Jun 30 2022

What Growing Federal Scrutiny of Healthcare Cybersecurity Means for Organizations

As the U.S. government aims to strengthen public and private cybersecurity processes, here’s what healthcare organizations need to know.

Recovering from a ransomware attack will cost a healthcare organization $1.85 million, on average, and take about a week to resolve, according to Sophos’ most recent report.

Healthcare organizations are also more likely than organizations in other sectors to pay the ransom, but when they do, they may not get back all their data. And just 78 percent of healthcare organizations have cyber insurance coverage, according to Sophos’ “The State of Ransomware in Healthcare 2022.”

As healthcare systems face the daunting proliferation of cyberthreats and vulnerabilities, the federal government has continued to keep a close watch on the sector. The landscape has drastically evolved since HIPAA was signed into law in 1996.

This spring, the U.S. Senate introduced the PATCH Act, a bipartisan bill targeting medical device security. In a statement of support for the legislation, the American Hospital Association wrote, “Cyber vulnerabilities in medical devices, often containing outdated legacy technology, have posed a significant cyber risk to hospitals.” 

With increased government scrutiny and a volatile threat landscape, healthcare organizations may also find insurers demanding proof of stronger cybersecurity controls, in response to major losses on cyber coverage during the pandemic. Purchasing cyber insurance without understanding the requirements or the extent of coverage needed could end up being more of a hindrance than a help.


Challenges to Strengthening Cybersecurity in Healthcare

The federal government has been working to help industries beef up their controls, from funding nascent cybersecurity research in the 1970s to establishing the Cybersecurity and Infrastructure Security Agency in 2018 and passing the Cyber Incident Reporting for Critical Infrastructure Act in 2022. Ultimately, federal agencies depend on private network administrators to do their part in monitoring and maintaining security.

Governmental direction can positively impact cyber insurance for healthcare organizations, but at what cost? Many healthcare organizations, particularly in rural areas, do not have the funding needed to boost their cybersecurity.

IT staffing shortages are also becoming more pronounced in healthcare, and this will only get worse.

Many healthcare systems can’t meet the demand to properly monitor and protect their data, perform forensic analysis or even recover from a major incident. This will certainly impact rural healthcare organizations, which already face a deficit in cybersecurity talent.

Some organizations that perform active threat hunting, detection and response activities are only able to do so for a portion of the day or a season of the year, such as when conducting an exercise to meet attestation requirements. That means they’re not doing a regular, complete job of monitoring for data protection.

Many organizations have turned to passive activities such as log aggregation and correlation, but they depend heavily on third-party assistance when threats are active or when speedy recovery is needed to keep operations running.


Calculating Cybersecurity Costs to Healthcare Organizations

When a healthcare organization is hit by a cyberattack, there are additional costs that can be substantial, including the time and resources needed to perform forensics. Analysis can be complicated if local IT teams do not preserve evidence before moving into recovery.

There’s also the cost from personnel loss: A ransomware attack could result in resignations or firings, shrinking an already reduced workforce. 

Ongoing legal fees can also affect organizations. And while losses in patient trust and future business are hard to calculate, they will nonetheless add even more to the cost of recovery.

It's likely that more healthcare organizations will turn to third-party cybersecurity professionals in search of programs and outcomes that they can afford. The cost of cybersecurity, if it's not tiered for smaller and larger organizations, will have a detrimental impact on healthcare.


Tips to Bolster Cybersecurity for Healthcare

Cybersecurity conversations should not be limited to IT departments; they must include business and operational stakeholders so that everyone is aligned. Transparency is key for any cybersecurity plan, not just with third-party partners but also within an organization.

In today's world, it is imperative to know the identity of users and devices that roam the network and have access to other resources within the environment. Organizations can minimize a ransomware attack’s impact in these ways:  

  1. Implement backups with best practices: That means air-gapped backups stored at multiple sites, with frequent restore testing.
  2. Have a structured program for regular software updates: This includes behavioral analytics, sunsetting old programs and microsegmentation of applications that do not play well within a network.
  3. Roll out sensible restrictions: Think carefully about who should have access to what data.
  4. Impose proper credential tracking: Identity is everything. Always know who is accessing your data.
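
Items 3 and 4 above, sensible access restrictions and knowing who touches your data, can be checked mechanically against access logs. The script below is an added example, not code from the article or from HealthTech; it assumes a constructed CSV log format (timestamp, account, data class, action, result), a constructed identity roster and role-to-data-class policy, and an assumed 07:00 to 19:00 business-hours window. It flags accounts missing from the roster, accesses a role is not permitted, and accesses outside business hours, and it builds a per-account summary of what data each identity has read.

```python
"""Audit constructed data-access log lines against a role-based access policy.

Added example (not from the article). Log format, roster, policy and the
business-hours window are all assumptions chosen for illustration.
"""
import csv
import io
from datetime import datetime

# Assumed policy: which data classes each role may access (least privilege).
ACCESS_POLICY = {
    "clinician": {"patient_record", "lab_result"},
    "billing": {"billing_record"},
    "it_admin": {"system_config"},
}

# Assumed identity roster: every known account and its role.
ROSTER = {
    "dr.lee": "clinician",
    "j.smith": "billing",
    "ops01": "it_admin",
}

# Constructed sample log: timestamp,account,data_class,action,result
SAMPLE_LOG = """\
2022-06-30T08:05:12Z,dr.lee,patient_record,read,ok
2022-06-30T08:07:44Z,j.smith,patient_record,read,ok
2022-06-30T02:15:01Z,ops01,system_config,write,ok
2022-06-30T09:12:30Z,svc_legacy,billing_record,export,ok
2022-06-30T09:13:00Z,dr.lee,lab_result,read,ok
"""

FIELDS = ("timestamp", "account", "data_class", "action", "result")


def parse_log(text):
    """Parse CSV log text into a list of dicts with a datetime timestamp."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        entry = dict(zip(FIELDS, row))
        entry["timestamp"] = datetime.strptime(entry["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(entry)
    return entries


def audit(entries, roster=ROSTER, policy=ACCESS_POLICY, business_hours=(7, 19)):
    """Return (account, data_class, reason) findings for policy violations."""
    findings = []
    start, end = business_hours
    for e in entries:
        role = roster.get(e["account"])
        if role is None:
            # Identity we cannot account for: the single most important finding.
            findings.append((e["account"], e["data_class"],
                             "unknown account (not in identity roster)"))
            continue
        if e["data_class"] not in policy.get(role, set()):
            findings.append((e["account"], e["data_class"],
                             f"role '{role}' not permitted to access this data class"))
        if not (start <= e["timestamp"].hour < end):
            findings.append((e["account"], e["data_class"],
                             "access outside business hours"))
    return findings


def access_summary(entries):
    """Per-account count of accesses by data class: who touched what."""
    summary = {}
    for e in entries:
        per_account = summary.setdefault(e["account"], {})
        per_account[e["data_class"]] = per_account.get(e["data_class"], 0) + 1
    return summary


if __name__ == "__main__":
    log_entries = parse_log(SAMPLE_LOG)
    for account, data_class, reason in audit(log_entries):
        print(f"FINDING {account} -> {data_class}: {reason}")
    for account, classes in access_summary(log_entries).items():
        print(f"{account}: {classes}")
```

On the constructed sample this reports three findings: a billing account reading a patient record, an administrator writing configuration at 02:15, and a service account that appears in no roster at all. The last category is the one to chase first, since an identity nobody can account for is exactly what "always know who is accessing your data" is meant to rule out.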

Finally, should a cyberattack happen, have a path to an incident responder who can get to your organization in under two hours to stop the attack and help with recovery.

This article is part of HealthTech’s MonITor blog series. Please join the discussion on Twitter by using #WellnessIT.
