The Growing Importance of Cybersecurity in Healthcare: Challenges and Frameworks
The healthcare industry is a prime target for cybercriminals because of the vast amount of valuable and sensitive information it stores, including Social Security numbers, financial information, and medical research. According to IBM Security's "Cost of a Data Breach Report 2022," healthcare breaches hit a record high last year, with the average breach costing $10.1 million, an increase of nearly $1 million from the previous year. Healthcare has been the most expensive industry for breaches for 12 consecutive years, with costs rising by 41.6% since 2020. Financial organizations had the second-highest costs, followed by pharmaceuticals, technology, and energy.
Why Healthcare Is the Favorite Target for Cybercriminals
Cybercriminals heavily target the healthcare industry because of its abundance of valuable information, including patients' protected health information, financial data, personally identifying information, and medical research. In particular, stolen health records can fetch a much higher price than stolen credit card information on the dark web. To make matters worse, the cost of remediating a breach in the healthcare industry is nearly three times higher than in other industries.
The Impacts of Cyberattacks on Healthcare Organizations and Patients
Healthcare organizations face a significant risk of cyberattacks on their electronic health record and other systems, which can compromise patient privacy and lead to penalties under HIPAA’s Privacy and Security Rules. Such breaches can also damage the reputation of the organization in the community.
Furthermore, patient safety and care are at risk when medical records or lifesaving devices become unavailable because of ransomware or another attack. This can hinder the organization's ability to provide effective care to patients. In addition, attackers who gain access to patient data may alter it, intentionally or unintentionally, leading to potentially serious health outcomes.
The scale of such attacks is illustrated by Fortified Health Security's mid-year report, which stated that the healthcare sector suffered nearly 337 breaches in the first half of 2022 alone. Novant Health reported that a misconfiguration in Meta pixel code potentially led to the unauthorized disclosure of protected health information (PHI) of 1,362,296 individuals.
However, it is possible to reduce the risk of such attacks with appropriate planning and investment.
Common cybersecurity challenges in the healthcare industry
Legacy Systems Remain a Challenge - Many healthcare organizations continue to use outdated legacy systems that do not meet current security standards. These systems pose a significant risk to cybersecurity and data privacy, leaving healthcare providers vulnerable to cyberattacks and data breaches. Despite this, healthcare organizations must find ways to improve security measures even with legacy systems in place.
Balancing Privacy and Data Protection - Maintaining a balance between transparency, privacy, and security is a significant challenge in healthcare. Patients often value the benefits of sharing personal information, such as participating in clinical trials, but this places a burden on healthcare providers. With an increasing volume of data and a need to protect it from unauthorized access, healthcare organizations must implement robust data protection measures to maintain privacy and security.
Managing Complexity and Meeting Different Needs - Patients and healthcare providers have different priorities, creating a complex landscape for implementing new solutions and processes. Healthcare organizations must provide comprehensive training and document knowledge to address the learning curve associated with new solutions and strategies. Doing so can help manage complexity and ensure everyone understands their role in assuring cybersecurity.
Wearable Devices - Wearable devices are becoming increasingly popular, and healthcare organizations are collecting more medical data from them. These devices often contain and store vast amounts of sensitive data, so healthcare providers must consider whether the devices are designed and manufactured with security in mind. It is also essential to be aware of the digital traces these devices leave behind, as sophisticated algorithms can cross-reference wearable-generated biometric data with other digital traces.
Compliance and Cybersecurity - The healthcare industry is particularly vulnerable to cybersecurity risks due to the high volume of sensitive personal data. Security regulations are more stringent in healthcare to protect patient data. Healthcare organizations must remain compliant with these regulations, keep up with cybersecurity best practices, and adapt their processes to ensure they are adequately protected against cyberattacks and data breaches.
3 Key Cybersecurity Frameworks for Healthcare Organizations
While HIPAA is a necessary framework for healthcare organizations, it is not the only important one. Other frameworks can have a significant impact, and it is important to consider them.
Framework 1: National Institute of Standards and Technology (NIST) Frameworks
While HIPAA is a regulatory requirement that healthcare organizations must comply with, NIST provides additional information security frameworks that offer a common language and systematic approach for understanding, managing, and communicating cybersecurity risks. These frameworks are designed to be flexible and adaptable to ever-changing needs. One example is NIST SP 800-66, which provides updated guidance for meeting the HIPAA Security Rule specifically for healthcare. As of 2022, NIST has updated its cybersecurity guidance to help healthcare organizations better protect patients' health information.
Framework 2: International Organization for Standardization (ISO) 27001
ISO standards provide guidelines and requirements that organizations can use to ensure quality and consistency. By implementing ISO standards, healthcare organizations can make a proactive commitment to the principles of quality, transparency, accountability, and safety. ISO 27001 allows organizations to establish an Information Security Management System (ISMS), which can be a valuable tool for building a security program from the ground up.
Framework 3: CIS Critical Security Controls
The CIS Critical Security Controls provide a prioritized approach to securing networks and systems based on the most common attack patterns. The framework provides a layered defense against cyber threats through an actionable approach. According to the U.S. Department of Health and Human Services, executing the initial 43 sub-controls can defend against the five major types of cyberattack and provide a quick win for healthcare organizations.