Navigating the complexities of healthcare cybersecurity


With cyberattacks skyrocketing at an alarming rate, healthcare organizations are scrambling to implement effective measures to prevent these threats. According to the U.S. Department of Health and Human Services, over the past four years, healthcare data breaches have increased by 239% and ransomware attacks increased by 278%. IBM’s 2023 Cost of Data Breach Study revealed that in 2023 alone, over 88 million individuals were affected by security breaches, underscoring the urgent need for robust cybersecurity measures.

Despite the clear and present danger, the healthcare industry continues to struggle with implementing effective cybersecurity practices. Whether it was the Tricare data breach in 2011, Shields Healthcare in 2022 or most recently United Healthcare, these high-profile attacks have caused significant disruption, financial deficits and a loss of trust among the patients whose personal information was accessed. Healthcare is a critical part of everyday life, so why have organizations been slow to adopt better solutions?

The answer may seem simple, but it is quite complex. Healthcare is a highly regulated industry with slim operating margins. The cost of just one breach is nearly $11 million according to IBM’s 2023 Cost of A Data Breach Study. Thus, organizations are taking a methodical approach to implementing security frameworks by establishing a dedicated Chief Information Security Officer (CISO), internal team and consulting partner as a foundational layer. From there, fundamental cybersecurity practices like vigilant patch management, mitigation of software supply chain risks, deployment of antivirus solutions, and ongoing employee training are built into the framework.

Rajan Kohli

CEO of CitiusTech.

Key steps for healthcare enterprise security

Even with a dedicated security team and framework in place, healthcare organizations face challenges due to stringent regulatory compliance guidelines, the sensitive nature of patient data, a complex, interdependent ecosystem of providers, cloud and AI technology adoption and more. Organizations can act on five imperatives to reduce the risk of a cyberattack.

1. Locking down the cloud

With more data being stored off-premises, it is essential that healthcare IT teams follow regulatory requirements in creating a security control framework that outlines how data is sent to the cloud, the encryption format and who has access to it. While cloud service providers may provide security measures for keeping data secure, integrating further controls is essential. This can be done by automating security in DevSecOps or through controls for multi-cloud scenarios in case of a failure or attack. Physical security at the data center location is equally important, as HCA Healthcare discovered: in 2023, a theft at an external storage location leaked over 11 million records containing patient contact information and upcoming appointment dates.

Organizations must prioritize the formulation of comprehensive data retention strategies and contingency plans. It is vital to conduct comprehensive security reviews of the architecture of their cloud-deployed and publicly exposed applications. Resilient cloud-based solutions tailored to counter ransomware attacks and restore normal operations swiftly safeguard both operations and the interests of patients.

2. Eliminating unpatched device risk

A healthcare system consists of multiple devices, from laptops to MRIs to patient monitors. An IT team is responsible for protecting each of these endpoints as well as the various software programs for electronic medical records and insurance payment systems. This equates to thousands, if not millions, of points of entry an attacker could target. Updating legacy systems and pinpointing unpatched, aging vulnerabilities must be one of the first steps. Teams can create a close-ended governance program for finding and fixing these areas, prioritized by level of risk.

When security practices and programs are not updated, disastrous ransomware attacks result, as seen earlier in 2024 with Change Healthcare. According to testimony before Congress, the attack, which leaked thousands of patient records, was due to the lack of multifactor authentication (MFA) on particular servers, a vulnerability that could have been detected.

3. Stopping malicious inside threats

Implementing enhanced security operations that are based on the principles of zero trust, such as segmentation, identity and behavior, will prevent threats coming from inside the network.

It also proactively stops any threats that have breached the initial edge of defenses. These threats can also come in the form of partnerships with third-party vendors. The Department of Health and Human Services Health Sector Cybersecurity Coordination Center has alerted organizations about a vulnerability in the file transfer program MOVEit. Russian cyberattackers targeted this platform in 2023, and millions of records were exposed. CISOs must ensure each vendor has passed HIPAA audits and earned the HITRUST certification before implementing any services.

4. Ensuring regulatory compliance

There are several regulations and compliance points that a healthcare organization must follow regarding patient data. With each country having different regulations, it is a challenge to keep abreast of it all. Additionally, as new devices, software or digital transformation projects occur, these will introduce a new set of risks. Working with a healthcare consulting partner who can monitor for risks and regulatory changes can help to keep the security framework tight.

For instance, Kaiser Permanente announced a data breach in April 2024 that impacted over 13 million Americans. While not considered a typical breach, patient data was shared with third-party advertisers due to an incorrect tracking code that tracked website use and navigation. Consulting partners can help CISOs better monitor and audit IT systems to uncover these issues.

5. Adopting new technologies

GenAI is the newest technology that every organization is scrambling to incorporate into their technology stack. Previously, companies took their time in the adoption of new technologies, but GenAI’s popularity is driving faster implementations without full consideration.

In healthcare, AI usage is both a risk and a benefit. On the plus side, it enhances the cybersecurity framework, proactively monitoring and flagging issues. Repetitive tasks can be automated, freeing up the CISO and security team to handle other tasks to strengthen the cybersecurity framework. However, it must be said that AI also brings risk to an organization. Hackers use AI to refine phishing scams, generate more sophisticated attacks and create deep fake threats. When selecting GenAI solutions, it is best to choose those that monitor quality and trust as well as being built specifically for the healthcare industry.

Additionally, if an employee uses AI tools that are not approved by the security team, it opens the organization up to further risk. This shadow IT problem, usually coupled with poor employee adherence to IT governance controls, layers in another threat surface that CISOs and their teams find difficult to pinpoint. CISOs must create a culture of security amongst all employees. Those organizations that invest in comprehensive security training platforms are seeing significant value as employees become the first line of defense.

How one organization prevented threats

A leading oncology treatment technology provider implemented a cybersecurity framework using these key steps to thwart attacks. This organization required that various radiation clinics use its proprietary system. Rather than sending staff to each location, the provider utilized a cloud-based solution to protect against vulnerabilities throughout the software’s lifecycle. Using insights from threat modeling and prior cyber risk assessments, the team understood where it needed to build a stronger security infrastructure.

The provider worked with partners to architect and build a centralized treatment planning solution which incorporated a robust security testing framework including static tests and assessments of third-party libraries. The data analytics determined how to assign severity threat levels and vulnerability mitigation paths. As a result, the oncology technology provider has mitigated over 100 security vulnerabilities, scanned 1.5 million lines of code and detected – and rebuffed – over 250 cybersecurity threats. The implementation of the security framework consisting of the five key elements successfully secured this infrastructure.

Safety in the connected world

Technology has transformed healthcare. Gone are the days of paper records and notes. Everything is online, automated and, unfortunately, vulnerable to security risks. When healthcare CISOs, teams and consulting partners work together, a tighter security framework is put in place that decreases the overall cybersecurity risk. By taking these key steps, healthcare organizations can minimize attack surfaces. The result: A healthcare organization that can provide patients with the right treatment in a timely manner without hiccups or shutdowns.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
