Assessments: Building a roadmap to healthcare security
Due in large part to a recent wave of ransomware attacks, concerns have been mounting lately over cybersecurity vulnerabilities in healthcare organizations. Rightfully so, as a study by the Ponemon Institute last year revealed that criminal attacks in healthcare have swollen 125 percent since 2010. Threats have become so severe that this spring the United States Computer Emergency Readiness Team (US-CERT) issued an alert highlighting the risks posed by ransomware. Understandably, recent assaults on hospitals have many in the C-suite wringing their hands, as anxieties over the safety of their patients’ data have left them scrambling to identify and secure potential liabilities within their organizations.
The increase in attacks can largely be attributed to the increasing value of healthcare data on the black market. A recent Brookings Institution study found that the per-record cost for healthcare data breaches is higher today than in any other industry at $363 per record. There is good reason for this high price tag. Unlike credit card data, which has a shelf life and can quickly be rendered useless by financial organizations when it is stolen or fraud is detected, healthcare information is not so easily erased and often remains available on the black market for life. Once cybercriminals have the data, they can make fraudulent claims on behalf of their victims and gain access to everything from prescriptions to medical devices, which they can then continue to resell on the black market. Add in a victim’s social security number or other personally identifiable information, and it becomes clear why susceptible healthcare institutions have become goldmines for criminals for both healthcare fraud and financial fraud.
Many organizations, despite having already performed risk assessments to satisfy their HIPAA compliance requirements, have not performed cyber risk assessments that are commensurate with the evolving risk landscape. For healthcare executives seeking assurances that their patients’ data and their organizations are adequately protected, institutions must improve their risk assessment processes. A cyber risk assessment helps institutions ensure that a risk assessment is performed not only to satisfy compliance requirements, but also to provide value to the organization by taking into account potential failures in processes, people, organizational culture, and information technology. Cyber risk impacts often go beyond compliance, also adversely affecting other enterprise risk areas such as information, operations, reputation, technology, and finance. Once the cyber risk assessment is complete, teams can use the findings to develop security and risk mitigation strategies that reasonably address the unique culture, risk appetite, and risk management needs of the institution.
Improving your cyber risk posture
Below are a few critical actions to help healthcare organizations improve their cyber risk awareness and posture:
- Cyber risk assessment – If your organization has not done so already, re-examine and update your current risk assessment process. Is it driven purely by compliance or security requirements, or does it also account for your organization’s information, its culture, the realistic day-to-day use of and access to data by your employees, your legacy, current, and planned technologies, and your third parties? Does it adequately recognize that your organization holds information of monetary value to adversaries, which makes you a valuable target and raises the sophistication of the threats you face? Performing a cyber risk assessment that reflects your organization’s risk profile allows for more informed discussions about risk appetite, about selecting appropriate cybersecurity controls and information technologies, and about acceptance of the residual risks.
- Cyber security assessment – Evaluate your current security governance processes, user awareness, and technologies. Determine whether your governance program (policies, procedures, processes, and user awareness) addresses all of your compliance requirements. Assess and perform security testing to determine whether there are gaps in coverage in your existing security controls and technologies, such as anti-malware, anti-phishing, IDS/IPS, SIEM, encryption, DLP, vulnerability management, web security, patch and configuration management, mobile device security, etc. Determine whether the reporting and feedback produced by the technologies and the cyber security program yield metrics that help to gauge the effectiveness and performance of the controls in mitigating the associated risks. And finally, determine whether the controls in place are sufficient based on your cyber risk assessment and the evolving threat landscape.
- Compliance assessment – Ensure that your regulatory, contractual, and other requirements are clearly defined. Depending on the institution, these may include HIPAA, HITECH, FTC Red Flags, PCI DSS, FERPA, and various other statutes at the federal, state, and international level. This review process helps to ensure that the information, communications, protection, and reporting requirements are addressed by your security, your technology, and the scope of your enterprise and cyber risk management processes.
- Crisis management planning – As risk assessments factor in estimates of the probability or likelihood of events or scenarios occurring, inevitably stuff happens. It’s critical for organizations to have a clear strategy and process in the event of significant incidents or crises. That means not only having established and practiced incident handling or management procedures, but also having an exercised crisis management plan for when things go from bad to worse, or certain thresholds are crossed. This includes elements such as assessing the extent of the potential impact, clearly defined roles and responsibilities, mitigation processes, and management of internal and external communications.
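To make the cyber risk assessment and crisis-threshold ideas above concrete, here is a small risk register calculator. It is an added illustration, not code or a method from the original article: the likelihood and impact scales, the scenarios, the control effectiveness figures and the risk appetite threshold are all constructed, and a real assessment would calibrate them to the institution's own risk profile. It scores each scenario's inherent risk, applies the existing controls to get a residual score, ranks scenarios, and marks which residual risks exceed the stated appetite and therefore still need treatment.

```python
"""Minimal cyber risk register (added example; all figures are constructed).

Inherent risk  = likelihood x impact on 1..5 ordinal scales.
Residual risk  = the same product after each control reduces either the
                 likelihood or the impact by its estimated effectiveness.
Treatment      = "treat" when residual risk exceeds the risk appetite,
                 otherwise "accept" (documented acceptance of residual risk).
"""
from dataclasses import dataclass, field

# Constructed ordinal scales (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Scenario:
    name: str
    likelihood: str
    impact: str
    # control name -> (dimension it reduces, estimated effectiveness 0.0..1.0)
    controls: dict = field(default_factory=dict)


def inherent_score(s: Scenario) -> float:
    """Risk with no controls applied."""
    return LIKELIHOOD[s.likelihood] * IMPACT[s.impact]


def residual_score(s: Scenario) -> float:
    """Risk remaining after the listed controls.

    Layered controls on the same dimension combine multiplicatively:
    two 50%-effective likelihood controls leave 25% of the likelihood.
    """
    lik = float(LIKELIHOOD[s.likelihood])
    imp = float(IMPACT[s.impact])
    for dimension, effectiveness in s.controls.values():
        if dimension == "likelihood":
            lik *= 1.0 - effectiveness
        elif dimension == "impact":
            imp *= 1.0 - effectiveness
        else:
            raise ValueError(f"unknown control dimension: {dimension}")
    return lik * imp


def assess(scenarios, appetite: float):
    """Rank scenarios by residual risk and decide treat vs. accept."""
    rows = []
    for s in scenarios:
        res = residual_score(s)
        rows.append({
            "name": s.name,
            "inherent": inherent_score(s),
            "residual": round(res, 2),
            "decision": "treat" if res > appetite else "accept",
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample register for a hypothetical hospital.
SAMPLE_SCENARIOS = [
    Scenario("Ransomware via phishing email", "likely", "severe", {
        "email filtering": ("likelihood", 0.5),
        "user awareness training": ("likelihood", 0.2),
        "tested offline backups": ("impact", 0.5),
    }),
    Scenario("Lost unencrypted laptop with PHI", "possible", "major", {
        "full-disk encryption": ("impact", 0.9),
    }),
    Scenario("Third-party billing vendor breach", "possible", "major"),
    Scenario("Legacy unpatched imaging workstation compromise", "likely", "moderate", {
        "network segmentation": ("likelihood", 0.5),
    }),
]

# Constructed risk appetite: residual scores above this need treatment.
RISK_APPETITE = 5.0

if __name__ == "__main__":
    for row in assess(SAMPLE_SCENARIOS, RISK_APPETITE):
        print(f"{row['residual']:>6}  {row['inherent']:>3}  {row['decision']:<7} {row['name']}")
```

In the sample register the uncontrolled vendor scenario ranks highest even though its inherent score is lower than the ransomware scenario's, which is the point of separating inherent from residual risk: the ranking tells the security assessment where coverage gaps remain, and the "treat" rows are the ones a crisis management plan should have thresholds and playbooks for.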
Today’s healthcare industry is a rapidly shifting landscape. Technology is advancing quickly and organizations are looking to connect more effectively and to share information more freely. It’s a complicated, arduous move, and the notion that healthcare organizations are becoming increasingly aware of their own cyber risk exposures is a good thing. Only by acknowledging the potential weaknesses hiding in their organization can they begin to make their organization more resilient, and make data sharing safer and secure for their patients, employees, and shareholders.