How past healthcare breaches can help your future strategies

In the face of rising cyber threats, the healthcare sector is a hotbed for cyberattacks. Given the gravity of this situation, we shed light on the contributing factors making healthcare organizations vulnerable, the role of legacy IT systems, common network monitoring mistakes, patterns in data breaches, and the financial implications of these attacks.

This article also addresses the complexities of partnerships and third-party relationships in influencing a healthcare system’s cyber risk profile.

What are some of the most prominent reasons why healthcare continues to be such a prime target for cybercriminals?

Healthcare is particularly vulnerable to cyberattacks, and has seen a spike in them, because of inadequate security, the high likelihood that organizations will quickly accede to attackers’ payout demands, and the sheer value of the patient records they hold.

There are several contributing elements:

  • Decades-old technology combined with less-than-adequate readiness and planning around cyber emergencies.
  • The crumbling ecosystem and large volume of network ports and devices used in hospitals make it very hard to stay on top of segmentation, zoning, and security.
  • The workforce isn’t aware of cyber issues and incidents because of its limited understanding of online and personal cyber risks.
  • There is little appetite to disrupt convenient, established working solutions by introducing new technology that might require staff realignment.
  • Remote and hybrid work arrangements have stretched the organization’s baseline attack surface even wider.
  • Personal identity and patient information are worth a large reward to financially motivated attackers.

How have legacy IT systems contributed to the healthcare sector’s vulnerability to cyber-attacks, and why is modernization a critical need?

To be a leading healthcare organization, re-imagination, innovation and adoption of cutting-edge medical technology are key! Not everyone has kept pace, however: many health systems must deal with revenue shortfalls and delay or defer lifecycle upgrades of systems, let alone fully modernize.

The rapid rate at which medical technology becomes outdated makes the sector highly vulnerable to cyber-attacks. It is critically important to proactively rationalize new investments by phasing out end-of-life (EOL) and end-of-service (EOS) platforms.

What are the common mistakes that healthcare organizations make when monitoring their networks for threats?

As discussed above, many members of the workforce may not practice the necessary cyber hygiene rules, while others lack the knowledge to recognize and mitigate online threats affecting their work environment. Note that people aren’t solely to blame. The organization is also at fault for not adequately training staff and underscoring that cyber-security involves everyone and starts at the top of the organization. Here’s a link to an article addressing this: https://mailchi.mp/7f035efccde4/3-reasons-humans-are-the-best-phishing-defense?e=[UNIQID]

Extrapolating from the most significant healthcare data breaches, what patterns or commonalities emerge that could help organizations prevent future attacks?

I stay tuned to important messaging provided by the federal Cybersecurity and Infrastructure Security Agency (CISA). The agency recently highlighted the patterns of bad practices, noting that such practices are “dangerous and significantly elevate risk to national security, national economic security and national public health and safety.”

CISA also noted that each of these practices “is especially egregious in technologies accessible from the Internet”. As such, healthcare organizations must:

(1) Embrace plans to shift away from unsupported (or end-of-life) software in service of critical infrastructure and national critical functions (NCF), and

(2) Move to password-less, multi-factor, multi-device vouching services to deter malicious Initial Access or Remote Code Execution (RCE) and prevent entry into the critical infrastructure and NCF space.

What financial repercussions do healthcare organizations face due to data breaches, especially considering the potential fines under GDPR and the costs associated with ransomware attacks?

The GDPR states explicitly that some violations are more severe than others. Fines range from 2% (or up to €10M) to 4% (or up to €20M) of an organization’s worldwide revenue from the preceding financial year, whichever amount is higher. These are just the fines pertinent to a breach of the protected data of EU subjects; the costs can mount to several tens of millions where a large healthcare entity must recover from a breach or theft of large swaths of data following a successful ransomware attack.

How do partnerships with other businesses and vendors affect a healthcare system’s risk profile, and how can healthcare organizations ensure their partners can mitigate cyber threats?

With the growing dependence on third-party supply chain relationships, the occurrence of incidents is ever greater, and the estimated direct financial exposure from an incident has grown exponentially. To lawmakers, corporations, and customers, the functions performed by key vendors, business associates, partners, affiliates, or technology hosting services are often indistinguishable from those performed by the core business.

Consequently, when cyber gaps are exploited at third parties, healthcare systems face the associated financial, reputational, and regulatory risks, which alter the organization’s risk profile. As an example, exposures created by a business associate’s use, storage, and/or communication of information in a manner that is not adequately protected from accidental or malicious alteration, destruction, and unauthorized access lead to direct cyber impact on the covered entity. A medical device supplier or a pharma manufacturer crippled by a successful cyber-attack may fail to supply critical devices, parts, medicine or services because it cannot adequately manage a disruptive event, with adverse impact on the healthcare system.

US-based organizations can avoid non-compliance with laws, regulations, or ethical standards (including conflicts of interest), and the resulting censure from regulators, litigation, and/or other adverse impacts, by adopting a proper compliance framework such as the HITRUST Common Security Framework (HITRUST CSF), which provides structure for the practices, accountabilities, and sufficiently resourced cybersecurity program needed to meet data confidentiality and privacy obligations.

Richard Freiberg

Profitability Consultant

Richard Freiberg CPA PC

Phone (980)339-3352

Cell (914)393-0033

www.rmfreibergcpa.com

https://www.dhirubhai.net/in/richardfreiberg791654/

Providing valuable counsel to help boost your company’s bottom line, while navigating competitive forces, industry, and economic risks in today's challenging environment

It's crucial to address these vulnerabilities in healthcare cybersecurity to protect sensitive patient data and ensure the integrity of critical medical services.
