Sayanta is Assistant Vice President of Claims at Marsh & McLennan Companies in the United Arab Emirates (UAE). As part of the Certified Cyber Insurance Specialist (CCIS) course, he completed a complex assignment on cyber risk in the healthcare industry.
Digital technologies make it easier and more efficient to deliver patient care and provide better outcomes. However, the rise of digital technologies and the growing interconnectedness between various legacy healthcare systems come with increasing healthcare cybersecurity threats.
The attack surface of healthcare organizations today spans beyond handling phishing or ransomware threats within their organization. Cyberattacks come in many forms, from ransomware to theft of personal information, with varying degrees of impact depending on the size of the facility. Cyber security risks in healthcare involve greater scope, including personnel, the protection of digital assets and patient privacy, and vulnerabilities in legacy systems or other technologies in use.
What are the key cyber concerns facing the healthcare industry?
Maintaining the security of Protected Health Information (PHI) is critical because it is personal, sensitive data that is protected by federal law, and its unauthorized access or disclosure can have significant negative consequences for individuals, including potential harm to their physical and mental health, financial well-being, and overall privacy. For malicious cyber actors, this data therefore presents a treasure trove of opportunities: they can leverage its sensitivity to squeeze, for example, higher ransom payments out of affected organizations.
Curbing internal threats is a key concern for many businesses. According to the Ponemon Institute’s 2020 Cost of Insider Threats, global organizations reported that the annual cost of insider threats is $11.45 million.
An insider threat in the Healthcare and Public Health (HPH) Sector arises when a person or a contractor within a healthcare organization has access to assets or inside information concerning the organization’s security practices, data, and computer systems.
For example, an internal threat actor may be a “malicious insider” – an employee or contractor who uses their access to an organization’s systems and data to intentionally cause harm or steal sensitive information. They may steal trade secrets, sabotage systems, or defraud the organization. Alternatively, an internal threat actor could be an “inside agent”. These are not employees of the organization, but they have been granted authorized access to the organization’s systems and data. They may be consultants, vendors, or business partners who have legitimate access to the organization’s systems and data, but who use that access for nefarious purposes.
Managing And Mitigating Internal Threats
Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention.
- Revise cybersecurity policies and invest in employee security awareness training. This will help prevent employee negligence and carelessness and encourage better employee cyber hygiene. A recent report by HIPAA Journal found that 27% of employees saw security policies less than once a year and 39% received security awareness training less than once a year.
- Limit privileged access and establish role-based access control. This will give insureds better insights into who has access to sensitive data and systems, reducing the risk of mismanaged access and accidental or intentional data breaches.
- Back up data and deploy data loss prevention tools. This will provide better protection against data loss due to hardware failures, accidental deletion, or other unexpected internal events.
- Implement zero-trust and MFA models, and manage endpoint devices across the corporate network. This will minimize risks associated with Shadow IT (the use of IT systems, services, or software within an organization without the knowledge or approval of the organization’s IT department) and Bring Your Own Device (‘BYOD’) models. BYOD can be a subset of shadow IT risk because employees may use their personal devices to access or store company data, or use unauthorized applications or services, which can bypass the organization’s established security controls and governance processes. For example, an employee may use a company laptop to access their personal email account. The company’s phishing detection software may not alert the employee to suspicious emails, and malicious files may accidentally be downloaded onto the device and spread to other parts of the organization’s network. This is an example of an internal threat stemming from shadow IT. Insureds who ensure their connected devices meet security standards and are updated with security patches will reduce the risk of internal security vulnerabilities.
Insider threats can also take the form of third parties, who play a vital role in healthcare supply chains and are often granted access to healthcare organization systems. In fact, 94% of organizations give third parties access to their systems, and in 72% of case studies third-party vendors were provided with elevated permissions on those systems.
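The role-based access control recommended above, and the review of which third parties hold elevated permissions, can be made concrete in code. The following is an added illustration, not part of the original article and not a product of any named organization: a deny-by-default RBAC check in which every allow or deny decision is written to an audit log, plus a privileged-access review that lists principals holding elevated permissions and flags those belonging to vendors. The role names, permission strings and the sample directory of principals are constructed for the example.

```python
"""Deny-by-default RBAC check for PHI with an audit log and a privileged-access
review. Added illustration; all roles, permissions and principals below are
constructed sample data, not taken from any real organization."""
from dataclasses import dataclass, field

# Role -> permissions. Every grant is explicit; a principal holding no matching
# role gets nothing (deny by default), which is the least-privilege baseline.
ROLE_PERMISSIONS = {
    "nurse": {"phi:read"},
    "physician": {"phi:read", "phi:write"},
    "billing_clerk": {"billing:read"},
    "sysadmin": {"phi:read", "phi:write", "billing:read", "system:admin"},
}

# Permissions treated as elevated for the purposes of an access review.
PRIVILEGED_PERMISSIONS = {"phi:write", "system:admin"}


@dataclass
class Principal:
    name: str
    roles: frozenset
    third_party: bool = False  # vendor or contractor rather than employee


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, principal, permission, allowed):
        # One entry per decision, allow or deny, so reviewers see attempts too.
        self.events.append({"who": principal.name, "what": permission, "allowed": allowed})


def permissions_for(principal):
    """Union of the permissions granted by the principal's known roles.
    Unknown roles contribute nothing rather than raising, so a mistyped role
    assignment fails closed instead of open."""
    granted = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(principal, permission, audit):
    """True only if the permission is explicitly granted; the decision is
    logged either way."""
    allowed = permission in permissions_for(principal)
    audit.record(principal, permission, allowed)
    return allowed


def review_privileged_access(principals):
    """List principals holding any privileged permission, marking third parties.
    This is the 'who has access to sensitive data' view an access review starts from."""
    findings = []
    for p in principals:
        elevated = permissions_for(p) & PRIVILEGED_PERMISSIONS
        if elevated:
            findings.append({"who": p.name, "third_party": p.third_party,
                             "elevated": sorted(elevated)})
    return findings


# Constructed sample directory: two employees and two vendor accounts, one of
# which has been handed a full sysadmin role.
SAMPLE_PRINCIPALS = [
    Principal("nurse.a", frozenset({"nurse"})),
    Principal("dr.b", frozenset({"physician"})),
    Principal("vendor.imaging", frozenset({"sysadmin"}), third_party=True),
    Principal("vendor.billing", frozenset({"billing_clerk"}), third_party=True),
]


def demo():
    """Run a few access decisions and the review over the sample directory."""
    audit = AuditLog()
    results = {
        "nurse_reads_phi": authorize(SAMPLE_PRINCIPALS[0], "phi:read", audit),
        "nurse_writes_phi": authorize(SAMPLE_PRINCIPALS[0], "phi:write", audit),
        "vendor_billing_reads_phi": authorize(SAMPLE_PRINCIPALS[3], "phi:read", audit),
    }
    third_party_elevated = [f["who"] for f in review_privileged_access(SAMPLE_PRINCIPALS)
                            if f["third_party"]]
    return results, third_party_elevated, len(audit.events)


if __name__ == "__main__":
    results, flagged, n_events = demo()
    print(results)
    print("third parties with elevated permissions:", flagged)
    print("audit events recorded:", n_events)
```

Running the script shows the nurse account reading but not writing PHI, the billing vendor denied PHI altogether, and the imaging vendor surfacing in the review as a third party with `phi:write` and `system:admin`, which is exactly the kind of elevated vendor permission an insured should be asked to justify or remove.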
In the healthcare industry, attackers often leverage third-party vulnerabilities to gain access to sensitive information, while defenders try to keep these bad actors out. One such attempt by defenders is the Health Insurance Portability and Accountability Act (HIPAA), a law formulated to help protect patient data and secure healthcare organizations.
A 2020 survey found that 54% of healthcare vendors experienced a data breach of PHI, but only 36% of them notified providers because they were afraid to lose their business. This lack of accountability and transparency should worry healthcare providers and those whose PHI they collect or manage. Despite HIPAA regulations, cybersecurity attacks and data breaches targeting healthcare remain a serious and increasing threat. With a robust third-party risk management system, healthcare organizations can detect, identify, and remediate cybersecurity threats within their vendor ecosystem, protect valuable patient information, and even optimize their vendor relationships. This system should include due diligence and risk assessments on all vendors.
Effective Vendor Management
- Due Diligence: allows healthcare organizations to gauge the security risk posed by each vendor to the organization’s cybersecurity and data security. Due diligence is usually done through vendor questionnaires that assess and compare a vendor’s security setup to industry standards.
- Risk Assessment: evaluate the relationship and the risks arising from the services the vendor provides, and devise plans to address those risks. Both short-term and long-term measures must be implemented to eliminate immediate threats.
Digital Environment and New Emerging Technologies in Healthcare Industry
Over the last decade, technology has been driving the healthcare industry through various innovations in how we find, prevent, and cure diseases. This would not have happened without the massive growth of AI-driven technologies and the digitization of healthcare workflows, as a response to harsher global conditions as well as the rising demand for accessible, quality medical services. Other key technologies impacting the healthcare industry include the evolution of remote care and telemedicine and the use of extended reality in healthcare settings.
As we press on into the future, it is critical to remain mindful of the trends driving healthcare technology in 2023. Although legacy software and infrastructure are critical to the success of modern hospitals and care centers, it is important that we consider how those systems can integrate with newer technologies or how they may eventually be replaced with more reliable systems. The focus should be on improving performance, productivity, efficiency, and security without sacrificing reliability or accessibility.
While these technologies, especially remote care, allow medical practice from anywhere, at any time, and from any device, they are simultaneously driving up cyber risk.
Case Study: Cyber Risk in the Healthcare industry
The data of 2 million patients was exposed in a cyberattack on Shields, a healthcare service provider, that impacted almost 60 affiliated healthcare facilities, including some well-known hospitals, medical centers, and clinics. An unknown actor gained access to Shields’ systems between March 7 and 21, 2022. On March 28, Shields was alerted to suspicious activity and found that certain data had been acquired by the unknown actor within that time frame. Although no evidence of identity theft or fraud has been uncovered so far, the information impacted was private and personal, including full names and addresses, Social Security numbers, medical diagnoses, and billing information.
Insurance professionals need to be aware of cyber risk in the healthcare industry in order to effectively advise their insureds on how to protect themselves and their patients from these threats. Cyber attacks can have serious consequences for healthcare organizations, including the loss or theft of sensitive patient data, financial losses, and damage to reputation. By understanding the unique vulnerabilities and risks faced by the healthcare industry, insurance professionals can help their clients develop effective risk management strategies and ensure that they have the appropriate insurance coverage in place to protect against cyber incidents.
Want to read more about our CII-accredited Certified Cyber Insurance Specialist (CCIS) Course? Click here.