In the last decade, the healthcare industry has become one of the most targeted industries for cybercriminal activities. Cybercriminals have taken advantage of the information security talent gap, unpatched systems, poor security awareness culture, and sheer negligence to deploy ransomware attacks against important healthcare business systems. These cyberattacks have negatively affected over 100 million Americans, and its effects continue to cost enormous financial and reputational damages for healthcare organizations.

Due to its close proximity to very sensitive personal information, the healthcare industry has had to grapple with some of the most sophisticated cybercriminal activities in the U.S. marketplace. These cybercriminal activities have taken advantage of the rapid evolution of technological capabilities within the healthcare industry, including Artificial Intelligence and Cloud Computing. Unfortunately, these technological advancements have left healthcare professionals behind, as improper usage have widened attack surfaces across many healthcare organizations.

There is a myth that technical advancement guarantees the protection of  information assets. Contrary to such misconception, information security is a continuous and collaborative process which requires the effort of both external and internal parties. According to Statista, between 2009 and 2019, over 150 million U.S. residents were affected by healthcare related cyberattacks. Meanwhile, an IBM study portrayed that the cost of data breaches within the healthcare industry increased by 65% in 2019 alone – higher than the average cost of breaches in other industries.

It is evident that Protected Health Information (PHI) is a highly critical asset, which must be protected at all cost. Therefore, to achieve such goals, stakeholders must be familiar with information security practices for healthcare organizations.

1.   Development, Implementation, and Enforcement of Information Security Policies

Organizational Information Security Policies are detective, preventive, and corrective security controls. They are good deterrent measures against improper or negligent behavior within an organization. Maintaining the compliance status highlighted throughout an Information Security Policy ensures that a uniform set of rules are enforced on a firm-wide basis. Some examples of essential Information Security Policies include:

• BYOD (Bring-Your-Own-Device) policy
• Data storage policy
• Access control policy
• Patch management policy
• Password management policy

2.   Continuous Employee Awareness Training’s

As technology advances, humans continue to be the weakest link and are prone to error and negligence, which are capable of compromising the confidentiality, integrity, availability, and privacy of critical organizational assets.  aspect of information assets. Therefore, it is critical that every member of an organization understands how to detect, analyze, and mitigate malicious activities.

It is predominantly assumed that security awareness is a topic limited to employee onboarding sessions. However, information security is a shared responsibility, which should not be relegated to IT teams or leadership teams. A one-time security awareness program is insufficient to impose the importance of information security and to understand reputational damages and financial losses created by data breaches. Therefore, a continuous education for healthcare providers is imperative to fostering a healthy information security posture on an organizational level.

Some important areas to consider while creating a security awareness training in the healthcare industry include:

• Specify roles and responsibilities of employees, as it relates to data privacy and security procedures.
• Designate mandatory security awareness training with tabletop exercises.
• Identify the type of information within the organization and its location within the network.
• Update security awareness training materials annuals, to account for the changes in attacker tactics, techniques, and procedures.

3.   Risk Evaluation, Assessment, and System Auditing

The integration of IoT devices and interoperability with cloud providers have been trending within the healthcare space in the past five years; high tech integrations have added extra complexities to healthcare information systems. Due to emerging threat landscapes within such a complex computing environment, the identification of potential security risks are vital. Therefore, conducting risk assessments and system audits helps to uncover vulnerabilities at an early stage, thus reducing risk of exploitation.

Goldsky Security is equipped with a team of competent cybersecurity professionals, who are experts in healthcare-related risk assessment and system auditing procedures for industry regulations, including HIPAA, HITRUST, and NIST SP-800. Such detailed expertise is readily available to help healthcare organizations remain HIPAA compliant, despite the ever-changing threat landscape.

4.   Data Protection, Classification and Access Control Mechanisms

Asset classification is used to reflect the severity and prioritization level of an information, thus determining the appropriate access controls required to meet desired protection. Most industry-leading organizations are following asset management principles by classifying information assets with different labeling, such as restricted, confidential, secret, etc. However, in the healthcare industry this is a dynamic task due to the rapid changes in the medical needs of a patient.

Nonetheless, understanding what type of information assets and the systems that are present in an organization is vital to determining the proper access control mechanisms to introduce. A properly functioning access control will detect and prevent unauthorized access, which can be implemented on host-based systems (desktops, servers, or printers) and/or on network-based systems (routers, proxies, or servers).

Some access control principles that healthcare organizations can use to achieve a comprehensive information security framework include:

• System and network segmentation (VLAN, firewalls, proxies, etc.)
• Defense-in-depth and diversity-of-defense
• Least privilege
• Separation of duties

5.   Maintenance of Security Baseline and Standard Best Practices

A security baseline is used to form a standardized level of information security. This is the starting by which security best practices are developed and implemented on an organizational level. Thus, embedding a security baseline and standard best practices into a healthcare organization helps in the reinforcement of due diligence and due care as it relates to proper handling of sensitive data. All in all, establishing a security baseline helps to inform the development processes for information security policies and security awareness training programs. Although technology has its limitations, fostering a culture around security best practices acts as a first layer of defense against malicious activities, including cyberattacks. 

Final Thoughts

Technological advancements in the healthcare industry have presented us with incredible capabilities, which were able 20 years ago. However, such innovations have also introduced attack surfaces that continue to cause hefty risks for patients and healthcare providers alike. Therefore, healthcare organizations must endeavor to minimize avenues whereby attackers could take advantage of loopholes.

Unfortunately, throwing money at an information security challenge does not resolve it.  Information security practice is not a role, but a responsibility and a collaborative process required by all parties within a healthcare organization. All in all, future security incidents can be minimized by introducing organizational information security policies, procedures and continuous security awareness programs to help cultivate a digital security literacy culture among all employees.