MFA should be set up for key resources to ensure that stolen credentials do not lead to proper, sufficient authentication. Workspace administrators should also implement appropriate session expiration for key cloud services to help mitigate threats like “real-time” data access.

3. Maintain data backups, and test business continuity capabilities, to successfully recover production environments from ransomware, data deletion, and related attacks. Keep backup data isolated. For critical data, keep offline backups for additional redundancy. Periodically test system resiliency by performing “whiteboard” or live business continuity tests to ensure infrastructure destruction or similar attacks don’t affect production services.

4. Run regular vulnerability scans against cloud instances and perform penetration testing against key cloud-hosted web applications. Patch any identified vulnerabilities in native services, third-party software, and web apps in a timely fashion.

5. Extend detection and response platforms to cover more systems where critical services are being provided before attackers can take action following a successful compromise.

6. Leverage machine learning and artificial intelligence to move faster and more confidently in defending one’s organization.

Are current healthcare cybersecurity policies and regulations sufficient to tackle cybersecurity challenges, or is there a need for new frameworks?

We’re seeing a shift as many have realized protecting the confidentiality of sensitive information isn’t enough to keep organization’s and their customers safe. While well intentioned, healthcare security laws and regulations haven’t kept pace with the rate organization’s consume new technologies and attackers discover ways to affect them. Many new laws and regulations are being proposed to address some of the concerns voiced by the healthcare security community, including those that seek to increase the amount of security threat intelligence that is being shared, drive adoption of new security models like zero trust, improve the security of supply chains for software and data, and others.

Encouragingly, we are also seeing shifts in regulatory attention to include safety as a critical outcome of these efforts. For example, the Omnibus Appropriations Act of 2023 includes two significant provisions related to the security of connected medical devices, including a new Federal Drug Administration requirement that connected medical devices be cyber secure and stay that way once they enter the market. Failure to do so would allow the FDA to apply enforcement and prevent these devices from reaching the market. The EU has similar regulations.

In addition, the FDA signaled in its draft Computer Software Assurance model last year that a risk-based approach to managing quality, security, and safety of medical devices was coming. The guidance made it clear that security, alongside safety and quality, must be considered in the design and implementation of these systems.

These regulations are a strong starting point towards creating a safer and more secure and resilient healthcare system in the US and as others adopt similar measures internationally – but these regulatory efforts must be coupled with industry collaboration and information sharing to drive impactful, lasting change.