How the HHS Cybersecurity Strategy Can Strengthen Awareness and Reduce Security Breaches

May 14, 2024

Brian Nowak, Regional Account Executive, Healthcare Sales
David Mauro, National Manager, Finance Practice

It seems as though we read about another healthcare organization falling victim to a cyberattack every week. It doesn’t matter if you’re an urban, rural, large or small healthcare entity – you are a target. The latest research suggests protected health information (PHI) can sell for up to $100 per file. We’ve now progressed from the “it won’t happen to us” approach to the “when it happens to us” reality. This has healthcare organizations wondering if they have taken the necessary steps to best protect PHI and ensure their incident response (IR) plans are viable, tested and thorough. It has also led to discussions about how we should be protecting PHI, and isn’t the incident response plan the same thing as our disaster recovery plan?

In March 2023, the Department of Health and Human Services (HHS) issued a concept paper on healthcare cybersecurity. In it, the HHS described its strategy by introducing four pillars designed to provide a framework for strengthening cybersecurity and awareness. The pillars include:

  • Establish Voluntary Cybersecurity Performance Goals (CPG)
  • Provide Resources to Incentivize Implementation of Stronger Cybersecurity Protocols and Practices
  • Develop New Enforceable Cybersecurity Standards Through Greater Regulatory Enforcement and Accountability
  • Expand and Mature HHS’s One-stop Shop Offerings for Healthcare Sector Cybersecurity

The voluntary CPG pillar is split into two types of goals: Essential Goals and Enhanced Goals. For the purpose of this discussion, we’re going to focus on the Essential Goals. Although they are currently voluntary, the Essential Goals set a minimum level of standards for healthcare organizations to follow. The Essential Goals include:

  • Mitigate Known Vulnerabilities: Ongoing mitigation of known vulnerabilities reduces the threat of a system exploitation.
    • This reduces the risk of zero-day vulnerabilities as we have seen throughout healthcare this past year. It also helps mitigate the risk of easy entry by threat actors. Keeping systems, especially legacy systems, updated in a timely manner is critical.
    • Developing a policy, with regular review and accountability, for ongoing timely remediation of known vulnerabilities is a best practice.
  • Email Security: Protecting email accounts from unauthorized access.
    • Social engineering and email compromise are known attack vectors.
    • Timely offboarding of prior employees who still have access, hardening password management policies and blocking the re-use of passwords are all critical.
    • Labeling external emails as such is a cost-effective approach that motivates users to pay attention.
    • Ongoing education for all staff on social engineering tactics and attempts like thread-jacking and business email compromise is important.
  • Multifactor Authentication (MFA): Adding a second layer of authentication beyond a password.
    • While not fool-proof, MFA thwarts a large percentage of attacks and helps mitigate risk.
    • Ongoing education for all staff on social engineering tactics and attempts such as MFA-fatigue is also important.
  • Basic Cybersecurity Training: Ongoing educational training for employees to recognize risk and practice secure behaviors.
    • Like all professional development, security awareness training, especially on emerging threats like AI and deepfakes, is essential.
    • To be effective, professional development must be ongoing and job-embedded.
    • Phishing simulations can also be leveraged to empirically show that the user base is improving.
  • Strong Encryption: Protecting confidential information at rest and when transmitted.
    • Encryption is essential on both the sending and receiving ends, as well as in transit.
    • This blocks threat actors’ access to PHI and related critical confidential information.
    • Careful evaluation of vendors providing these tools is key, as well as maintaining regular inspection and patching.
  • Revoking Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates and Volunteers: Removing credentials for anyone who no longer requires access to a system(s) and application(s).
    • Timely offboarding of prior employees who still have access, hardening password management policies and blocking the re-use of passwords are all critical.
  • Basic Incident Planning and Preparedness: Developing and practicing a plan should a cyber incident be discovered. A disaster recovery plan is not an incident response plan.
    • Breaches are most likely inevitable, but not all breaches are created equal.
    • The difference between one that causes long-term harm and one that is quickly remediated in a time of crisis depends on proper preparation.
    • Undergoing IR Planning, developing an IR playbook and practicing real-life simulations works as a fire drill would for children in school, and reduces risk.
  • Unique Credentials: Ensuring the correct users have access to the right functions needed to do their jobs.
  • Separate User and Privileged Accounts: Privileged accounts are created for those who may require administrative rights to the network or application.
    • Having a zero-trust methodology for central admin accounts and requiring additional verification is critical to avoid escalation of privilege.
    • These approaches can be implemented through network configuration and layers of security with independent and additional verification requirements.
  • Vendor/Supplier Cybersecurity Requirements: Creating and ensuring compliance of cybersecurity standards for Business Associates. Cyber requirements may vary based on the services procured.
    • Holding third-party vendors accountable to the same or similar controls as those you have is clearly a risk reducer and best practice. To earn your business, they must invest in protecting their brand and yours.
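The Revoking Credentials and Separate User and Privileged Accounts goals above are easiest to keep honest with a recurring reconciliation between the HR roster and the directory. The following is an added example (not part of the original post or of any HHS or Konica Minolta material) that reads two constructed CSV exports, flags enabled accounts whose owner has left, flags people who run daily work and administration from a single privileged account, and surfaces enabled accounts with no HR owner on record. The CSV column names and the privileged group names are assumptions for the example; a real deployment would map them to its own HR and directory exports.

```python
"""Added example: reconcile an HR roster against a directory export.

Findings produced:
  stale_account              enabled account whose owner's end_date has passed
  shared_privileged_account  person whose only account sits in a privileged group
  unowned_account            enabled account with no HR owner on record
Inputs are constructed inline; column names are assumptions, not a product format.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: one row per workforce member (employees, contractors,
# affiliates, volunteers); end_date is empty while the person is still active.
HR_ROSTER_CSV = """person_id,name,role,end_date
p001,Alice Example,employee,
p002,Bob Example,contractor,2024-03-31
p003,Carol Example,volunteer,2024-04-15
p004,Dan Example,employee,
"""

# Constructed directory export: account, owning person, enabled flag, groups.
ACCOUNTS_CSV = """username,person_id,enabled,groups
alice,p001,true,staff
alice-adm,p001,true,staff;domain-admins
bob.c,p002,true,staff
carol.v,p003,false,staff
dan,p004,true,staff;domain-admins
svc-backup,,true,backup-operators
"""

# Assumed set of groups that confer administrative rights.
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}


@dataclass(frozen=True)
class Finding:
    kind: str
    username: str
    detail: str


def parse_csv(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def departed_people(roster, as_of):
    """Map person_id -> end_date for everyone whose end_date is on or before as_of."""
    gone = {}
    for row in roster:
        if row["end_date"]:
            end = date.fromisoformat(row["end_date"])
            if end <= as_of:
                gone[row["person_id"]] = end
    return gone


def audit(roster_csv, accounts_csv, as_of_iso):
    """Return the list of findings for the given roster and directory exports."""
    as_of = date.fromisoformat(as_of_iso)
    roster = parse_csv(roster_csv)
    accounts = parse_csv(accounts_csv)
    gone = departed_people(roster, as_of)
    findings = []

    # 1. Enabled accounts whose owner has already left (credentials not revoked).
    for acct in accounts:
        pid = acct["person_id"]
        if acct["enabled"].lower() == "true" and pid in gone:
            findings.append(Finding("stale_account", acct["username"],
                                    f"owner {pid} left on {gone[pid]}"))

    # 2. People with exactly one account that carries privileged group membership,
    #    i.e. no separate user and admin account.
    by_person = {}
    for acct in accounts:
        if acct["person_id"]:
            by_person.setdefault(acct["person_id"], []).append(acct)
    for pid, accts in by_person.items():
        if len(accts) == 1:
            groups = set(accts[0]["groups"].split(";"))
            if groups & PRIVILEGED_GROUPS:
                findings.append(Finding("shared_privileged_account", accts[0]["username"],
                                        f"{pid} uses one account for daily work and admin"))

    # 3. Enabled accounts with no HR owner; these need an accountable owner assigned.
    for acct in accounts:
        if not acct["person_id"] and acct["enabled"].lower() == "true":
            findings.append(Finding("unowned_account", acct["username"],
                                    "no HR owner on record"))
    return findings


if __name__ == "__main__":
    for f in audit(HR_ROSTER_CSV, ACCOUNTS_CSV, "2024-05-14"):
        print(f"{f.kind:28} {f.username:12} {f.detail}")
```

Run as a scheduled job, the output is a ticket list: the disabled account of the departed volunteer is correctly silent, the contractor whose end date has passed but whose account is still enabled is the offboarding miss, and the single-account administrator is the separation-of-accounts gap.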

The value of PHI has made healthcare one of the most attractive industries for cyberattacks. However, other factors also play a role. The nature of healthcare requires the sharing of PHI between entities, which gives attackers more opportunities to exploit. Healthcare providers may also lack the technical and financial resources to keep pace with ever-changing cyberthreats. Staffing shortages and the lack of cybersecurity training for all employees add to the challenge of protecting PHI.

The CPGs are a good start, but the responsibility ultimately remains with each healthcare provider to create a thorough cyberstrategy to protect PHI from ever-changing and sophisticated cybercriminals. Konica Minolta can help. We provide a wide portfolio of services to the healthcare industry through our healthcare practice. Learn more online.

Brian Nowak
Regional Account Executive, Healthcare Sales

Brian is a Healthcare Regional Account Executive for Konica Minolta. He has held senior leadership positions with Fortune 500 companies and has a background in business development, operations and compliance. Brian earned his MBA in Finance from Loyola University.