Cyber attacks on healthcare systems have surged over the past few years. In fact, healthcare accounted for the highest share of data security incidents in 2015 (23 percent), according to the latest Data Security Incident Response Report from the national law firm BakerHostetler.
In June 2016 alone, the Protenus Breach Barometer reported that 11 million patient records were breached. Meanwhile, the Ponemon Institute report, “Security beyond the Traditional Perimeter,” found that the healthcare industry is less prepared than industries such as financial services or retail to monitor and reduce external threats. Healthcare organizations are often aware of the cost of external attacks, but many lack the expertise and technology to stop them.
For cybercriminals, the healthcare industry has long been a valuable target. They know that in one fell swoop they can gather the insurance details, payment card details, and medical histories of millions of patients. Chief Information Security Officers (CISOs) at healthcare organizations are striving to outmaneuver these attackers, but the attackers themselves keep getting more sophisticated.
To meet this challenge, today’s healthcare organization, and particularly its IT function, must be able to consolidate and correlate findings from multiple vulnerability scanners, attach business context to the reported risks, and manage remediation effectively.
Many leading healthcare organizations are adopting a top-down approach to cybersecurity where the senior management sets the tone for how the rest of the enterprise should respond to cyber risk. The leadership team takes responsibility for cyber risk management, develops sound policies and frameworks, and defines reporting lines clearly. They also ensure that the organization collaborates closely with its business associates to jointly mitigate cyber risk.
In line with these practices, here are five key defense strategies for healthcare organizations to combat cybercrime:
One of the first steps in cybersecurity management is to understand security risks in the context of the business. That requires the data security team to classify information assets by their business significance. For instance, a vulnerability on a user’s desktop is far less critical than the same vulnerability on a database server housing millions of patient records. Once the team knows which assets are most critical, it can prioritize its cybersecurity and threat mitigation efforts accordingly.
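The two points above (correlating findings from several scanners, then ranking them by the business significance of the affected asset) can be shown in a few dozen lines. The following is an added example, not code from the original article or any vendor product; the scanner exports, host names, owners and criticality tiers are all constructed for illustration, and the vulnerability IDs are placeholders rather than real CVEs. It merges duplicate findings reported by more than one tool, weights CVSS by asset criticality, and flags hosts that are missing from the inventory so they are not silently triaged as low priority.

```python
"""Correlate multi-scanner findings and rank them by asset criticality.
Added example with constructed data; names and scores are hypothetical."""
from dataclasses import dataclass, field

# Constructed asset inventory: criticality 1 (low) .. 5 (critical).
# In practice this comes from a CMDB or data-classification register.
ASSETS = {
    "ws-0412":       {"owner": "clinic-front-desk", "criticality": 1, "phi": False},
    "ehr-db-01":     {"owner": "clinical-systems",  "criticality": 5, "phi": True},
    "portal-web-02": {"owner": "patient-portal",    "criticality": 4, "phi": True},
}

# Constructed scanner exports as (host, vuln_id, cvss). The same issue often
# shows up in more than one tool with slightly different scores.
SCANNER_EXPORTS = {
    "scanner-a": [
        ("ws-0412",       "vuln-001", 9.8),
        ("ehr-db-01",     "vuln-002", 7.5),
        ("portal-web-02", "vuln-003", 6.1),
    ],
    "scanner-b": [
        ("ehr-db-01",     "vuln-002", 7.2),   # duplicate of scanner-a's finding
        ("ehr-db-01",     "vuln-004", 5.3),
        ("unknown-host",  "vuln-005", 9.0),   # host not in the inventory
    ],
}

# Assumption: hosts missing from the inventory are triaged as medium and
# flagged, rather than dropped, so the inventory gap itself gets fixed.
DEFAULT_CRITICALITY = 3


@dataclass
class Finding:
    host: str
    vuln: str
    cvss: float
    sources: set = field(default_factory=set)


def correlate(exports):
    """Merge per-scanner rows into one record per (host, vuln).
    Keeps the highest CVSS seen and records which tools reported it."""
    merged = {}
    for scanner, rows in exports.items():
        for host, vuln, cvss in rows:
            f = merged.setdefault((host, vuln), Finding(host, vuln, cvss))
            f.cvss = max(f.cvss, cvss)
            f.sources.add(scanner)
    return merged


def prioritize(merged, assets):
    """Rank findings by CVSS weighted by business criticality."""
    ranked = []
    for f in merged.values():
        asset = assets.get(f.host)
        crit = asset["criticality"] if asset else DEFAULT_CRITICALITY
        ranked.append({
            "host": f.host,
            "vuln": f.vuln,
            "cvss": f.cvss,
            "criticality": crit,
            "phi": bool(asset and asset["phi"]),
            "owner": asset["owner"] if asset else None,
            "inventory_gap": asset is None,
            "sources": sorted(f.sources),
            "score": round(f.cvss * crit, 1),
        })
    # Highest business-weighted score first; raw CVSS breaks ties.
    ranked.sort(key=lambda r: (-r["score"], -r["cvss"], r["host"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(correlate(SCANNER_EXPORTS), ASSETS):
        gap = " (INVENTORY GAP)" if r["inventory_gap"] else ""
        print(f'{r["score"]:>5}  {r["host"]:<14} {r["vuln"]}  cvss={r["cvss"]}  '
              f'crit={r["criticality"]}  phi={r["phi"]}  via={",".join(r["sources"])}{gap}')
```

Run as-is, the 9.8 CVSS finding on the front-desk workstation lands at the bottom of the list, while the 7.5 on the patient database (reported by both scanners) lands at the top; the host nobody has catalogued sits second, which is the signal to fix the inventory before deciding it is harmless.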
The cybersecurity landscape is constantly evolving, which is why IT and security teams need to stay updated on the latest threats, threat agents, and attack vectors. This will enable them to devise better defenses, and also educate their staff on recent attacks and scams.
Once a new or potential threat is identified and mapped to information assets, senior management needs to agree on the steps required to reduce it and protect sensitive information. They also need to allocate additional budget where necessary to get those steps done.
It is critical for healthcare security teams to implement appropriate controls around data segregation and infrastructure security. Continuous monitoring is also needed to confirm that the controls are in place and working as intended. Organizations would do well to leverage the HITRUST CSF, an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third-party (PCI, COBIT), and government (NIST, FTC) mandates.
Another best practice is to invest in technologies that automatically scan and protect data, log access and modification of records as it happens, and immediately alert IT teams to unusual or unauthorized behavior. Organizations would also benefit from an enterprise security incident detection and response program as part of their larger cybersecurity plan. Additionally, crisis management must be integrated into the business resilience strategy, and the organization should work out in advance how it will respond to different types of breach.
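As an added illustration of the monitoring described above (not code from the article or any EHR product), here is a small detector run over constructed audit-log lines. The log format, field names, role names and thresholds are all assumptions chosen for the example. Two rules are applied: a record update or delete by a role that is not permitted to modify records, and a user touching an unusually large number of distinct patient records within a short window, which is the pattern behind bulk exfiltration of PHI.

```python
"""Flag unusual or unauthorized PHI access in EHR audit logs.
Added example; log lines, roles and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: ISO-8601 UTC timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

# Assumptions for the example: which roles may change records, and what
# counts as bulk access. Real thresholds would be tuned per role/workflow.
MODIFY_ROLES = {"clinician", "records-admin"}
BULK_THRESHOLD = 5                    # distinct patients ...
BULK_WINDOW = timedelta(minutes=10)   # ... within this window

# Constructed sample: one billing user pages through five patients in a
# minute, and another billing user deletes a record.
SAMPLE_LOG = """\
2016-06-14T09:01:10Z user=asmith role=clinician action=read patient=P1001
2016-06-14T09:02:40Z user=asmith role=clinician action=update patient=P1001
2016-06-14T09:03:05Z user=bjones role=billing action=read patient=P2001
2016-06-14T09:03:20Z user=bjones role=billing action=read patient=P2002
2016-06-14T09:03:35Z user=bjones role=billing action=read patient=P2003
2016-06-14T09:03:50Z user=bjones role=billing action=read patient=P2004
2016-06-14T09:04:05Z user=bjones role=billing action=read patient=P2005
2016-06-14T09:30:00Z user=cwhite role=billing action=delete patient=P3001
2016-06-14T09:31:00Z user=asmith role=clinician action=read patient=P1002
"""


def parse(line):
    """Turn one audit line into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text):
    """Return alerts in log order. Lines are assumed to be time-sorted."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, patient)
    bulk_alerted = set()          # one bulk alert per user per run

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)

        # Rule 1: a modification by a role that is not allowed to modify.
        if ev["action"] in ("update", "delete") and ev["role"] not in MODIFY_ROLES:
            alerts.append({"rule": "unauthorized-modification", "ts": ev["ts"],
                           "user": ev["user"], "role": ev["role"],
                           "action": ev["action"], "patient": ev["patient"]})

        # Rule 2: many distinct patients for one user inside the window.
        window = recent[ev["user"]]
        window.append((ev["ts"], ev["patient"]))
        while window and ev["ts"] - window[0][0] > BULK_WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_THRESHOLD and ev["user"] not in bulk_alerted:
            bulk_alerted.add(ev["user"])
            alerts.append({"rule": "bulk-record-access", "ts": ev["ts"],
                           "user": ev["user"], "role": ev["role"],
                           "patients": len(distinct)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["rule"], a["user"], a.get("patient", a.get("patients")))
```

Note that the clinician's update on the first patient produces nothing, because the rule is about role, not action; the billing user's delete does. The bulk rule keeps a sliding window per user and suppresses repeat alerts for the same user so a long session does not produce one alert per line.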
After the introduction of the HIPAA Omnibus rule, the business associates and vendors of covered entities have become just as accountable for securing Protected Health Information (PHI) as the covered entities themselves. In fact, under the Omnibus rule, business associates can face direct civil liability for a breach. However, it is the responsibility of the covered entities to have controls in place to ensure that their business associates are safeguarding PHI effectively.
Establishing a robust due diligence program to monitor business associates gives organizations the risk intelligence they need to protect PHI and the business that depends on it. For a new business associate, a quarterly review is a sensible starting cadence; as the relationship matures and the associate demonstrates effective controls, reviews can move to semi-annual or annual. It is also important to monitor the effectiveness of the due diligence program itself, especially as new risks, controls, and vulnerabilities emerge.
Right from the beginning, relevant stakeholders and senior management must be kept informed about IT policies and controls, especially those critical to cybersecurity. Healthcare CISOs should establish granular governance and reporting mechanisms that provide an in-depth view of the organization’s IT assets and ecosystem. These mechanisms and tools should be able to handle all risk and compliance related reporting requirements across business operations, and also deliver security risk intelligence in a way that makes sense to business heads and senior management.
With the IT landscape in healthcare organizations growing increasingly complex, it is critical that data security teams choose the right processes and tools to safeguard the enterprise from breaches. A comprehensive risk management and mitigation program helps the organization stay a step ahead of cybercriminals and resolve threats and vulnerabilities before they snowball into larger issues. With the appropriate defense strategies in place, healthcare organizations can become more “cyber risk intelligent” and keep data breaches at bay.