Healthcare Information Technology (IT) risk and cyber events are becoming more prevalent. In the meantime, healthcare’s attack surface is expanding quickly. This is especially true as remote technologies, connected devices such as the Internet of Things (IoT), and digitization all become more commonplace industry-wide.
Of course, the pandemic only accelerated healthcare’s ongoing digitization.
Healthcare data records—unlike other Personally Identifiable Information (PII) present drastically higher monetary value for cybercriminals. A healthcare data record can sell for up to $250 on the dark web marketplace, compared to $5.40 for the next highest value record—a payment card number. Healthcare organizations are increasingly attractive to cybercriminals. And cybercriminals generally view healthcare organizations as having less robust defenses and as being more likely to pay ransom to resume operations safely.
Now more than ever, malware and ransomware are being used on a commercial scale by criminals who are highly organized, deeply skilled, and well-prepared regarding their attack strategies. Phishing and social engineering are commonplace as attack entry points, enabling breaches that exploit human vulnerability.
The good news is risks are addressable and preventable. The right tools, strategies, and training can keep patients’ and consumers’ personal data out of cybercriminals’ hands.
Here are three ways to navigate healthcare’s ongoing IT risk landscape from a place of preparedness:
1. Ensure Compliance with Regulations
Addressing complex healthcare IT data privacy and security requirements starts with a clear understanding of regulatory obligations. It is critical to ensure compliance with various regulations so that Protected Health Information (PHI) remains protected.
Four key federal regulations intended to protect data privacy are:
1. Health Insurance Portability and Accountability Act (HIPAA)—Enacted in 1996, HIPAA introduced privacy rules which govern how we treat patient data and security rules around our responsibility to protect that data. Violations of HIPAA’s privacy and security rules may lead to civil and criminal penalties. Existing regulations like HIPAA but also General Data Protection Regulation (GDPR) and state-level mandate the protection of PII and PHI.
2. Health Information Technology for Economic and Clinical Health Act (the HITECH Act)—Enacted in 2009, the HITECH ACT drives the adoption of electronic health records (EHRs) and digitization around efficiency. It also extends the concept of “covered entity” to Business Associates (BAs). Here, anyone who signs a BA now comes into the realm of being a “covered entity” and is subject to these rules. “Covered entities” under the HIPAA Privacy Rule typically include providers, health plans, healthcare clearinghouses, and by extension their third parties or “BAs” too.
3. HITECH Act Amendment—Enacted in 2021, this mandates that covered entities follow recognized security practices. It also incentivizes adoption of United States Department of Health and Human Services (HHS) and Office of Inspector General (OIG) recommended best practice IT risk frameworks. HITECH prescribes a best practice approach for an IT risk program for U.S. healthcare.
4. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)—Enacted in 2022, this law requires the Cybersecurity and Infrastructure Agency (CISA) to create and execute regulations requiring covered entities to report to CISA any covered cyber incidents and ransomware payments. Important to note is CIRCIA has been passed but is not yet in place. As the rules for CIRCIA emerge, the demands on critical infrastructure industries will increase.
2. Acknowledge Increasing Healthcare IT Risks in Healthcare Organizations
Healthcare IT incidents account for the most patient records breached and a large majority of breach events, as opposed to improper record disposal or loss.
During the COVID-19 pandemic, there has been a notably increased acceleration in the volume and severity of healthcare IT risk events. Although healthcare providers account for most of these events, BAs are increasingly experiencing them, too.
If you go back a little more than a decade, certain breach trends are noticeable. 2019 was a year with a significant uptick across the board—primarily tied to pandemic stress and increased activities of commercial-grade ransomware where groups were highly organized and productized. Here, criminals and other actors work to harm organizations, targeting providers and the BAs they rely on.
Breach Trends: HHS Office for Civil Rights Reported Breaches Reveal the Challenge
In addition to the finalized data, it is worthwhile to also consider the trends visible in the backlog of open cases. This indicates ongoing heightened risk. In fact, over 75 million records have been breached under current investigations, the overwhelming majority of which were caused by a hacking/IT incident.
Once this open backlog closes, 2021 and 2022 will show continued significant increases over the upwards of 35 million records and 661 events in 2020.
Phishing attacks like an email inviting you to click a link and social engineering are becoming much more pervasive methods cybercriminals use to access systems to install ransomware or exfiltrate data.
However, because not all organizations have robust resources in place, many backdoor vulnerabilities remain unpatched, open and exploitable due to programs not being as up-to-date as they should be.
During the first two months of 2023, events with breaches involving over 500 reported records impacted 5.3 million patients across 56 events. IT incidents are the cause of most of these incidents. Across these 56 events, mostly providers were affected. However, BA impacts still account for 35 percent of breached records and are steadily increasing.
3. Use Technology to Spark Thoughtful Implementation
Multiple frameworks—such as the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Health Information Trust Alliance (HITRUST) exist to recognize and control risks. However, careful implementation of these frameworks is required to execute them effectively and efficiently.
IT risk programs, third-party risk management, employee training, the right policies, and a controlled assessment process are equally critical, as is driving a culture of risk awareness where protection is on everyone’s mind—not just the Chief Information Security Officer’s (CISO).
When working to achieve your healthcare IT goals, technology solutions versus manual processes are essential.
IT risk management software designed to meet HHS/OIG best practices can drive risk identification and control mapping. It can also provide NIST and other frameworks with the workflow, assessments, and automation to implement them.
Dedicated risk management can help do this. Ideally, a single platform for IT risk can also extend capabilities to third parties and management of risk, policies, and attestations to policies in a completely integrated manner.
A single platform for IT Risk will also help drive many benefits such as managing BA and third-party risk, contracts, and assessments, ingesting external sources of potential breach warnings, and providing executive-level dashboards and reports.
Additionally, other technology solutions can help harden endpoints and attack surfaces and protect sensitive data. As new rules and guidelines come out, technology also allows you to identify where gaps exist, harden endpoints, and identify new vulnerabilities.
With healthcare’s attack surface becoming larger and more attractive to cyber attackers, the time is now to implement smart steps to ensure your organization remains protected. And that if a breach hits, you know exactly what to do next.
For more information on how SAI360’s modular SaaS solutions can drive efficiency, efficacy, and agility in your workplace, visit https://www.sai360.com/industries/healthcare-health-insurance.