Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker.
Over the last year, healthcare cybersecurity incidents have become increasingly common. A healthcare cybersecurity report entitled “A Matter of Life and Death: The State of Critical Access Management in Health care” by Securelink revealed the healthcare industry suffers four times more cyberattacks than any other industry. During the 2020 pandemic, the healthcare industry saw an increase in healthcare security breaches by 55%. The same study found that 44% of all healthcare and pharmaceutical organizations experienced a data breach caused by a third party within 12 months.
The Cost of a Healthcare Security Breach is More Than Financial
According to the report by Securelink, a healthcare security breach potentially exposes the data of 26 million people in the US. In 2020, the health care system saw infiltration of more than 29 million data records. Even with security breaches on the rise, only 41% of these groups have a comprehensive inventory of all third parties’ access to their network. With such high stakes, a data breach poses tremendous compliance and reputational risk.
The SecureLink report explains as health care organizations become more reliant on third parties, securing critical assets becomes increasingly imperative. The same report, created by the Ponemon Institute, elaborates that not investing in optimal cybersecurity can lead to hefty fines and long-term damage to their reputation. Data breaches can ultimately shut down entire health care systems and compromise patient care, sometimes making a breach a matter of life or death.
How Healthcare Organizations Can Promote Safe Operations and Secure Patient Data
To ensure healthcare cybersecurity, organizations can implement user access management systems, which automate the process of reviewing, monitoring, and auditing access rights for both internal employees and external vendors. Access management solutions streamline the process of managing permissions from third parties. They also secure critical access points. There are three pillars of critical access management:
- Access governance – systems and processes to ensure the policy is adhered to as closely as possible.
- Access controls – mechanisms to reduce risk, heighten visibility, and increase friction when granting access rights and privileges to third parties.
- Access monitoring – observation and analysis of what happened while a user was in session.
Limiting network and user access across applications can help mitigate portions of health care data breaches. This limitation includes implementing zero-trust network access, regularly reviewing access rights among users and vendors, and monitoring application access. This can be a burden financially and time-consuming, but it’s becoming vital.
Takeaways of CynergisTek’s Annual Report on Healthcare Cybersecurity
Cybersecurity readiness is a long-term project that requires consistent attention and proactive action to keep up with the latest threats. Given current trends and data from CynergisTek’s 2021 report, healthcare organizations should concentrate on the following:
- Conduct enterprise-level exercises and drills, test all areas of the organization’s cyber-resilience. To ensure a successful response, practice on a large scale. Hire an outside service to conduct regular “audits” where you invite a controlled breach to test your security.
- Especially since the challenges imposed by COVID can cause supply issues, supply to needed parts and services continues to be a growing issue across the board, posing a potential vulnerability with far-reaching and unpredictable consequences. Security leaders need to assess the current investments and form a plan of action to address this vulnerability that includes, at the very least, a risk-based assessment of critical third-party vendors based on access, data held or accessed, and services provided.
- The automation of security functions and the validation of technical controls for people and processes are essential components of any solid security strategy. Because security automation can detect, investigate, and even remediate cyber events and threats in near-real-time, it is crucial to prioritize automation that can be manually diagrammed. Then, gradually implement that automation and roll out training to effectively leverage the tools so that the appropriate people can follow the proper procedures.
- Network segmentation is a concern of every organization. Network segmentation divides a network into multiple segments or subnets, each acting as its own small network, and each limiting access to the larger network. By dividing web servers, databases servers, and standard user machines into their respective segments, authorized access can only be restricted to the intended audience, creating an environment of “least privilege.” Once inside an unrestrictive network, cybercriminals exploit unsegmented networks to insert and propagate malware throughout the entire network.
Future of Healthcare Cybersecurity
Attacks are becoming more advanced and frequent. They’re becoming increasingly difficult to detect. Healthcare organizations are encouraged to keep up and implement up-to-date security measures to keep their organization, clients, and patients’ PHI safe.
HIPAA Compliant Cybersecurity for Professionals
Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.