*This is part of a series of fireside chats with Clearwater Compliance and SecureWorks.*
A quick look at the news will reveal an unsettling reality – the healthcare industry is increasingly in the crosshairs of attackers looking to make money. The threats come in a variety of forms, from ransomware such as WannaCry to vulnerabilities in IoT devices. Addressing the challenges of protecting such an environment requires a proactive approach to security that goes beyond simple regulatory compliance. In this fireside chat with SecureWorks’ Cliff Kittle, we will take a look at how healthcare organizations need to approach cybersecurity, and what this shift in mindset should look like.
Q: What are some of the biggest cybersecurity challenges facing healthcare organizations today?
A: Where to begin. Healthcare organizations are facing a number of challenges caused by limited cybersecurity budgets, the value of electronic health records in the underworld, the ever-growing ecosystem of partners with that data, and lost or stolen devices. In ‘The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data’, Ponemon Institute found that in the data breaches they examined, 50 percent of healthcare organizations said the breach was a criminal attack while 41 percent said it was caused by a third-party snafu. Thirty-nine percent attributed the breach to a lost or stolen device. In addition to that, accidental data leaks and theft by insiders pose a problem as well.[i]
And that’s just part of it. With the expansion of the Internet, digitized data not specifically addressed by the HIPAA (Health Insurance Portability and Accountability Act) regulation has also become a target. Data related to clinical trials and the intellectual property shared by the drug manufacturer has great value, and the healthcare delivery organization’s cash is at risk as threat actors seek to re-route electronic payments to the organization’s partners as well.
Q: We have recently seen examples of healthcare organizations impacted by ransomware attacks such as WannaCry. Is the healthcare industry in particular being targeted by ransomware criminals?
A: The WannaCry attack was not specifically aimed at the healthcare industry, but the perceived weakness of the average healthcare organization’s security defense is a lure for ransomware attackers. Hospitals need continuous availability of accurate patient data in order to provide necessary patient treatment and ensure the safety of the patient. The latter is becoming more of a focal point as ransomware attacks continue to increase. With the Office for Civil Rights classifying ransomware attacks as presumed breaches that must be assessed[ii] according to the HIPAA Breach Notification Rule, the onus to have a sound incident response/contingency plan becomes increasingly important. The loss of availability of patient data and its disruption to the daily operations of an HDO (healthcare delivery organization) make them an ideal target for ransomware attackers who can penetrate their security and hold that data for a ransom that has a greater probability of being paid.
Q: Why hasn’t HIPAA compliance been enough to stave off attacks?
A: HIPAA is not a ceiling for security; it is really just a baseline. It was passed in order to provide guidance for protecting the security and privacy of personal health data. At the time, the industry was still digitizing healthcare records, and much of the guidance in the regulation is based on the IT environments of the time. The challenge of today’s environment is not to simply meet HIPAA’s requirements, but to expand the organization’s defenses to meet its current security needs. HIPAA does not consider data outside of electronic health information – such as intellectual property and financial information – and also does not require more than basic security controls.[iii]
Q: So the focus for healthcare organizations can’t end with complying with HIPAA. What should their mindset be strategically?
A: Security has to be baked into every business process in order for healthcare organizations to address the risks they face. The approach they take should not be compliance-focused; compliance should be viewed as a piece of a security program focused on vulnerability management, risk assessments, and incident response. Each of these should be a continuous program that contributes to the overall information security program itself. They should also be expanded appropriately to include the ecosystem of partners the organization deals with.
Q: How does this relate to the ‘Doctrine of Maneuver Warfare’?
A: The Health & Human Services’ Office for Civil Rights is stressing the changes necessary to build a strong information security program using a framework such as NIST 800-53.[iv] Any program must be built on principles that can be applied to each objective and the strategy for achieving that objective. According to industry analysts, the objectives of an information security program are:
• Enabling an organization to prevent, as much as possible, successful infiltration of its infrastructure;
• Quickly detecting any successful infiltration;
• Responding to such an infiltration in a manner that provides the best possible opportunity to minimize the compromise and mitigate its impact on the daily operations of the organization;
• Learning from that experience such that the organization is better able to predict future attacks.
In other words, be proactive and able to improvise when the unexpected occurs, adapt to the new situation based on the threat being posed, and overcome the obstacles to restoring the security posture while maintaining the availability of the data necessary to provide the best patient outcome and maintain the safety of the patient. The principles of “The Doctrine of Maneuver Warfare” are just such principles on which to build the program and apply the controls to provide the strongest possible security posture while enabling the organization to be proactive in making the changes necessary to address the continuous evolution of the threat actor and the attack vectors being developed.
[i] Ponemon Institute, ‘The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data’, May 2016
[iii] The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
[iv] HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf