Healthcare IT & Cybersecurity
Health care organizations continually face evolving cyberthreats that can put patient safety at risk. Health cybersecurity is not just an IT issue; it encompasses every level of healthcare, from the CEO to clinicians. It is not simply about protecting information; it is about patient safety. It is therefore critical to treat cybersecurity as a matter of patient safety, enterprise risk, and strategic priority, and to build it into the hospital’s existing enterprise risk management, governance, and business continuity framework.
Why Health Care Gets Hit More
Health care organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors. The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation.
Stolen health records may sell for up to 10 times more than stolen credit card numbers on the dark web. Unfortunately, the bad news does not stop there for health care organizations: the cost to remediate a breach in health care is almost three times that of other industries, averaging $408 per stolen health care record versus $148 per stolen non-health record. Hence, healthcare IT admins always need to stay on top of implementing proper cybersecurity mechanisms.
IBM Study – Hidden Figures – (Cost of Breach)
Mega breaches are classified as those involving more than 1 million records. In the past five years, the number of breaches in this category has doubled, from just nine mega breaches in 2013 to 16 mega breaches in 2017.
What we learned includes:
- The average cost of mega breaches is nearly $40 million
- The estimated total cost of a mega breach is $350 million
- Most of these breaches originated from malicious and criminal attacks
- The time required to detect and contain a mega breach was 365 days
The largest expense associated with mega breaches is for lost business, estimated at nearly $118 million.
Cyberattacks Threaten Patient Privacy And More
Cyberattacks on electronic health records and other systems also risk patient privacy because hackers access PHI and additional sensitive information. By failing to keep patient records private, your organization could face substantial penalties under HIPAA’s Privacy and Security Rules, as well as potential harm to its reputation within your community.
Patient safety and care are also jeopardized. Losing access to medical records and lifesaving medical devices, such as when ransomware holds them hostage, will impair your ability to care for your patients effectively.
WannaCry Ransomware Attack
Patient outcomes were threatened when Britain’s National Health Service was hit as part of the May 2017 “WannaCry” ransomware attack on computer systems in 150 countries, resulting in ambulances being diverted and surgeries being canceled. As I told Congress in July 2021,
“The impact of WannaCry on American hospitals and health systems was far less serious, which speaks to the tremendous efforts the field has made to improve cybersecurity and build incident-response capabilities.”
Healthcare Cybersecurity Needs to Step Up
In 2017, the Health Care Industry Cybersecurity (HCIC) Task Force established by HHS issued a report to Congress in which they claimed that healthcare cybersecurity is in critical condition. Since the onset of the COVID-19 pandemic, the rate of ransomware attacks has soared across all industries, and healthcare has been the disproportionate target of such attacks.
2020 HIMSS Cybersecurity Survey
The 2020 HIMSS Cybersecurity Survey revealed that 70% of hospitals surveyed had experienced a “significant security incident” within the past twelve months, including phishing and ransomware attacks that resulted in the following:
- Disruption of IT operations (28%)
- Disruption of business functions (25%)
- Data breaches (21%)
- Financial losses (20%)
Healthcare organizations are an inviting target for financially motivated threat actors because their broad attack surfaces make it easy for cybercriminals to find vulnerabilities and monetize their exploits.
HITECH Act (2009)
The passage of the HITECH Act in 2009 incentivized investments in healthcare IT to modernize the U.S. healthcare system, leading to unprecedented connectivity and an expansion in the usage of medical devices. Today, Electronic Health Record systems are the heart of the healthcare organization, connecting medical devices with other applications to provide a more holistic picture of patient well-being.
Additionally, the U.S. boasts an average of 10 to 15 networked medical devices per hospital bed, meaning large healthcare organizations face the herculean task of securing tens of thousands of medical devices, many of which are quite easy to hack. The digitization of healthcare infrastructure catalyzed major advancements in inpatient care but also created major opportunities for attack.
Ten Must-Dos for Healthcare IT Admins
Here are ten things healthcare IT admins should do consistently to decrease the likelihood of a cyberattack:
- Establish a security culture
- Protect mobile devices
- Teach team members good computer habits
- Use a firewall
- Install and maintain anti-virus software
- Institute a regular and consistent backup/data recovery process
- Control access to protected health information
- Use strong passwords and change them regularly
- Limit network access
- Control physical access
Covid and Cyber-Security – Risks for Healthcare
Healthcare organizations are major targets for cybercriminals, a threat that increased during the global COVID-19 pandemic and continues to be a challenge. Cybersecurity often takes a backseat to patient care as organizations pivot to deal with the pandemic. Cybercriminals capitalize on this reality and use phishing campaigns, ransomware, and other targeted attacks while healthcare is at its most vulnerable.
Tools to Ensure Cybersecurity for Healthcare IT Admins
GroupID
Controlling access to resources by groups and users is one fundamental way of ensuring that cyberattacks, if they happen, have limited scope. GroupID has led the charge in managing Active Directory, Azure AD, and Microsoft 365 environments for healthcare IT systems for over 20 years.
Keeping clinicians and the business side happy and productive shouldn’t be hard. Automating changes, delegating ownership down to the business owner, and applying best practices such as lifecycle management for groups, group memberships, and access control lists all become easy.
With GroupID, when it comes to Managing Groups, Users, and Entitlements, you get:
- Enforced Group Attestation
- Seamless Group Lifecycle
- Streamlined Group-naming Policies
- Efficient Permissions Management
- Smart User Provisioning
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.