Healthcare cybersecurity is a strategic imperative for any organization in the medical industry — from healthcare providers to insurers to pharmaceutical, biotechnology and medical device companies. It involves a variety of measures to protect organizations from external and internal cyber attacks and ensure availability of medical services, proper operation of medical systems and equipment, preservation of confidentiality and integrity of patient data, and compliance with industry regulations.
An Industry Under Attack
The healthcare industry has historically been a primary target of cyber attacks. As of January 7, 2022, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) was investigating 860 data breaches reported in the preceding 24 months; each breach exposed protected health information (PHI) of 500 or more individuals. One hundred nineteen (or 13.8%) of these breaches involved “Business Associates” — vendors and other third parties who had access to sensitive patient data — with the largest breach affecting 3.25 million people. According to the 2021 Cost of a Data Breach Report by IBM and Ponemon Institute, the average cost of a healthcare breach was $9.23 million, more than twice the $4.24 million average for all industries.
Threat actors view healthcare organizations as attractive targets for at least three reasons:
- Healthcare organizations have an extensive and often unprotected attack surface. In addition to attack vectors common to all enterprises, healthcare organizations deal with a wide range of connected medical devices (Internet of Medical Things, IoMT), the use of personal devices (BYOD) at healthcare facilities that may lack adequate endpoint security, and numerous third parties with access to sensitive patient data and critical assets in hospital settings. Further, the proliferation of home working and virtual doctor’s visits (telehealth) prompted by COVID-19, together with supporting IT infrastructure that was rolled out rapidly but not always secured properly, has created even more opportunities for attackers.
- PHI data has high value on the black market. These records are rich in personal information that can be used for identity theft, healthcare insurance fraud and other malicious activities, so each medical record can fetch hundreds of dollars on the black market, far more than a stolen credit card number, for example.
- Breaches cause material damage (hence, victims’ greater willingness to pay attackers to free themselves from ransomware). Disruption in the work of healthcare facilities and inaccessibility of patient data that may be required to perform critical procedures can, literally, cost lives. Plus, privacy regulations like HIPAA impose massive fines for PHI disclosure. Penalties for HIPAA violations related to “privacy, security, breach notification and electronic health care transactions” can reach $1.81 million per calendar year.
Types of Attacks
According to HHS Office of Information Security’s “2020: A Retrospective Look at Healthcare Cybersecurity,” ransomware attacks accounted for almost 50% of all healthcare data breaches. In 2021, ransomware payments extorted from healthcare organizations averaged $910,335, per BakerHostetler’s 2021 Data Security Incident Response Report.
With respect to specific attack types, the 2021 Verizon Data Breach Investigations Report states that 86% of the healthcare breaches it covered were caused by:
- Errors (including mis-delivery)
- Web application attacks
- System intrusions, including those involving credential theft
Cybersecurity Strategies and Regulations
To help healthcare organizations safeguard critical assets and data, government and industry bodies have published compliance mandates and recommendation frameworks, such as:
- General security and privacy:
  - HHS and Healthcare and Public Sector Coordinating Councils’ “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” provides a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to help healthcare organizations reduce cyber risk.
  - The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information (ePHI). The Security Rule mandates compliance with administrative, physical and technical safeguards to ensure ePHI’s confidentiality, integrity and security, including, among others, access control.
  - NIST’s “HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework” maps HIPAA Security Rule standards and implementation specifications to applicable NIST Cybersecurity Framework sub-categories.
- Protection from ransomware:
  - HHS’s “Ransomware Fact Sheet” offers specific guidance for protection against ransomware and recovery — specifically in the context of HIPAA notification rules.
  - CISA’s alert (AA21-131A) “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks” provides mitigation recommendations to reduce ransomware risks, including:
    - Requiring multi-factor authentication for remote access
    - Enabling strong spam filters to prevent phishing emails from reaching end users
    - Implementing a user training program and simulated spear phishing attacks
    - Filtering network traffic
    - Updating software, including operating systems, applications and firmware
    - Limiting access to resources over networks, especially by restricting RDP
    - Setting antivirus or antimalware programs to conduct regular scans
    - Ensuring user and process accounts are limited through account use policies, user account control and privileged account management
    - Preventing unauthorized execution by:
      - Implementing application allowlisting and Software Restriction Policies (SRPs)
      - Disabling macros in Microsoft Office attachments
    - Monitoring or blocking inbound connections from anonymization services (Tor) and post-exploitation tools (Cobalt Strike).
The Importance of Protecting Data with Access, Credential Management and Privilege Controls
All healthcare cybersecurity frameworks and regulations place great importance on safeguarding access. For example, the NIST Cybersecurity Framework includes Access Control (PR.AC) and Protective Technology (PR.PT) in its “Protect” pillar. NIST prescribes that “access to assets and associated facilities” must be “limited to authorized users, processes, or devices, and to authorized activities and transactions.” This includes the following requirements specific to digital access:
- AC-1: Identities and credentials are managed for authorized devices and users.
- AC-3: Remote access is managed.
- AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
- PT-3: Incorporate the principle of least functionality by configuring systems to provide only essential capabilities. This is critical to limiting the attack surface and enforcing the least privilege principle.
Protecting access is foundational to implementing a Zero Trust model and the overall defense-in-depth strategy. Accordingly, 59% of health system CIOs surveyed by Black Book Market Research for their 2020 State of the Healthcare Industry Cybersecurity Report are shifting security strategies to address user authentication and access.
Some examples of specific measures to safeguard access and privilege include the following:
- Implementing adaptive multi-factor authentication and single sign-on to prevent incidents resulting from credential compromise
- Protecting access to privileged accounts to foil takeover attempts and prevent breaches
- Ensuring user and process accounts are limited through account use policies, user account control and privileged account management
- Combining the following approaches to block unpermitted application access to sensitive data to prevent ransomware encryption:
  - Application allowlisting to only allow programs explicitly permitted by security policy to execute
  - Prohibiting applications (other than those specified by policy) from accessing sensitive data, even if they are allowed to run
  - Removing local admin rights and enforcing least privilege on endpoints to prevent privilege escalation and restrict lateral or vertical movement
  - Cataloging software and putting in place specific execution and operation policies
  - Applying SRPs or other controls to prevent programs from executing from common ransomware locations
- Securing remote third-party access to reduce the risk of breaches arising from compromise of vendors, contractors, business partners and other external parties.
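The combined approach above (execution allowlisting, SRP-style location rules, and a separate allowlist for which programs may touch sensitive data) is easier to reason about when the layers are written out as one policy decision. The following is an added example, not code from the original article or from any vendor it mentions: a small policy evaluator in Python that applies those three layers in order to constructed endpoint events. The publisher names, executable names, the `D:\ePHI` data root and the blocked path patterns are all hypothetical policy values chosen for the demonstration; a real deployment would take them from the software catalog and the endpoint protection product in use.

```python
"""Added example: a three-layer endpoint policy evaluator.

Layer 1 - SRP-style location rule: nothing executes from user-writable
          locations commonly used by ransomware droppers, even if signed.
Layer 2 - execution allowlist: only cataloged (publisher, executable) pairs run.
Layer 3 - data-access allowlist: of the programs allowed to run, only a
          smaller set may read or write files under the ePHI root.
All policy values below are constructed for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Layer 2: (code-signing publisher, executable name), both lower-cased.
EXEC_ALLOWLIST = {
    ("ehr vendor inc.", "ehrclient.exe"),
    ("microsoft corporation", "winword.exe"),
    ("microsoft corporation", "outlook.exe"),
}

# Layer 3: the subset of allowed programs that may touch ePHI at all.
EPHI_ACCESS_ALLOWLIST = {("ehr vendor inc.", "ehrclient.exe")}

# Hypothetical location of ePHI on this endpoint.
EPHI_ROOTS = (r"D:\ePHI",)

# Layer 1: sequences of consecutive path components that SRP forbids for execution.
SRP_BLOCKED_PATTERNS = (
    ("appdata", "local", "temp"),
    ("appdata", "roaming"),
    ("downloads",),
)


@dataclass(frozen=True)
class Event:
    kind: str          # "exec" = process launch, "file" = file access by a process
    process: str       # full path of the executable
    publisher: str     # code-signing publisher reported by the OS ("" if unsigned)
    target: str = ""   # file being accessed (only meaningful for "file" events)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _parts(path: str) -> list[str]:
    """Lower-cased path components, so matching is case-insensitive like NTFS."""
    return [p.lower() for p in PureWindowsPath(path).parts]


def _identity(event: Event) -> tuple[str, str]:
    """The (publisher, executable name) pair the allowlists are keyed on."""
    return (event.publisher.lower(), PureWindowsPath(event.process).name.lower())


def srp_blocks(path: str) -> bool:
    """True if the executable sits under a location the SRP rules forbid."""
    parts = _parts(path)
    for pattern in SRP_BLOCKED_PATTERNS:
        n = len(pattern)
        if any(tuple(parts[i:i + n]) == pattern for i in range(len(parts) - n + 1)):
            return True
    return False


def is_ephi(path: str) -> bool:
    """True if the file lies under one of the ePHI roots."""
    parts = _parts(path)
    return any(parts[:len(_parts(root))] == _parts(root) for root in EPHI_ROOTS)


def evaluate(event: Event) -> Decision:
    """Apply the layers in order; the first layer that objects decides."""
    if event.kind not in ("exec", "file"):
        raise ValueError(f"unknown event kind: {event.kind}")
    if srp_blocks(event.process):
        return Decision(False, "SRP: execution from a blocked location")
    if _identity(event) not in EXEC_ALLOWLIST:
        return Decision(False, "not on the execution allowlist")
    if event.kind == "exec":
        return Decision(True, "execution permitted by policy")
    # "file": the program may run, but it still needs data-access permission.
    if is_ephi(event.target) and _identity(event) not in EPHI_ACCESS_ALLOWLIST:
        return Decision(False, "permitted to run but not permitted to access ePHI")
    return Decision(True, "file access permitted by policy")


# Constructed endpoint events for the demonstration.
SAMPLE_EVENTS = (
    Event("exec", r"C:\Program Files\EHR\ehrclient.exe", "EHR Vendor Inc."),
    Event("exec", r"C:\Users\nurse1\AppData\Local\Temp\invoice.exe", ""),
    Event("exec", r"C:\Users\nurse1\Downloads\update.exe", "EHR Vendor Inc."),
    Event("exec", r"C:\Tools\unlisted.exe", "Some Publisher"),
    Event("file", r"C:\Program Files\Microsoft Office\winword.exe",
          "Microsoft Corporation", r"C:\Users\nurse1\Documents\memo.docx"),
    Event("file", r"C:\Program Files\Microsoft Office\winword.exe",
          "Microsoft Corporation", r"D:\ePHI\records\p001.docx"),
    Event("file", r"C:\Program Files\EHR\ehrclient.exe",
          "EHR Vendor Inc.", r"D:\ePHI\records\p001.hl7"),
)


def run_sample() -> list[tuple[Event, Decision]]:
    """Evaluate every sample event and return the decisions."""
    return [(e, evaluate(e)) for e in SAMPLE_EVENTS]


def denied_count(events=SAMPLE_EVENTS) -> int:
    """How many of the given events the policy denies."""
    return sum(not evaluate(e).allowed for e in events)


if __name__ == "__main__":
    for e, d in run_sample():
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {e.kind:4} {e.process} {e.target}  ({d.reason})")
```

Two of the sample decisions illustrate why the layers are combined rather than chosen between: the signed `update.exe` run from `Downloads` is refused by the location rule before its publisher is even consulted, and Word is allowed to run and edit an ordinary memo yet is refused access to a file under the ePHI root, which is exactly the "allowed to run but not allowed to touch sensitive data" condition the list above describes. The reason string on each decision is what you would want logged so that a denial is attributable to a specific policy layer during investigation.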