One of the greatest perils the healthcare community must confront involves the ever-present danger of major information security threats. To make matters worse, these are not stagnant hazards; rather, they’re continuously shifting and evolving in response to each newly erected digital moat, palisade, or bulwark. So, as the industry’s information communication technology [ICT] infrastructure becomes more complex and sophisticated, so too do the malicious programs and people seeking entrance into such systems.
Fortunately, defensive systems and protocols have been raised in order to ward off the hoards of 21st-century barbarians. Chief amongst these measures is HITRUST, which has become the industry standard for regulating and mitigating risk. But what are the major cybersecurity risks in healthcare and how does HITRUST help prevent them?
Read on to discover the answers to these questions and more!
Cyber Security Risks in Healthcare
Over the past two decades, cybercriminal activity has continued to grow exponentially, becoming the fastest growing criminal activity in the United States. In fact, according to Cybersecurity Ventures:
Cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind. The impact on society is reflected in the numbers. Last year, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
Unsurprisingly, the healthcare industry has become the prime target of cyberattacks. With its relatively recent transition from physical record-keeping to digital (in accordance with HIPAA’s mandates), healthcare providers and organizations have had to learn the digital landscape on the fly. As you might imagine, this was a messy transition, mistakes were made and breaches occurred frequently.
One particular problem with the gradual HIPAA rollout was that, until the additions of HITECH and HITRUST, there were few mechanisms and prescriptive compliance programs for ensuring the safety of the private health data. This resulted in almost every healthcare system having glaring security vulnerabilities or practicing unsound policies. The Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute found that, in 2016, the healthcare industry was the most attacked by cybercriminals of any industry. Important findings include:
- Data breaches cost the healthcare sector $6.2 billion.
- Approximately 80% of healthcare institutions were hit with at least two data breaches, with nearly 50% of those being hit by at least five breaches.
- 89% of healthcare organizations had at least one data breach involving the loss or theft of patient data in the previous two years.
- 50% of healthcare organizations said the root cause of data breaches were due to a criminal attack.
The Costs of Breaches
Naturally, your first thought regarding the costs of a security breach might just involve the monetary cost, which is substantial but fail to paint the entire picture. A data breach in the healthcare industry can have severe ramifications, so it’s helpful to split the costs into one of three categories in order to gain a better understanding of how serious an information breach can be. Typically these costs are:
- Theft of Private Data – The most obvious consequence of a data intrusion. Healthcare providers store terabytes upon terabytes of stored data. In fact, “As much as 30% of the entire world’s stored data is generated in the healthcare industry. A single patient typically generates close to 80 megabytes each year in imaging and electronic medical record (EMR) data.” Such data can include payment details, personal information, market information, and account details. When an intrusion occurs all of this information can be purloined, damaging both the patients and the healthcare orgs.
- Decreased Patient Trust – This figure is far harder to quantify, but it’s no secret that a patient’s trust is incredibly important, particularly if you wish for them to remain clients. Few events can make them lose trust as quickly as the discovery that their private data has been lifted due to your alleged incompetence. Once their trust is gone, they can and will seek treatment elsewhere.
- Hidden Costs – In addition to the monetary costs that are more easily quantifiable, for every data breach there are dozens of smaller, more obscured costs that can plague a healthcare business for years on end. There are costs in labor, time, and monetary expense arising from:
- Restoration of lost data
- Forensic investigation
- Disruption to the business
- Updating your software
- Training employees
- Hiring more IT
The Most Common Cyber Security Risks in Healthcare
Although there are a variety of threats that any healthcare organization will face, there are some common ones that your business should be aware of. These include:
- Employee Negligence – As is often the case, human error is the main source of the problem. Employee unawareness and lack of education are the predominant security threats in the healthcare industry. Practically every survey on the matter reveals that a dearth of preparation, understanding, or plain common sense about security policies leads to breaches. All too often, employees fall prey to the common phishing attacks such as malware and ransomware out of sheer incompetence.
According to the previously mentioned Ponemon Institute study, “when healthcare organizations were asked what type of security incident worries them most, by far it is the negligent or careless employee (69 percent of respondents). Forty-five percent of respondents say it is cyber attackers and 30 percent say it is the use of insecure mobile devices. These findings are virtually unchanged since 2015. Insecure medical devices and system failures are the least problematic (9 percent and 13 percent of respondents, respectively).”
- Malware/Ransomware – In most phishing attacks, employees lower the virtual drawbridge to two primary types of attack:
- Malware – A type of software that will be embedded in links, downloads, or emails. It’s meant to look legitimate but often acts as a Trojan Horse of sorts, carrying malicious codes or programs that are intended to steal data, alter the system’s codes, or covertly spy on the system.
- Ransomware – A common variation of malware that, once clicked on, gains access to the security controls and is able to shut down and encrypt the system, making it unusable until a ransom is paid. Even upon payment, there’s no assurance that control will be returned.
- Mobile Device Insecurity – As mobile devices are used frequently and broadly, hackers find golden opportunities to shift the focus of their phishing attacks to the more vulnerable mobile devices. According Michael Covington, VP of product at Wandera, mobile device users are particularly exposed to phishing attacks. He states:
As people have shifted to using their mobile devices at an increasingly larger rate, hackers have sought to step up their game by tailoring phishing scams to mobile devices. In fact, “Mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender’s name — making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.”
- Cloud Services – In recent years, more and more healthcare companies have chosen to store their troves of private data in the cloud. Naturally, the security needs or vulnerabilities are far different from that of a physical server farm, and IT staff have been forced to adapt to new threats and develop and establish new defensive measures in response. Fidelis Cybersutiy’s Chief Scientist, Abdul Rahman, had this to say on the matter:
The main risk is a breach, and part of the beauty of the cloud from an adversary perspective is that they don’t need to spend reconnaissance time looking at on-premises components. We now get into a situation of how to monitor traffic and data to and from the cloud. It takes a lot more effort to defend that terrain than it does for them to attack it — the advantage is tipped in their favor, and I don’t think that’s going away.
- BYOD – Companies that fail to institute a “no bring your own device [BYOD] policy” leave their business vulnerable to Internet of Things [IOT] Attacks. Computers, laptops, smart watches, and mobile devices present two primary problems:
- Add potential openings that hackers could use to intrude upon the system, particularly if they use software that is out-of-date or hardware that is antiquated.
- They could unknowingly bring in malicious programs, creating a gateway for hackers to move to once the device is connected into the system.
How HITRUST Regulates Risk Management in the Healthcare Industry
HITRUST, the Health Information Trust Alliance, has long been the foremost data protection standards development and certification organization in the world of healthcare. It was the very first body to put together a prescriptive set of security standards, procedures, and actions in response to HIPAA and the threat of data intrusion. The organization compiled the Common Security Framework [CSF], which harmonizes various other compliance frameworks such as:
Together, these controls and actions help prevent common cybersecurity problems.
The CSF Framework
In order to properly cover such an expansive framework, the CSF was divided in 19 primary domains:
- Access Control
- Audit Logging & Monitoring
- Business Continuity & Disaster Recovery
- Configuration Management
- Data Protection & Privacy
- Education, Training & Awareness
- Endpoint Protection
- Incident Management
- Information Protection Program
- Mobile Device Security
- Network Protection
- Password Management
- Physical & Environmental Security
- Portable Media Security
- Risk Management
- Third-Party Security
- Transmission Protection
- Vulnerability Management
- Wireless Protection
Within these 19 domains are 135 specific controls meant to reduce a healthcare company’s cybersecurity risks. So, in order to be HITRUST CSF certified, your business must pass three separate Degrees of Assurance, demonstrating compliance with each and every one of the 135 controls. These three tiers are:
- Self Assessment – Your organization completes an internal CSF audit on its own based on the standardized framework. This allows you to measure your security, identify where you’re vulnerable, and create visibility on areas of compliance and noncompliance. Taking this step allows you to make changes and properly prepare for a third-party audit.
- CSF Validated – A third-party, HITRUST-approved assessor, such as RSI Security, comes in and reviews the work of the self-assessment and remediation. They run through the same tests and controls, judging your business’ compliance against the CSF framework. Once completed, should you pass, you will be issued a Validated Report.
- CSF Certified – Once remediation based on the CSF Validation occurs, a company will once more undergo a third-party audit, this time by HITRUST itself. The same tests and checks will occur. If HITRUST concludes that you have met all the requirements you will be granted a HITRUST CSF Certification.
Even after CSF Certification, your business isn’t done with the audits. Since the cybersecurity and technology world are continuously shifting, you will need to adapt to updates or changes. In fact, you will need to perform an audit every year to continue to retain that certification. Fortunately, the process will be faster and less costly since you will already be in compliance in most facets. As a result, only small remediation shifts or movements will likely be necessary.
HITRUST Threat Catalogue
In recent years, in order to add even greater oversight and risk management mechanisms, HITRUST announced the creation of a Threat Catalogue. This was intended to help create visibility on new, current, or future threats, and to align them with the HITRUST CSF risk factors and controls. According to HITRUST, the Threat Catalogue was created to perform for primary tasks:
- Identify and leverage an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI
- Enumerate all reasonably anticipated threats to ePHI for a general healthcare organization
- Map HITRUST CSF control requirements to the enumerated threats
- Identify any additional information needed in future iterations of the HITRUST Threat Catalogue to help meet its objectives
Managing Your Cyber Security Risks
A data breach, even a small one, could potentially cost you millions of dollars and large swaths of your clientele. Therefore, it’s crucial that you educate your employees and take all the proper measures as outlined in HITRUST. There are far too many cybersecurity risks in healthcare to handle on your own. You need help. That’s where we come in.
At RSI Security, our goal is to help your healthcare organization navigate the tricky roads of cybersecurity and HIPAA compliance. We work with you to mitigate risks, improve your security, and attain HITRUST CSF certification. So, if you want to protect your business, partner with us and together we will begin to shore up your digital defenses and decrease your risks across every facet of your digital terrain.
Morgan, S. Cybersecurity Ventures. Cybercrime Damages $6 Trillion By 2021. (2017). https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
Ponemon Institute. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. (2016). https://www.ponemon.org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf
NEJM Catalyst. Using it or Losing It? (2017). https://catalyst.nejm.org/case-data-scientists-inside-health-care/
Drolet, M. CSO. The Rise of Mobile Phishing Attacks and How to Combat Them. (2018). https://www.csoonline.com/article/3268109/the-rise-of-mobile-phishing-attacks-and-how-to-combat-them.html
Eddy, N. Healthcare IT News. 5 Cybersecurity Threats Healthcare Faces in 2019 and Beyond. (2019). https://www.healthcareitnews.com/news/5-cybersecurity-threats-healthcare-faces-2019-and-beyond
HITRUST. HITRUST Threat Catalogue Advances Healthcare Industry Cyber Risk Management, Improves Effectiveness of Organizational Risk Analyse. (2018). https://hitrustalliance.net/hitrust-threat-catalogue-advances-healthcare-industry-cyber-risk-management-improves-effectiveness-organizational-risk-analyses/