By: Kelly McLendon, SVP of Compliance & Regulatory Affairs at CompliancePro Solutions
Healthcare entities are prime targets for cyber-attacks, making the frequency of data breaches in the healthcare sector a cause for concern. In the first half of 2023 alone, there were approximately 295 reported breaches, according to data from the HHS Office for Civil Rights (OCR) breach portal. Similarly, in 2022, an average of 1.94 healthcare data breaches that involved 500 or more records were reported daily.
The impact of such breaches is not only measured in the number of compromised records but also in financial terms. According to the 2023 IBM Data Breach Report, the average cost of a data breach in the healthcare industry is approximately $10.1 million, surpassing the cost in any other industry. This underscores the urgent need for robust cybersecurity measures in healthcare organizations.
To address these challenges, the Cybersecurity Act of 2015 was enacted. The Act facilitates voluntary, private-public cybersecurity sharing of threat information. It also clarifies the role of the National Cybersecurity & Communications Information Center (NCCIC) in evaluating and responding to cybersecurity threats and risks.
Within the framework of the Act, the 405(d) Program plays a crucial role. It is a collaborative effort between the healthcare industry and the federal government to enhance the cybersecurity posture of the healthcare and public health (HPH) sector. The 405(d) Task Group has developed the "Health Industry Cybersecurity Practice (HICP): Managing Threat and Protecting Patients" practices to provide relevant information about security threats affecting the healthcare sector and to further strengthen it against cyber threats.
Top 5 Cybersecurity Threats
The HICP highlights five of the major threats and their potential impact on healthcare organizations. These include:
- Social Engineering: Involves manipulating individuals into revealing sensitive information or performing actions that compromise security. Malicious actors may employ malware delivery or credential attacks to gain unauthorized access to systems. Both types of attacks can significantly compromise an organization’s security, leading to data breaches and potential harm to patients’ privacy.
- Ransomware Attacks: These attacks are growing in the digital landscape. In this situation, information system assets are locked and held hostage, demanding payment or ransom for their release. Such attacks can disrupt normal healthcare operations, hindering crucial services like electronic billing for treatment. Additionally, they may result in breaches of sensitive patient information, leading to identity theft and the permanent loss of patient records.
- Loss or Theft of Equipment or Data: This can have severe consequences for healthcare organizations. It may lead to a breach of sensitive information, compromising patient privacy and potentially resulting in identity theft. This threat underscores the importance of robust physical security measures and data encryption to safeguard critical information.
- Insider, Accidental, or Malicious Data Loss: Insiders with access to sensitive data, whether intentional or unintentional, pose a significant risk to data security. Accidental or malicious data removal from an organization can lead to breaches of sensitive information and expose patients to identity theft. Implementing stringent access controls and continuous employee training are crucial steps to mitigate this threat.
- Attacks on Network Connected Medical Devices: With the increasing integration of medical devices into networked systems, attacks against these devices have become a grave concern. Such attacks can undermine patient safety, cause delays or disruptions in treatment, and jeopardize patient well-being. Securing networked medical devices through regular updates, strong authentication mechanisms, and isolation from critical systems is imperative to protect patient health.
To address these threats, it is crucial to have continuous training and education that enables healthcare organizations and their employees to effectively recognize and respond to these risks. This will enhance overall cybersecurity measures, reinforce best practices, and protect sensitive data and patient privacy, benefiting organizations and individuals.
HICP's 10 Mitigating Practices
The 405(d) Task Group has identified 10 Cybersecurity Practices encompassing personnel training and awareness, developing and implementing new processes, acquiring and customizing new technology, and cultivating a consistent, robust, and continually updated approach to cybersecurity. These recommendations have been designed to assist healthcare organizations in mitigating security threats and bolstering their resilience against cyber challenges. They encompass:
- Email Protection Systems: Strengthen email security through configuration, education, and phishing simulations to help prevent credential theft and malware attacks.
- Endpoint Protection Systems: Implement basic security controls for endpoints, including patching, firewalls, and multi-factor authentication to combat ransomware and device-related threats.
- Access Management: Control user access through role-based access, regular reviews, and immediate de-provisioning to address various cyber threats.
- Data Protection and Loss Prevention: Establish data classification policies, handling procedures, and workforce training to help safeguard against data breaches and losses.
- Asset Management: Maintain an up-to-date inventory of IT assets and securely decommission devices to mitigate social engineering and data loss risks.
- Network Management: Segment networks, enforce physical security, and employ intrusion prevention systems to protect against ransomware and device attacks.
- Vulnerability Management: Regularly scan for vulnerabilities, perform web application scans, and prioritize remediation to address cyber threats effectively.
- Incident Response: Develop a comprehensive incident response plan, participate in information-sharing organizations, and automate incident documentation and remediation.
- Network Connected Medical Devices: Ensure secure medical device practices are documented and updated to mitigate attacks on patient safety.
- Cybersecurity Oversight and Governance: Establish cybersecurity governance, policies and procedures. Also, conduct risk analysis and cybersecurity training to address various threats comprehensively.
Healthcare organizations have a responsibility to do everything they can to safeguard patient-protected health information (PHI) and meet necessary compliance. Learn how Steri-Safe® HIPAA Compliance Solutions can help you comply with HIPAA Privacy and Security Rule obligations.
Frequently Asked Questions
Does the 405(d) Program Replace the Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule?
The 405(d) Program does not replace the requirements of the HIPAA Security Rule. Instead, it complements HIPAA by providing additional guidelines and practices that can be implemented by healthcare organizations of all sizes and resource levels. While both 405(d) and HIPAA focus on safeguarding sensitive data, there are specific areas addressed within 405(d) practices that might need to be more robust in the HIPAA framework. These include breach determination and management, education and training, auditing and monitoring, vendor management, and other HIPAA controls.
How Does Cybersecurity Oversight and Governance Function in Healthcare?
Several factors help cybersecurity oversight and governance to operate in healthcare. These include effective leadership that embraces the program, a well-designed security plan with risk-based strategies, adequate funding, knowledgeable implementation leaders, and a capable staff to aid in continuous monitoring and risk remediation. This comprehensive approach ensures the organization is proactive in safeguarding patient data, critical systems, and countering cyber threats.