Cyberterrorism and the rapidly evolving threat landscape

The threats facing the healthcare industry have shifted dramatically in the 20 years since the attacks of Sept. 11, 2001. While bioterrorism remains a significant risk, cybersecurity has emerged as a preeminent concern as cyberterrorists and the proliferation of internet-connected devices continue to outpace the industry’s ability to protect itself.

It’s been four years since the Healthcare Industry Cybersecurity Task Force issued the last major report to Congress detailing vulnerabilities facing the industry and recommendations for combating them. Most of the ideas would sound familiar to anyone who’s been following the issue closely, as it appears little has changed in the intervening years.

“Based on my conversations with hundreds of hospital and health system leaders and board directors across the nation, all those leaders consistently view cybersecurity as a major enterprise risk issue and generally rank cyber risk within the top 3 enterprise risk issues, often many will cite it as their #1 risk concern,” John Riggi, senior adviser for cybersecurity and risk for the American Hospital Association, said in an email.

But many organizations don’t have enough money to upgrade their cybersecurity infrastructure—or aren’t allocating sizable portions of their budgets to those defenses. Nearly half of healthcare cybersecurity professionals said cybersecurity made up no more than 6% of a healthcare organization’s IT budget, according to a 2020 survey by the Healthcare Information and Management Systems Society. That figure is essentially unchanged from 2018, and some organizations have cut their cybersecurity funding in response to falling revenue during the pandemic. More than 60% of organizations don’t have an effective system in place to detect patient safety issues related to security incidents, according to HIMSS.

Still, data on cybersecurity spending needs to be taken with a grain of salt, Riggi said.
“There is not a specific formulaic approach to cyber expense characterization. For example, one organization may characterize firewall expenses as part of the cyber budget and another may characterize such an expense as part of the IT infrastructure budget,” he said.

Setting priorities

Congress established the task force under the Cybersecurity Act of 2015, directing HHS to convene a team of federal officials and private sector leaders to meet the growing challenge of cyberattacks targeting a fragmented and vulnerable healthcare system.

“The healthcare industry in the United States is a mosaic, including very large health systems, single physician practices, public and private payers, research institutions, medical device developers and software companies, and a diverse and widespread patient population. Layered on top of this is a matrix of well-intentioned federal and state laws and regulations that can impede addressing issues across jurisdictions,” the report said.

An overreliance on outdated legacy software and equipment and the rapid adoption of connected but susceptible devices and systems meant that healthcare cybersecurity was in a dismal state in 2017, the task force said at the time. Moreover, a dearth of cybersecurity professionals and resources had left health systems and insurers largely defenseless against the scourge of cybersecurity threats.

“These organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information and the capability to act on that information,” the report said.

The 21-person team put forth six priorities for addressing cybersecurity across the public and private sectors, including better information-sharing about threats. The task force also called for a new healthcare-specific cybersecurity framework, which hasn’t materialized yet.
“HIMSS has been very vocal about the need to leverage the (National Institute of Standards and Technology’s) framework and we’ve called on NIST to work with the health sector to develop a health sector specific ‘subsection’ of the NIST Cyber Security Framework,” Tom Leary, senior vice president of government relations for HIMSS, said in an email. But since that has yet to happen, he said HIMSS has been working closely with NIST on education and outreach to the industry about the broader framework and how it could be applied to healthcare settings. Theresa Meadows, chief information officer for Cook Children’s Health Care System, agreed, noting that the healthcare industry has been working closely with NIST to make sure its standards account for the needs of providers and insurers. “There has been a lot of great work done there,” said Meadows, who co-chaired the HHS task force.

RANSOMWARE ATTACKS

34% of healthcare organizations were hit by ransomware attacks in the last year
65% of those hit saw criminals succeed in encrypting their data
44% of those hit used backups to restore data
34% of those hit paid a ransom to get their data back
93% of those who paid a ransom got their data back

Source: Sophos survey of Healthcare and Public Health organizations worldwide, January-February 2021.

As a stopgap solution, cybersecurity assessment companies layer the requirements of the Health Insurance Portability and Accountability Act’s Security Rule on top of a range of general frameworks like the one from NIST, said Dan Dodson, CEO of Fortified Health Security. “That’s what they’re assessing these organizations against,” he said. The task force also wanted changes to physician self-referral and anti-kickback rules to make it easier for large healthcare organizations to help smaller practices with their cybersecurity. The Trump administration signed off on changes allowing the latter in November, but it’s unclear whether providers are taking advantage of it, experts said.

Better coordination

Despite some of the gaps that still exist, experts say the industry is making progress toward defending against cyberattacks.

“The healthcare community is far and away more coordinated in our approach to cybersecurity information sharing,” Leary said. “What used to be one-off conversations with the FBI after an incident has occurred has evolved into an industry-wide approach to preparedness and response.”

There have also been technology improvements that have helped the industry bolster its defenses against cyberthreats.

“There has been significant technological advancement relative to cybersecurity around the protection of medical devices and IoT and IoMT,” Dodson said. “There’s lots of companies that are doing this using machine learning and behavioral analytics to identify and monitor the cyber elements around medical devices.”

But it hasn’t been enough to address all of the problems. Providers, insurers and their business associates are on pace for a record number of data breaches this year, having already reported 430 to the federal government through the end of July. Healthcare had more data compromised in the first half of the year than any other industry, according to a report from the not-for-profit Identity Theft Resource Center.

The American Hospital Association in May called on the federal government to play a bigger role in responding to ransomware attacks against the healthcare industry, urging a “coordinated campaign” against ransomware gangs. Hospitals also think the Food and Drug Administration needs to do more.

“The AHA recognizes that the FDA has been very active in working with medical device manufacturers in promoting cybersecurity in their products from the design phase to lifetime support and promulgating related guidance. However, the latest cybersecurity guidance, still in draft form, remains just that—it is voluntary guidance and not mandatory. Since medical device manufacturers do not universally adhere to the FDA cybersecurity guidance, we would like to see that guidance finalized and made mandatory,” Riggi said.

The Biden administration and Congress in recent months have also focused their attention on ransomware following a spate of new attacks. But there’s more the healthcare industry can do to protect itself from cybersecurity threats, even in the absence of federal action.

While the federal government encourages hospitals and insurers to adopt the NIST framework, many organizations don’t. Health plans and providers must follow HIPAA’s requirements, but adopting more robust security standards is voluntary. About 3 in 4 healthcare organizations were following the security rule in 2019, while just 44% adhered to the cybersecurity framework, according to a 2020 report from security firm CynergisTek.

“The most disturbing finding we found looking across all the data was the downward trend over three years in overall conformance,” the report said.

Still, there’s no movement afoot to mandate that healthcare organizations adopt more robust standards, despite growing cybersecurity threats. But health plans and providers could avoid substantial fines and other penalties if they improve their cybersecurity stance under a recent amendment to the Health Information Technology for Economic and Clinical Health—HITECH—Act.

“If you are not improving, you are falling behind managing your risks—the bad guys keep getting better, the technology more complex, and more of it is being deployed,” the CynergisTek report said.

But it could be hard for providers and insurers to stem the tide without the expertise they need.

“Just like every industry, we struggle finding, educating and keeping security talent. We partner with our vendors to help fill those gaps and they often become an extension of our cybersecurity department,” Greg Journey, director of information security at MetroHealth, said in an email.
