The global COVID-19 pandemic has had far-reaching implications for the healthcare industry that are still only beginning to be felt. Individual hospital systems faced unprecedented stresses when surges in virus activity increased demand for emergency care and intensive care unit (ICU) beds. At the same time, hospitals were forced to cancel revenue-generating elective procedures. Meanwhile, the rapid adoption of telehealth platforms and other digital technologies tested patients’ and providers’ ability to navigate change. In many ways, the pandemic has served as a forcing function, propelling the entire industry towards new care delivery and reimbursement models.
Change that’s this sweeping doesn’t usually take place without discomfort. Along with the rapid evolution of the technical landscape in healthcare came a wave of heightened cybercriminal activity. Ransomware operators took advantage of hospitals’ pressing need for uptime during the pandemic’s chaotic early days to launch a wave of attacks specifically targeting organizations on the front lines of the fight against the virus. And data breach costs in healthcare soared to an all-time high of $9.23 million per incident, making them more expensive — by far — than in any other industry.
The healthcare industry’s current cybersecurity challenges are impacted by general IT trends and industry-specific factors alike. As in many other sectors, the rapid (and often overly hasty) adoption of remote work has increased the likelihood of human error and misconfigurations. The suddenness of the shift often meant that new security tools were deployed without sustainable plans for ongoing administration and maintenance. And the global cybersecurity skills shortage is impacting healthcare alongside many other industries.
High-Value Data Creates Unique Cybersecurity Risks
For criminals, Protected Health Information (PHI) is among the most valuable types of data. When put up for sale on the black market, a single patient record can fetch upwards of $1,000 (depending on how complete it is). That is more than 50 times what a credit or debit card number sells for.
In addition, today’s ransomware operators are well aware that uptime is mission-critical for healthcare organizations, and there will always be an incentive to pay if the quality of patient care — or human lives — is at stake in the aftermath of an attack. Hospitals were early targets for ransomware attacks, and it’s known among criminals that they have sometimes paid up.
Supply chain-based attacks on medical devices and hospital IT systems also have the potential to cause enormous harm. In the industry’s current business climate, payers, providers and pharmaceutical companies are increasingly open to outsourcing. As each of these organizations works with more vendors, they’re exchanging increasing amounts of data, granting more access to internal applications, and often relinquishing visibility and control.
Growing Need for Interoperability Amplifies Challenges
The trend towards patient-centric healthcare solutions will almost certainly demand the creation of more partnerships, and along with this, additional data exchange. Innovative solutions like hospital-at-home services, whose popularity exploded during the pandemic, require the delivery of supplies as well as the coordination of care and visit schedules. So do new clinical trial models that involve remote monitoring and mailing drugs directly to the patient rather than administering therapeutics onsite. Healthcare organizations generally don’t have the necessary shipping and logistics expertise in-house to be able to benefit from such innovative new business models without bringing in partners. Building out these vendor relationships inevitably involves the exchange of sensitive data including PHI.
Healthcare organizations now play an ever-growing role in a complex data exchange ecosystem, which inherently increases cyber risk. New regulations like the Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access Final Rule mandate that healthcare providers and payers make patient data accessible to third-party application developers through the use of standardized data formats and APIs. This further expands the scope of information flows, and thus, the size of the attack surface. And the adoption of remote patient monitoring (RPM) and wearable technologies means that patient data is now moving in multiple directions at once.
First and Foremost, Ensure Good Governance
Having moved from paper charts to electronic medical records (EMR) to cloud data platforms, the healthcare industry has been in a state of ongoing transformation for quite some time. The events of 2020 and 2021 have only accelerated the pace of change and increased its centrality to clinical workflows.
Given that so many new initiatives are likely to be in flight within healthcare organizations in the coming months and years, exercising good governance from each project’s outset is of the utmost importance. Security practitioners need to understand how to build data protection into each novel business and clinical process from the very start.
It’s critical to secure data and applications across entire end-to-end processes, which requires in-depth knowledge of how the organization operates, what its goals are, and how it seeks to improve the quality of patient care. Each time a new initiative is started, security should be built in from the ground up. This means defining policies and security requirements carefully and implementing the proper controls. It also means ensuring that connected devices – including those used for patient care – are designed with security in mind.
The healthcare industry will continue to be dynamic. As patient-centric care expands, the current trends are likely to progress and intensify. It’s vital that healthcare organizations extend the parameters of their security programs to encompass the new business and clinical processes that they’re creating. It’s also essential that stakeholders understand the new risks that come with the expansion of the health data ecosystem. Threat modeling can help illustrate emerging risks so that organizations can address them proactively.
Interested in learning more about how BTB Security helps organizations, including those in highly regulated industries, cultivate a stronger security posture and future-focused IT strategy? Check out our Governance, Risk and Compliance Services or schedule a free consultation with a security expert from our team today.