
    10 Cybersecurity Best Practices for Healthcare

    The highly targeted healthcare sector needs to bolster its cybersecurity strategies to secure devices, control access and ensure business continuity.


    Key Points

    • Healthcare organizations have been plagued by ransomware attacks — to the point of affecting patient care.
    • Their cybersecurity budgets and priorities need to be realigned.
    • Steps to better manage cybersecurity risk include building cyber resilience, adopting a zero-trust model and integrating security solutions.


    It’s a tough time for cybersecurity professionals in healthcare. In the United States, 2021 saw an all-time high both in the number of data breaches reported to the U.S. Department of Health and Human Services (679) and the number of individuals affected (45 million).[1] Many healthcare organizations have suffered ransomware attacks while dealing with the pandemic, with the impact reaching beyond finance and operations to affect clinical care, according to Ponemon Research. In fact, more than half of organizations hit by ransomware reported longer hospital stays and delayed medical procedures.[2]

    These challenges have coincided with increased investments in cloud-based services as well as infrastructure to support telehealth in the wake of COVID-19. Yet, cybersecurity has typically made up less than 6% of overall IT budgets, according to the nonprofit Healthcare Information and Management Systems Society (HIMSS).[3] While cybersecurity investment is more recently seen to be increasing across all sectors, healthcare organizations still have to cherry-pick their security investments. Most have prioritized upgrading existing security solutions, acquiring new solutions and hiring more staff; efforts such as cybersecurity awareness training and penetration testing have received less investment. 

    With resources constrained but the number and severity of healthcare cybersecurity threats only increasing, it’s never been more important for organizations to assess where they are at risk and adopt best practices including the following: 

    Increase investment in cybersecurity. The average cost of a data breach in healthcare — detecting it, notifying those impacted and responding appropriately, plus suffering from lost business — is a staggering $9.2 million globally. That’s more than double the average for other industries, according to IBM,[4] warranting a second look by healthcare executives at the cost/benefit of investing in cybersecurity.

    Integrate security solutions. Organizations that leverage a single cybersecurity product or platform run the risk of establishing a “security monoculture” that attackers can easily exploit. But trying to integrate multiple best-of-breed security solutions can add friction to the user experience — no small matter in the emergency department or intensive care unit — while proving costly and complex. Solutions built on a foundation of integrated security technologies, such as those offered by Mimecast and its partners, offer greater access to timely threat intelligence and enable the creation of automated remediation processes that span multiple issues.

    Improve visibility into connected devices. A majority of organizations have legacy operating systems in place, according to HIMSS, and many run on mission-critical medical devices. One in five have devices running Windows XP, which Microsoft no longer supports. According to Ponemon, only about a third of organizations can locate all their medical devices and know when each operating system is out of date. With the average hospital bed in the United States connected to up to 15 devices,[5] and with more care moving outside the four walls of the hospital to outpatient facilities and even patients’ homes, it’s more important than ever for organizations to gain visibility into the vulnerabilities that connected devices pose. 
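    As an added example (not code from the article or from Mimecast), the following Python check works the visibility problem described above: given an asset-inventory export, it flags devices running an operating system past its vendor end-of-support date (such as Windows XP), devices whose operating system is unknown, and devices that discovery has not seen recently. The END_OF_SUPPORT table and the inventory rows are constructed assumptions for the example; the dates should be verified against the vendor's lifecycle pages before real use.

```python
import csv
import io
from datetime import date, timedelta

# Vendor end-of-support dates (assumed for this example; verify against vendor lifecycle pages).
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows 7": date(2020, 1, 14),
    "windows 10": date(2025, 10, 14),
}

# Constructed sample inventory, standing in for an export from an asset-discovery tool.
INVENTORY_CSV = """asset_id,device_type,os,last_seen,location
MD-001,infusion pump,Windows XP,2024-03-01,ICU-bed-4
MD-002,patient monitor,Linux,2024-03-02,ICU-bed-4
MD-003,imaging workstation,Windows 7,2023-11-20,Radiology
MD-004,infusion pump,Windows 10,2024-03-02,Ward-2
MD-005,ventilator,,,ICU-bed-5
"""

def classify(row, today, stale_after=timedelta(days=30)):
    """Return the list of findings for one inventory row (empty list means no issue)."""
    findings = []
    os_name = row["os"].strip().lower()
    if not os_name:
        findings.append("unknown_os")          # cannot judge patch status at all
    else:
        eos = END_OF_SUPPORT.get(os_name)
        if eos is not None and eos <= today:
            findings.append("unsupported_os")  # vendor no longer ships security fixes
    last_seen = row["last_seen"].strip()
    if not last_seen:
        findings.append("never_seen")          # discovery has never located this device
    elif today - date.fromisoformat(last_seen) > stale_after:
        findings.append("stale")               # not observed recently; may have moved or gone offline
    return findings

def assess_inventory(csv_text, today_iso):
    """Map asset_id -> findings for every device, evaluated as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["asset_id"]: classify(row, today) for row in reader}

def summarize(report):
    """Count devices per finding; 'ok' counts devices with no findings."""
    counts = {"ok": 0}
    for findings in report.values():
        if not findings:
            counts["ok"] += 1
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    return counts
```

    Devices flagged unsupported_os or unknown_os are the ones to isolate on the network and prioritize for replacement or compensating controls; never_seen and stale entries show where the inventory itself is incomplete.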

    Adopt zero trust security. From physicians to facilities workers to a range of third-party partners, the typical healthcare organization is full of contractors. Under a zero-trust security model, no user or device is recognized by the network unless it is verified. Solutions such as identity governance and administration (IGA) and privileged access management (PAM) help to ensure that the right users have access to the right systems at the right time — and cannot access what they don’t need to do their job.

    Build cyber resilience. Healthcare is more susceptible to cyberattacks than other industries — in part, because criminals can use the patient information in medical records to set up a line of credit or take out a loan.[6] Globally, healthcare organizations face about 625 attacks each week, or almost four per hour.[7] Organizations must accept that data breaches, ransomware attacks and phishing attempts will sometimes succeed. A cyber resilience strategy has a twofold focus: Respond to the attack at hand and ensure business continuity by providing continuous access to email and other critical systems when servers are down. 

    Embrace a threat-centric approach. As with building cyber resilience, taking a threat-centric or threat-informed approach to cybersecurity assumes that threats exist and pose a risk to an organization. This approach has three general components: Modeling monitors, systems and devices to identify vulnerabilities; hunting actively for endpoints that could be exploited; and gathering intelligence through a combination of commercial, open-source and government threat feeds. Through this approach, organizations are better equipped to respond to threats and minimize their vulnerabilities.[8]

    Modernize cloud infrastructure. Research from IBM has shown that organizations with a more proactive cloud strategy can contain data breaches 77 days faster. Taking steps such as migrating off legacy cloud solutions, updating security policies and access controls, requiring user verification before connecting to cloud-based services, and closing gaps due to cloud misconfigurations can reduce the likelihood of a breach and make it easier to identify where and when a breach occurred. 

    Ensure HIPAA compliance. Though the HIPAA Security Rule doesn’t explicitly require email archiving, it does require covered entities such as health systems and health plans to retain “electronic communications” for a minimum of six years. The rule also requires access, audit and encryption controls to be in place to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). Email archiving and secure messaging can ensure HIPAA compliance while also supporting cyber resilience.

    Use AI to recognize and act on threats. Mimecast research shows that companies need to detect cyberattacks in less than one minute, investigate them in less than 10 minutes and remediate them in less than an hour. Otherwise, attackers can spread across networks, gaining a foothold, achieving persistence and probing system resources. Given the potential for hackers to take life-saving systems offline and disrupt entire facilities, rapid response is even more crucial in healthcare. Artificial intelligence (AI) and machine learning systems can detect threats faster than human analysts — especially in smaller healthcare organizations with limited IT resources or cybersecurity expertise. 

    Leverage automation. There are three important benefits of automation from a cybersecurity perspective. Automation can standardize repetitive business processes, such as device or user authorization, which are prone to human error. It can allow organizations to conduct more risk assessments, especially as they continue to contract with third parties. And it can start a remediation process immediately upon recognizing a threat, saving precious time and enabling cybersecurity teams to spring into action.

    The Bottom Line

    Business continuity has always been a priority for hospitals and health systems providing 24/7 care — and cyberattacks increasingly threaten healthcare’s ability to uphold that mission. Developing a robust cybersecurity strategy and implementing multiple layers of security will protect organizations from more cyberattacks and help them maintain operations and patient care in the event that an attack occurs. Dive deeper into Mimecast’s approach to the healthcare sector’s cybersecurity challenges and solutions.


    [1] “Healthcare data breaches hit all-time high in 2021, impacting 45M people,” Fierce Healthcare

    [2] “Ponemon Research Report: The Impact of Ransomware on Healthcare During COVID-19 and Beyond,” Ponemon Institute

    [3] “2021 HIMSS Healthcare Cybersecurity Survey,” Health Information and Management Systems Society

    [4] “Cost of a Data Breach Report 2021,” IBM

    [5] “Medical Devices Are the Next Security Nightmare,” Wired

    [6] “What hackers actually do with your stolen medical records,” The Advisory Board

    [7] “Healthcare Accounts for 79% of All Reported Breaches, Attacks Rise 45%,” Health IT Security

    [8] “Healthcare Cybersecurity Report 2021-2022,” Herjavec Group

