To keep patient data safe without bursting IT budgets, hospitals must implement solutions that are both effective and efficient.
The deployment of robust security solutions and services requires a thoughtful, multilayered strategy that addresses both local and remote patient environments while it also keeps up with the maturation of IT systems and cyberthreats.
By a wide margin, email has become the most common initial point of compromise for security incidents, with 62 percent of breaches resulting from a phishing email or similar attack. Attacks are also launched via organizational or third-party websites, hardware and software preloaded with malware, infected mobile or medical devices, and compromised cloud providers — but none of those attack vectors triggered more than 3.2 percent of the total number of breaches, according to the 2018 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey.
According to the survey, nearly half (47 percent) of attacks in 2017 were caught within a day, while another 21 percent were sniffed out within a week. Still, roughly 4 percent of attacks took between a week and a month to catch, while 5 percent took between one and three months to detect. A handful of attacks weren't caught for four, seven or even 12 months.
Somewhat worryingly, only 41 percent of attacks were caught by organizations' internal security teams. Most were caught by other team members and third-party vendors, and 3 percent of significant breaches were discovered and reported by the affected patients themselves.
Cyberattacks are such a problem for healthcare providers that the ECRI Institute ranks ransomware and other cybersecurity threats No. 1 in its “Top 10 Health Technology Hazards for 2018”, above issues such as missed alarms, improper cleaning of equipment and radiation exposure from imaging tools.
What can providers and hospitals do to minimize risks? HIPAA standards and other data safety regulations exist to help ensure organizations take steps to protect sensitive data against this growing array of cyberthreats. However, mere compliance is often not enough to keep patient data safe. Those standards and safety regulations should be seen as the bare minimum. To rise to the challenge of today's threat environment, healthcare providers must evolve and mature their security postures beyond what is required by external regulators.
A Robust Support Infrastructure
In some instances, robust security will mean adopting new and advanced cybersecurity technologies. But healthcare organizations can often improve their security posture simply by improving processes, training users and better integrating existing technologies.
Healthcare providers looking to safeguard patient data more effectively should consider the following actions:
1. Start with Strategy by Getting Back to Basics
Advanced cybersecurity tools are wasted in IT environments where basic blocking and tackling steps are missed. For instance, in addition to implementing detailed firewall logging, organizations must also ensure that patch management is a part of their cybersecurity strategy. Password protection and access management are also critical.
Discussions with partners about cybersecurity strategies should typically begin with assessments of tools and tactics, such as firewalls, web and email security, and authentication controls (including two-factor authentication for remote access). Leaders must also prioritize policies around password management. When these relatively basic measures are lacking, it's nearly impossible for healthcare providers to take the next step in their cybersecurity evolution.
2. Segment Networks for Increased PHI Security
Much of the challenge of safeguarding patient data is simply a matter of keeping sensitive information cordoned off from the rest of the network, making it more difficult for cyberattackers to reach it. Organizations that utilize network segmentation as a strategy deploy firewalls, routers and virtual LANs to restrict access to specific areas of their IT networks.
Segmentation also helps ensure that only those individuals who truly need it can access the disparate networks. For instance, many health organizations segment nonmedical systems, such as financial and human resources applications, onto separate networks from those that house patient data. In some cases, such a strategy can even save institutions money, as it allows organizations to rightsize their security investments.
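The segmentation described above only works if cross-zone traffic is actually held to a default-deny policy. The following script is an added example (not from the article or CDW) that maps addresses to hypothetical zones, treats an explicit allow list as the only permitted cross-zone paths, and flags flow records that cross a boundary the policy does not permit, such as an HR host reaching the EHR database port or a guest Wi-Fi client reaching PHI servers. The subnets, ports and flow records are constructed for illustration.

```python
"""Segmentation policy check: map IP addresses to network zones and flag
observed flows that cross zone boundaries the policy does not permit.
Added example; zones, subnets, the allow list and the flow records are
constructed for illustration."""
import ipaddress
from typing import NamedTuple

# Hypothetical segments (constructed; not a real hospital's address plan).
ZONES = {
    "clinical_workstations": ipaddress.ip_network("10.10.0.0/16"),
    "ehr_servers":           ipaddress.ip_network("10.20.0.0/24"),   # holds PHI
    "corporate_hr_finance":  ipaddress.ip_network("10.30.0.0/16"),
    "medical_devices":       ipaddress.ip_network("10.40.0.0/16"),
    "guest_wifi":            ipaddress.ip_network("192.168.100.0/24"),
}

# Permitted cross-zone paths as (source zone, destination zone, destination port).
# Everything not listed is denied: default-deny is what segmentation buys you.
ALLOWED = {
    ("clinical_workstations", "ehr_servers", 443),
    ("medical_devices", "ehr_servers", 2575),   # HL7 over MLLP (assumed port)
}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Name of the zone containing ip, or 'unknown' if no zone matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(flow: Flow) -> tuple:
    """Return (allowed, reason). Intra-zone traffic is out of scope here;
    cross-zone traffic must match an ALLOWED tuple exactly."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True, f"intra-zone traffic within {src_zone}"
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return True, f"{src_zone} -> {dst_zone}:{flow.dport} permitted"
    return False, f"{src_zone} -> {dst_zone}:{flow.dport} not in policy"


def find_violations(flows):
    """List of (flow, reason) for every flow the policy does not permit."""
    violations = []
    for flow in flows:
        ok, reason = check_flow(flow)
        if not ok:
            violations.append((flow, reason))
    return violations


# Constructed flow records, as they might be exported from firewall or NetFlow logs.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.10", 443),       # workstation -> EHR web: allowed
    Flow("10.30.2.7", "10.20.0.10", 1433),       # HR host -> EHR DB port: violation
    Flow("192.168.100.44", "10.20.0.10", 443),   # guest Wi-Fi -> EHR: violation
    Flow("10.40.1.9", "10.20.0.10", 2575),       # device -> EHR HL7: allowed
    Flow("10.10.5.20", "10.10.5.21", 445),       # same zone: not checked here
    Flow("203.0.113.9", "10.20.0.10", 443),      # unknown source zone: violation
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print("VIOLATION", flow.src, "->", flow.dst, flow.dport, "|", reason)
```

Running the same check periodically against exported firewall or flow logs turns the segmentation design into something that can be verified, rather than assumed, after every routing or VLAN change.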
3. Update Existing Cybersecurity Tools Regularly
It's not enough to simply have cybersecurity systems in place. Organizations must also maintain and update these tools over time and ensure they have effective processes deployed to support them. For example, if a hospital installs an endpoint security tool but doesn't update that tool for three years, it likely won't be very effective at detecting and stopping newer, more advanced attacks.
Likewise, it's also important for hospitals to continually update processes, so when existing tools detect suspicious activities, IT employees are prepared and empowered to respond appropriately and immediately.
4. Assess Risks and Train Staff to Defend Against Them
Most data breaches in healthcare organizations begin with attacks on email. For instance, a recent report notes that slightly more than 64,000 patient records were exposed via email breaches in 2016, while in the fourth quarter of 2017 alone, 65,000 records were exposed in the same manner, a 467 percent increase overall. According to the HIMSS cybersecurity report, roughly 62 percent of healthcare organizations surveyed identified email as the most likely initial point of compromise.
While email security tools are important, hospitals and clinics must also make sure that employees are trained to sniff out phishing and spear phishing attempts. Some experts estimate advanced spear phishing attacks can cost businesses, on average, $140,000 per incident. Staff must learn to avoid clicking on suspicious links, which can inadvertently allow malware onto the network. Phishing simulation and awareness campaigns can help healthcare cybersecurity managers better understand the current level of awareness among employees and provide targeted training as needed.
In a phishing simulation, IT or a third party sends faux phishing emails to employees and tracks who clicks on which links. Depending on how employees perform in the assessment, they can be directed to watch on-demand training videos or undergo more extensive educational programming.
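The tracking side of a simulation like the one just described can be done without putting employee identities into the links themselves. The script below is an added example (not from the article or CDW) of the bookkeeping: each recipient gets an opaque per-link token derived with an HMAC under a campaign secret, clicks are attributed by looking those tokens up in the landing page's access log, and each employee is assigned a training tier based on how many lure links they followed. Recipients, link names, log lines and tier names are constructed assumptions.

```python
"""Phishing-simulation click tracking: per-recipient tokens, click attribution
from the landing page's access log, and a training tier per employee.
Added example; recipients, log lines and tier names are constructed."""
import hashlib
import hmac
import re
from collections import defaultdict

# Per-campaign secret; generate a fresh one for every campaign (constructed here).
CAMPAIGN_SECRET = b"constructed-campaign-secret-2018"


def tracking_token(user_id: str, link_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque token placed in the simulation URL. Using an HMAC keeps the
    recipient's identity out of the link and makes tokens unguessable, so a
    click can be attributed only by whoever holds the campaign secret."""
    msg = f"{user_id}|{link_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:24]


def build_token_map(recipients, link_ids, secret: bytes = CAMPAIGN_SECRET):
    """token -> (recipient, link_id) for every lure link sent in the campaign."""
    return {tracking_token(u, l, secret): (u, l) for u in recipients for l in link_ids}


# Hypothetical campaign population and the two lure links in the simulated email.
RECIPIENTS = ["alice@hospital.test", "bob@hospital.test",
              "carol@hospital.test", "dave@hospital.test"]
LINK_IDS = ["reset-password", "view-document"]
TOKEN_MAP = build_token_map(RECIPIENTS, LINK_IDS)


def _log_line(token: str, ip: str, ts: str) -> str:
    return f'{ip} - - [{ts}] "GET /t/{token} HTTP/1.1" 200 512'


# Constructed access log from the simulation landing page: alice clicked one
# link, bob clicked both (one of them twice), carol and dave clicked nothing,
# and one request carries a token that was never issued by this campaign.
ACCESS_LOG = "\n".join([
    _log_line(tracking_token("alice@hospital.test", "reset-password"), "10.10.5.20", "12/Mar/2018:09:14:02 +0000"),
    _log_line(tracking_token("bob@hospital.test", "reset-password"), "10.10.7.3", "12/Mar/2018:09:15:40 +0000"),
    _log_line(tracking_token("bob@hospital.test", "view-document"), "10.10.7.3", "12/Mar/2018:09:16:01 +0000"),
    _log_line(tracking_token("bob@hospital.test", "view-document"), "10.10.7.3", "12/Mar/2018:09:16:09 +0000"),
    _log_line("0" * 24, "10.30.2.7", "12/Mar/2018:09:20:00 +0000"),
    '10.10.9.9 - - [12/Mar/2018:09:21:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
])

TOKEN_RE = re.compile(r'"GET /t/([0-9a-f]{24}) ')


def parse_clicks(log_text: str, token_map=TOKEN_MAP):
    """Return {recipient: set of link_ids clicked}; repeat clicks collapse to one."""
    clicks = defaultdict(set)
    for line in log_text.splitlines():
        m = TOKEN_RE.search(line)
        if not m:
            continue
        entry = token_map.get(m.group(1))
        if entry is None:
            continue  # token not issued by this campaign: ignore rather than guess
        recipient, link_id = entry
        clicks[recipient].add(link_id)
    return dict(clicks)


def summarize(recipients, clicks):
    """Campaign click rate plus a training tier per recipient (tier names constructed)."""
    clicked = sum(1 for r in recipients if r in clicks)
    rate = clicked / len(recipients)
    tiers = {}
    for r in recipients:
        n = len(clicks.get(r, ()))
        tiers[r] = "none" if n == 0 else ("on-demand video" if n == 1 else "extended program")
    return rate, tiers


if __name__ == "__main__":
    rate, tiers = summarize(RECIPIENTS, parse_clicks(ACCESS_LOG))
    print(f"click rate: {rate:.0%}")
    for r, t in tiers.items():
        print(f"{r}: {t}")
```

Because the token map is the only thing that links a token back to a person, the click log itself holds no names or email addresses, which keeps the assessment data easier to handle and lets the campaign secret be discarded once results are recorded.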
5. Secure Productivity Tools Give Providers an Edge
Security and productivity have not always gone hand in hand. The thinking goes: An organization could completely protect its network by clamping down on access but destroy employee productivity in the process. Conversely, a hospital could theoretically boost productivity by offering all employees unfettered access to all systems but create a veritable feeding frenzy for malicious actors.
However, some emerging cybersecurity tools can actually enhance clinician and staff productivity, rather than detract from it. For instance, secure messaging solutions emerged in response to clinicians sending each other text messages with patient updates using personal devices — a potential violation of HIPAA. Now that clinicians and other staff have access to secure messaging tools and services, they're using the technology to enhance communication, improve support and accelerate records access.
Similarly, single sign-on solutions emerged as a way to control access and identity management in healthcare settings. But they also simplify workflows and increase physician and nurse face time with patients.
6. Integrate and Improve Cybersecurity Resources
All too often, hospitals and other healthcare organizations have a number of effective, up-to-date cybersecurity tools at their disposal, but the systems lack integration, which hamstrings the effectiveness of the tools. This is an area where a third-party partner can help.
In a typical engagement, hospital IT administrators might feel confident in their tools but ask a third-party solution architect to compare their cybersecurity environment to exemplary samples. During a cybersecurity gap analysis, the expert might find that existing firewall policies are not as effective as they could be or that password complexity standards should be raised.
A third-party partner can also help busy healthcare IT managers stay abreast of evolving cybersecurity solutions and explore which emerging and next-generation tools can help strengthen the organization's security posture and keep patient data safe.
Learn how to best prepare your healthcare organization for looming cyberthreats by reading the CDW white paper “Ensuring the Security of Patient Data.”