A doctor might describe the condition of cybersecurity in healthcare 2022 as "critical." In a little over two years, healthcare IT has seen a decade's worth of changes. From a security point of view, most have been for the worse.
More valuable personally identifiable information (PII) motivates attackers and upcoming changes to the Health Insurance Portability and Accountability Act (HIPAA) create new risks for organizations. Telehealth and remote working leave defenders with a greater attack surface to cover. Ransomware is beginning to turn deadly. And as hospitals and clinics go digital, many of the legacy issues plaguing healthcare security have compounded. Thanks to vaccines COVID-19 might be less of an issue than it was, but the security problems it created have stuck around.
Case in point: last year saw a 19 percent increase in HIPAA breaches. Now, with over 70 data breaches of 500 or more records in May alone, this year looks even worse. (This is a record not seen since June 2021.) Behind these figures is real suffering. Those in need of healthcare face delays due to cybercrime or risk having their PII stolen. Meanwhile, affected hospitals, clinics, and other providers are experiencing financial and reputational ruin.
From Morphisec's 2021 Consumer Healthcare Cybersecurity Threat Index, we know that for a midsize hospital, the average shutdown period following a breach is 10 hours. The average cost of this downtime is over $45,000 per hour. This doesn't account for the losses incurred as a result of patients who will switch providers after an attack.
With the costs of a cyber incident rising for providers, attack vectors and targets have changed. It used to be the case that most healthcare breaches came from insider threats like an employee losing a laptop or a malicious individual compromising information from inside. But these days, most threats (76 percent) come from either vulnerable or accessible web applications.
To better understand today's healthcare cybersecurity threat landscape, Morphisec spoke to a panel of US healthcare security leaders during our Healthcare Cybersecurity Virtual Summit. Here's a snapshot of who spoke.
Soaring Breach Rates Are Hitting Hospital Bottom Lines
For cybercriminals, big and small healthcare organizations are both primary targets now. With the going rate for a single patient record up to $250 on the dark web, this level of threat is not surprising. Attacks against healthcare institutions have been soaring for a while. But it's not the potential cost of network breaches that makes non-IT stakeholders take note. It's the ongoing cost of insuring them.
For healthcare organizations of every type, cyber insurance is becoming extremely expensive. All Morphisec panelists reported a dramatic increase in their insurance premiums, regardless of whether they’d been breached or not. For some organizations, the price of coverage has increased by over 100 percent. Meanwhile, the scope of coverage appears to be decreasing, and the requirements for having it are getting more demanding. Insurers may cover some of the costs of a cyber attack, i.e., a ransom payment, but remediation is typically left to the affected institution. Overall, the average breached healthcare organization faces around $8 million in costs.
There is one positive result from more expensive cybercrime. As non-technical healthcare executives realize the immediate costs of a weak security posture, they’re paying more attention to what IT teams need to fix things. In response, the healthcare security leaders Morphisec spoke to are finding it easier to get buy-in from leaders when shifting towards a more proactive posture. This makes sense. After all, the more expensive reactive security becomes, the more stopping attacks becomes a leadership priority.
Human Factors and Zero Day Threats = Major Worries
According to a 2021 survey from the Healthcare Information and Management Systems Society, 71 percent of healthcare breaches start with a phishing attack. Backing up this finding, one of our panelists reported that almost 2 percent of all emails that got through their filters were phishing attempts.
The phishing threat means two things for healthcare cybersecurity in 2022. Firstly, the number one risk factor for any provider is people. So proactive security awareness training is vital. Secondly, security is not just the responsibility of one individual or team within a healthcare organization. Instead, cybersecurity is a process that requires everyone’s involvement.
Our panelists reported healthcare leaders are more conscious of these human aspects of cyber risk than ever. But advocating for new initiatives can still be more challenging than it should be.
There are two fundamental roadblocks to healthcare keeping pace with frameworks like NIST (the National Institute of Standards and Technology) and responding to new threat types: downtime and culture. Deploying a new security solution or patching an application must happen without time offline. Morphisec’s panelists reported many healthcare organizations are also used to a slow pace of change. Rapid adoption is not common for most providers.
Another core concern for Morphisec’s panelists is stopping zero-day threats. Last year, Google's Project Zero uncovered a record number of never before seen threats: 80—more than double 2020's number. These are probably the tip of the iceberg compared to what's out there. Healthcare security teams are responding by prioritizing patching. For legacy applications they can't patch, they focus on siloing them from their networks.
Although patch management is complex, Morphisec’s panel found virtualization makes it less so. They agreed that in virtualized environments, it’s much easier to deploy and roll back patches as needed. As Tom Merkle, Chief Information Officer at Houston Eye Associates, noted, "It's much better to deal with a bad patch than to pick up the pieces after a breach.”
EDR Struggles to Balance Productivity and Protection
Finding the right mix between security and productivity is a constant struggle for security professionals in every sector. And using endpoint detection and response (EDR) solutions to protect healthcare endpoints means striking a particularly delicate balance.
Alert settings must be relaxed enough to let people do their jobs effectively, but tight enough to spot unusual behavior. Healthcare has no tolerance for downtime, and there’s no set formula to get this right. However, as Morphisec’s guests explained, there are positive steps security teams can take. One factor for achieving a good balance comes from understanding and engaging endpoint users.
Some alert situations like those created by multi-factor authentication (MFA) misuse can be particularly challenging to get right. If reluctant healthcare staff get locked out of their accounts, it can create major problems for IT teams and patients alike. Our panelists reported that it's important to bring MFA requirements in gradually to increase MFA adoption and make alerts more straightforward to calibrate. Start with new network users and slowly make MFA a requirement for accessing more services.
Morphisec panelist Justin Bancroft, System Security Administrator for Shannon Medical Center, said education was another crucial ingredient for a great security/productivity balance with EDR. He found users are often disconnected from their networks. And because they rarely understand the consequences of particular changes to their network, like an application firewall going down, it's critical to tell them ahead of time what's happening with any security or parameter change. He remarked, "We probably spend half our time educating people or learning how things work."
Another crucial component of EDR in healthcare is deploying solutions that don't strain resources. Many healthcare IT processes happen on lightweight endpoints with applications running in virtual desktop infrastructure (VDI) environments. This means there’s no room for solutions that degrade performance. After recalling a situation when his organization’s VDI was brought down by a log storm coinciding with an antivirus update, panelist Billy Sainz, IT Manager at Citizens Medical Center, stated "if a product isn't lightweight and doesn't do its job, we are going to look for something else."
Cybersecurity in Healthcare 2022 is Only Getting Harder
Healthcare cyber leaders know cybersecurity is critical for a functioning healthcare environment. Their jobs have never been more essential for patient care and their organization's success as their challenges keep increasing.
New technology promises to alleviate some of today’s challenges. Chief amongst them is preventing the advanced attacks that are so costly in patient health, patient trust, remediation expenses, and lawsuits. Moving Target Defense (MTD) technology uniquely stops advanced attacks such as zero days, ransomware, supply chain attacks, and others that target memory at runtime, rather than the operating system or disc. MTD uses an ultra-lightweight agent that has negligible effects on system performance, requires no maintenance, no additional headcount, and crucially for healthcare providers, requires no downtime to install or maintain. To learn more, read the free white paper—The Ultimate Ransomware Strategy: Zero Trust + Moving Target Defense.