From casual technology users to CIOs, most people know that data security is a big issue. For many years, we have all been warned – whether through company memos or external news media – to create stronger passwords, stay on guard against phishing and malware, and (for those in the IT field) to fortify our networks with stronger security protocols.
Yet the cyber-attacks keep coming, and they’re often successful. Another high-profile incident in the healthcare industry occurred in February 2024, when one of the country’s largest clearinghouses for medical claims and payments was breached and taken offline. While the system was down, severe disruptions rippled through the American healthcare system: claims stagnated, providers faced cash shortages, and millions of consumers may have had their personal information leaked onto the dark web.
This major incident was just one example of the daily attacks that plague the public and private sectors, and the healthcare industry in particular. In 2023, 725 healthcare data breaches were reported to the U.S. Department of Health and Human Services, which tracks incidents affecting 500 or more individuals. The constant threat of data breaches and the industry’s (often failed) attempts to deal with them contribute to higher costs and inefficiencies in the U.S. healthcare system.
Healthcare faces a massive challenge
When it comes to data security, the healthcare sector faces an even more difficult challenge than most other industries. That’s because, in the eyes of cyber-criminals, healthcare organizations are a treasure trove of secrets, including patients’ names and addresses, medical records, financial data, Social Security numbers and more. At the same time, attackers know that the critical nature of many healthcare services (which must remain up and running 24/7) makes their victims more likely to give in to demands such as paying a ransom.
Criminals rely on a range of tried-and-true methods to infiltrate company networks. These include, among others, brute-force and password-spraying attacks against login pages, posing as a coworker through a spoofed email account, and phishing emails that dupe unsuspecting victims into sharing login information or installing malware. Unfortunately, as more corporate employees have learned to recognize these tactics, attackers’ methods have grown more sophisticated. Unlike the familiar (and obvious) scam emails riddled with poor spelling and grammar, today’s scams, some of which use generative AI and voice-cloning tools, can be convincing even to trained eyes and ears. Generative models can now produce “deepfakes” of a person’s voice, and even live interactive video, that are difficult to distinguish from the genuine article; a request that arrives this way should be verified through a separate, known-good channel before anyone acts on it.
When attackers succeed, the costs can be devastating. The breached organization may lose revenue during the business disruption, need to hire outside security experts to contain and investigate the incident, and suffer longer-term reputational damage when customers learn of the breach. According to the IBM 2023 Cost of a Data Breach Report, the average global cost of a data breach was $4.45M, and the average in the United States was even higher at $9.48M.
As a whole, the healthcare industry has worked hard to counteract these threats, ensuring compliance with the HIPAA Security Rule and with attestation frameworks such as SOC 2.
Nevertheless, many of today’s security tools are flawed, best practices remain open to interpretation, and rarely are robust defenses implemented consistently across every access point. Given the constant barrage of attacks that continue to compromise consumers’ private information every day, there’s clearly much more work to do.
Near-term: What companies can and should do now
While nearly every company employs some form of data security, the strength of their defenses can vary widely depending on budgets and in-house expertise. Regardless, there are certain security measures that no healthcare company can afford to forgo. For example:
- Use multi-factor authentication (MFA) across the organization, in every application and on every remote-access path, without exception. A username and password alone can no longer be considered secure; in fact, the absence of MFA on a remote-access system was identified as the weakness attackers exploited in February’s massive clearinghouse breach. Not all second factors are equal: one-time codes sent by SMS and simple push approvals can be phished or fatigued into approval, so prefer authenticator apps and, for administrators and remote access, phishing-resistant hardware keys.
- Practice vulnerability management. IT and security personnel should conduct proactive monitoring and testing to identify weak spots before attackers do. This includes running industry-standard vulnerability scanners against both internet-facing and internal systems, prioritizing findings by severity and exploitability, and remediating them as quickly as possible within strict service-level agreements (SLAs), for example days rather than months for critical findings on internet-facing systems.
- Invest in security-related professional development and training. This includes advanced training and certifications for IT personnel, as well as general security education requirements for all employees. Support the program with executive-level communications to ingrain cyber-security behaviors into the company culture.
- Require vendors and partners to adhere to the same high security standards as your company. Especially where network connections exist between two organizations, the IT and security teams on both sides should coordinate to confirm that controls are in place and that the connection is limited to the systems and ports the partnership actually requires.
- Develop a robust response plan. Even the best security measures can’t guarantee complete protection, so it’s best to be prepared in the event of a breach. The playbook should name the incident response team and its leaders, and set out steps to contain the intrusion, minimize data loss, analyze and eradicate malware, and communicate with stakeholders, regulators and affected patients as required. Rehearse it with tabletop exercises so that the first test of the plan is not a live incident.
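The one-time codes that authenticator-app MFA relies on are not magic; they are a keyed hash of the current 30-second time step, and the server-side check is where replay and brute-force resistance actually come from. The following is an added example, not code from the original article or from any MFA product: a standard-library Python implementation of RFC 6238 TOTP verification that tolerates one step of clock drift, rejects a code once it has been accepted, and compares in constant time. The base32 secret is the RFC 6238 reference-vector secret ("12345678901234567890"), chosen so the codes can be checked against the RFC; a real deployment generates a random per-user secret at enrollment.

```python
"""Server-side verification of RFC 6238 one-time codes (added example)."""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code, the authenticator-app default
DIGITS = 6       # code length shown to the user


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret that an enrollment QR code carries."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Checks codes, tolerating small clock drift and refusing replays."""

    def __init__(self, window: int = 1):
        self.secrets: dict[str, bytes] = {}      # user -> shared secret
        self.last_counter: dict[str, int] = {}   # user -> highest time step already accepted
        self.window = window                     # steps of drift accepted on either side

    def enroll(self, user: str, base32_secret: str) -> None:
        self.secrets[user] = secret_from_base32(base32_secret)

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None or not (code.isdigit() and len(code) == DIGITS):
            return False
        current = unix_time // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # A code from a time step at or before the last accepted one is a replay.
            if counter <= self.last_counter.get(user, -1):
                continue
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter
                return True
        return False


# RFC 6238 Appendix B test secret, base32-encoded (demo value, not a real secret).
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo() -> list[bool]:
    """Four checks at one fixed instant: drifted code, current code, replay, guess."""
    v = TotpVerifier(window=1)
    v.enroll("jdoe", RFC_TEST_SECRET_B32)
    t = 1111111111                                   # fixed instant, so the run is reproducible
    secret = v.secrets["jdoe"]
    return [
        v.verify("jdoe", totp(secret, t - 2), t),    # previous step, inside the drift window
        v.verify("jdoe", totp(secret, t), t),        # current step
        v.verify("jdoe", totp(secret, t), t),        # same code again: rejected as a replay
        v.verify("jdoe", "000000", t),               # a guessed code
    ]


if __name__ == "__main__":
    print(demo())  # [True, True, False, False]
```

Two points the code makes that a checklist item cannot: the secret is the entire security of the scheme, so it must be stored as carefully as a password hash would be, and the per-user `last_counter` is what turns a 30-second code into a single-use one. Rate limiting of failed attempts (not shown) is still required, since six digits give an attacker a one-in-a-million chance per guess.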
Longer-term: Advancements we should all pursue
Just as companies continue to fortify their networks, cyber-criminals are forever inventing new ways to break into corporate networks. After all, hackers are security specialists themselves; they simply work for the “bad guys.” To have a real chance of preventing breaches, healthcare organizations must make security a top priority, going beyond mere lip service and regulatory compliance to achieve the highest level of security they can. Here are our recommendations:
- Adopt the HITRUST Common Security Framework (CSF), maintained by the Health Information Trust Alliance, which is far more prescriptive than HIPAA or SOC 2. Organizations should work toward HITRUST certification for all of their systems and facilities, and also ensure they have implemented and tested any other security frameworks required by their contracts and applicable regulations.
- Implement “zero trust” principles in your environment. Every application should authenticate and authorize every session on the basis of the user’s identity and device, no matter where on the network the request originates; being inside the corporate network should confer no trust by itself. Combined with network segmentation, this limits how far an intruder who has compromised one system or account can move, and so limits the impact of any breach.
- Consider redundancy in vendor/partner agreements. Many companies rely on a single provider for various IT services, which can be a recipe for disaster if the vendor’s security is compromised. Healthcare organizations should explore backup agreements to ensure critical services can be quickly shifted to an alternate provider in an emergency, with little-to-no disruption in operations.
- Embrace emerging security technologies. The faster the healthcare industry can move away from traditional login credentials, the better. Passwordless sign-in built on FIDO2/WebAuthn passkeys, where a biometric (fingerprint or facial recognition) or a PIN unlocks a cryptographic key held on the user’s device and the biometric itself never leaves that device, is phishing-resistant in a way that passwords, and even one-time token codes, are not. While these technologies have received more attention in recent years, they have yet to achieve widespread adoption in the healthcare industry. The good news is that, once in place, passwordless systems can make logging in quicker and easier for users, not more cumbersome.
- Go deeper with your layered security approach and leverage AI-enabled XDR platforms that learn what normal activity looks like for each user and system and flag departures from it: a login from a country the user has never signed in from, two logins minutes apart from places no traveler could cover in that time, access at hours the user never works, or a type or volume of network traffic that is unusual. These alerts still need human triage and tuning; a baseline that is too tight buries analysts in false positives.
- Make security part of the budgeting process to ensure it is properly funded. It cannot be an afterthought. Executives must face the fact that cyber-attacks are not rare occurrences – they are all but inevitable – and being sufficiently prepared is absolutely worth the cost.
- Establish partnerships with expert security service vendors. Even the largest companies can’t do everything alone. Partners with specialized security expertise and an objective viewpoint can provide invaluable support in assessing risks, testing security controls, establishing policies and procedures, and even mitigating security incidents.
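To make the behavioral-detection idea concrete, here is an added example that is not code from the original article and not any vendor’s XDR logic: a small Python baseline-and-anomaly detector run over constructed sign-in logs. It learns each user’s usual countries and sign-in hours from a history window, then scores live events for an unseen country, an unusual hour, and “impossible travel” (two sign-ins whose distance and time gap imply a speed no traveler could reach). Timestamps are UTC, and each line is assumed to already carry the country and coordinates resolved from its source address by an upstream geolocation step.

```python
"""Baseline-and-anomaly detection over sign-in logs (added example)."""
import csv
import io
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900   # roughly airliner speed; faster than this means two places at once
HOUR_TOLERANCE = 1        # a sign-in within one hour of a usual hour still counts as normal

# Constructed history used to learn each user's normal countries and hours (UTC).
BASELINE_LOGS = """ts,user,country,lat,lon
2024-03-04T08:02:11Z,jdoe,US,42.36,-71.06
2024-03-04T12:15:40Z,jdoe,US,42.36,-71.06
2024-03-04T17:30:05Z,jdoe,US,42.36,-71.06
2024-03-05T08:10:52Z,jdoe,US,42.36,-71.06
2024-03-05T17:05:19Z,jdoe,US,42.36,-71.06
2024-03-04T09:00:33Z,asmith,US,41.88,-87.63
2024-03-04T13:20:47Z,asmith,US,41.88,-87.63
2024-03-05T09:12:08Z,asmith,US,41.88,-87.63
"""

# Constructed live events to score against that baseline.
LIVE_LOGS = """ts,user,country,lat,lon
2024-03-07T09:05:00Z,jdoe,US,42.36,-71.06
2024-03-07T09:45:00Z,jdoe,DE,50.11,8.68
2024-03-08T03:00:00Z,asmith,US,41.88,-87.63
"""


def parse_logs(text: str) -> list:
    """Parse CSV sign-in lines into dicts, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["ts"].replace("Z", "+00:00")),
            "user": row["user"],
            "country": row["country"],
            "lat": float(row["lat"]),
            "lon": float(row["lon"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))


def build_baseline(events) -> dict:
    """Per-user profile: countries seen and hours of day (UTC) at which they sign in."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        baseline[e["user"]]["countries"].add(e["country"])
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def detect(events, baseline) -> list:
    """Return (timestamp, user, reasons) for each event that departs from the baseline."""
    alerts = []
    last_seen = {}   # user -> previous event in this stream, for the travel check
    for e in events:
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None or e["country"] not in profile["countries"]:
            reasons.append(f"new_country:{e['country']}")
        # Hour check does not wrap around midnight (23 vs 0); fine for a demo, tune for production.
        if profile and not any(abs(e["ts"].hour - h) <= HOUR_TOLERANCE for h in profile["hours"]):
            reasons.append(f"unusual_hour:{e['ts'].hour:02d}")
        prev = last_seen.get(e["user"])
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append(f"impossible_travel:{km:.0f}km_in_{hours:.1f}h")
        last_seen[e["user"]] = e
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


def run() -> list:
    """Score the live events against the profile learned from the history."""
    return detect(parse_logs(LIVE_LOGS), build_baseline(parse_logs(BASELINE_LOGS)))


if __name__ == "__main__":
    for ts, user, reasons in run():
        print(ts, user, ", ".join(reasons))
```

On the constructed data, jdoe’s second sign-in is flagged twice (a country never seen before, and about 5,900 km covered in 40 minutes), while asmith’s 03:00 sign-in is flagged only for the hour. The tolerance constants are where the tuning the bullet above mentions happens: widen them and quiet users stop generating noise, narrow them and you catch more but page analysts more often. A production system would also treat VPN egress points and shared NAT addresses specially, since those make honest users look like they teleport.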
The alarm bells have been sounding for years, and it’s time every company, especially those in the healthcare industry, gave cyber-security the urgent attention it deserves. To reduce the frequency of data breaches, security can’t be a go-it-alone proposition; it’s a shared responsibility requiring collaboration among all the stakeholders involved. That means companies must be willing to collaborate with each other on security protocols, educate all employees and engage them in a security culture, and help consumers understand how new security measures and behaviors benefit them. Equally important, we must dispense with the outdated mindset that heightened cyber-security creates a draconian burden for technology users. It’s quite the opposite. By finally getting security right, we can make significant progress toward a more efficient and lower-cost healthcare system for all.