The Necessity of Prescribing Cyber Hygiene to Healthcare Providers
The Caduceus, a symbol dating back to ancient Greek mythology, holds significant symbolism in the medical profession. It is typically depicted as a staff with two entwined serpents and topped with wings. It is associated with the Greek god Hermes, who was considered a messenger between realms and a patron of commerce, trade, and travel. Over time, the Caduceus became linked to medicine due to its association with Hermes' ability to bring balance, communication, and harmony, which parallel the ideals of healing, restoration, and the physician's role in bridging the gap between illness and health.
It is time for some additional meaning to be attached to the Caduceus—namely, cyber-secure. For healthcare providers, there is a strong correlation between balance, communication, harmony, and implementing best practices around safeguarding patient data and maintaining operational uptime. Think of it as a symbol serving the same purpose the U.S. Cyber Trust Mark is intended to serve. A several-year-old Health Care Industry Cybersecurity Task Force report articulated the issue bluntly and accurately:
“If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.”
The healthcare system is perpetually under attack from threat actors seeking to access the incredibly sensitive data held by providers and needed to perform most operational functions. IBM's Cost of a Data Breach Report highlighted that, for 13 consecutive years, the healthcare industry had incurred the highest cost per data breach at $10.93 million, up 8.3% year-over-year and 53.3% since 2020. Furthermore, there is much money to be made by threat actors in attacking healthcare providers. A complete healthcare record can fetch upwards of $1000 on the dark web; in a large-scale data dump, as opposed to a record-by-record sale, the average is closer to $250 per record.
Immense challenges exist in protecting healthcare data, primarily because of the tremendous volume generated. A Forbes article reports that hospitals generate some 50 petabytes of data on a daily basis—one petabyte equals 1 million gigabytes—which is quite intensive to simultaneously process, store, keep readily accessible, and safeguard. The demand for cybersecurity specialists, effective applications, and HIPAA compliance maintenance is, in some ways, outpacing supply—a cursory scan of the U.S. Department of Health and Human Services (HHS) Data Breach Portal demonstrates the severity of the challenges facing healthcare providers and cybersecurity firms alike.
According to the U.S. government's OCR (Office for Civil Rights), healthcare providers reported 145 data breaches in Q1 of 2023. This closely mirrors the 707 incidents last year, in which 51.9 million records were stolen, roughly 73,408 records per incident. Extrapolating this further, approximately 21,288,320 records have been accessed, exfiltrated, encrypted, and/or made for sale through the first half of this year.
A hospital's cybersecurity framework must encompass multiple facets to safeguard against cyberattacks effectively. These include securing patient data and electronic health records through robust encryption and access controls, protecting medical equipment from unauthorized access and manipulation, ensuring network infrastructure resilience to prevent disruptions in critical healthcare services, implementing strong authentication methods to control personnel access, training staff to recognize and respond to phishing and social engineering attempts, establishing incident response plans to swiftly address breaches, fortifying telemedicine platforms to ensure patient privacy during remote consultations, regularly updating and patching software to mitigate vulnerabilities, and fostering a culture of cybersecurity awareness and compliance across the organization. Doing all of this well is complex.
And now, as more medical devices are internet-enabled and operated via mobile applications, cybersecurity standards are being implemented. ISO 14971:2019 establishes a framework for applying risk management principles to medical devices throughout their lifecycle, encompassing risk identification, analysis, evaluation, and control. The standard aims to ensure that medical devices are designed, manufactured, and used in ways that minimize risks to patients, users, and others, while facilitating informed decision-making and fostering continual improvement in device safety and performance.
Because nearly every facet of the healthcare industry deals with highly sensitive, personal information, the exposure of which can put individual health at risk, there is no end to the vigilance and diligence required to safeguard patients and providers.
Healthcare providers require a three-pillar approach to address every aspect of an incident.