Though it’s often “highly sophisticated” or “nation-state” attackers that make headlines, the truth is that healthcare’s most overlooked cybersecurity threats are within the IT ecosystem. In fact, according to Verizon’s 2021 Data Breach Investigations Report, nearly 40 percent of all global security incidents in 2020 were caused by inside actors. These insider threats are often not malicious in nature, but accidental errors, such as employees clicking on phishing links, using weak passwords, or improperly storing sensitive files.
And while those activities, unfortunately, happen across every industry, the stakes are much higher in healthcare. Through more than three decades working in the healthcare space, I’ve seen first-hand how outages can routinely put hospitals and patients in extremely dangerous positions, and breaches can result in the exposure of highly sensitive data. Just last month, the personal information of more than 200,00 patients of a major provider was compromised after multiple employee email accounts were hacked.
COVID-19 is only compounding the problem, as attackers are attempting to pounce on overworked health IT teams when they’re most vulnerable. From December 2020 to February 2021 alone, there was a 189% increase in phishing attacks targeting pharmacies and hospitals amidst the vaccine rollout.
But the biggest problem of all? The security industry and healthcare organizations have taken their eyes off the ball.
For a number of years, cybersecurity has suffered from the axiom, “It’s not a matter of if you’ll be attacked, but when,” a perspective that has led many to argue that attack prevention is a lost cause, and an organization’s resources are better spent on remediation. But considering all that healthcare organizations have at stake — for example, Universal Health Services lost $67 million due to a cyberattack last September — overlooking prevention isn’t just defeatist, it’s dangerous.
The Case for Investing in Prevention
Business leaders and technical teams often have competing priorities when it comes to cybersecurity. Boards and executives tend to see security as a cost center that takes away from profits. But it’s imperative that healthcare CIOs, CISOs, and IT teams make the business case to invest in cybersecurity, particularly prevention.
Cybersecurity Ventures predicts cybersecurity clean-ups will cost around $6 trillion globally in 2021 and up to $10.5 trillion by 2025. And the average fine levied by the Office of Civil Rights (OCD) for a reported healthcare breach reported by a single organization runs between $400,000 – $800,000. Cybercrime expenses include revenue and IP loss, productivity loss, and very often, massive reputational damage. Simply put, a breach can financially break an organization.
By prioritizing cybersecurity prevention and training, healthcare organizations can significantly lessen the risks of a breach and all its damages.
Three Ways Healthcare Organizations Can Work to Prevent Insider Threats
1. Prioritize staff education (without burning out employees)
Research shows that employees who receive security awareness training are significantly better at recognizing security threats than those who have not. Further, cybersecurity training programs are particularly effective at helping employees identify things like phishing and social engineering scams. This year’s Verizon DBIR report found that more than a third of all breaches involved phishing.
Training should be required for all users. Cybersecurity impacts the entire organization. No one is exempt from this responsibility or immune to vulnerabilities. The real key to success lies in designing training programs that don’t lead to increased burnout, which is already a major issue in healthcare while maintaining continuity and currency. Ultimately training should be part of any continuing education (CE) curriculum.
2. Improve IT hygiene
Many security issues are caused by either a basic hygiene issue that could and should have been identified and fixed with the correct level of visibility and control or by simple human error. Protecting an organization from the impact of any attack — including insider threats — comes down to ensuring security defenses are up-to-date and appropriately configured, and by directing employee behavior towards best practices. Is everything patched? Are security tools up to date? Is there complete visibility into all endpoints within your perimeter? With more staff working from home, can you apply the same visibility and protection to all of your employees, regardless of their location? How fast can you monitor and remediate?
3. Implement a Zero Trust approach
Given the surge in telemedicine and remote work, the perimeter is gone, and traditional approaches to cybersecurity will no longer suffice. The focus needs to be on the “5 Ps”: Policy, People, Process, Products, and Third-Party vendors.
With a modernized Zero Trust approach, organizations continuously verify the access of each single user or device. By default, no one is trusted. Identity-awareness, perimeter definition, and multi-factor authentication (MFA) technologies are primary components of the enterprise-scale visibility and monitoring process. This extra layer of security can greatly reduce risk exposure and prevent breaches.
The healthcare industry is a prime target for attackers, but there’s no reason to have a head-in-the-sand attitude. By taking these steps, healthcare organizations can immediately improve their security posture and minimize the risk of potential breaches.
About Sanjay Joshi
Sanjay Joshi is Global CIO, Healthcare and Life Sciences at Tanium. Based in Seattle, he has spanned the gamut of life-sciences from clinical and biotechnology research to healthcare informatics to medical devices. Sanjay is currently focused on data, policy and process approaches for security, trust and privacy using scalable systems, data and cloud infrastructures for devices, genomics, proteomics, microbiomics, imaging, the phenotype (EMR), and their interoperability, and trust along the customers’ journey.
