WASHINGTON, DC – At this Thursday's HIMSS Healthcare Cybersecurity Forum, held on Halloween, attendees heard a frightening list of recent healthcare IT news headlines, all from October of this year.
The Health Sector Cybersecurity Coordination Center issued a warning this week about Scattered Spider (an aptly creepy and spooky name). The cybercrime group leverages ransomware variants and AI to target healthcare with advanced social engineering exploits such as voice spoofing and deepfakes. A report released earlier this month by the Ponemon Institute showed that while cybersecurity budgets are finally increasing, they still haven't kept pace with the disruptions caused by attacks: 69% of health systems suffered a cyberattack that they said had a negative impact on patient care. A separate October report from the National Association of State Chief Information Officers found that 41% of respondents were unsure whether their teams could handle all the cybersecurity threats they faced, especially those leveraging AI, which they said concerned them most. A survey from the same week showed that 44% of healthcare organizations still do not use basic multi-factor authentication for remote access, and the same percentage still lack an incident response plan. After a series of ransomware attacks exposed a lack of basic cyber hygiene controls, a group of Southern California providers this month agreed to pay $240,000 in civil fines to settle with the HHS Office for Civil Rights over possible violations of the HIPAA Security Rule. In announcing the settlement, OCR noted that large-scale ransomware-based breaches have increased by 264% since 2018.
Greg Garcia, executive director of the Health Sector Coordinating Council's Cybersecurity Working Group, said in the forum's opening keynote address that these challenges are not the sole responsibility of IT and information security professionals.
The scope of the modern cyber threat environment “is an issue for all of us,” Garcia said. In today's healthcare delivery system, a “digital, interconnected ecosystem” where “every point is transactional,” “it's not just cybersecurity personnel that's at risk. It's everyone,” he said.
As if we needed a reminder of the magnitude of the problem, it was mentioned many times on Thursday that the February 2024 Change Healthcare ransomware attack, which affected the protected health information of approximately 100 million Americans, is now officially the largest healthcare breach in history.
Across the healthcare ecosystem – operational, financial, reputational, legal, regulatory, clinical, etc. – hospitals and health systems must “mobilize themselves” against cyber adversaries that are becoming more insidious and creative, and that are powered by artificial intelligence. Social engineering exploits are becoming increasingly sophisticated, and attackers are becoming bolder and more relentless.
Garcia said the HSCC, along with 17 other sector coordinating councils that work with the federal government, is helping healthcare providers become stronger and better prepared “against a flexible and resilient enemy.”
He noted that such preparedness may soon cease to be voluntary. He cited proposed rulemaking from HHS that could soon be released to require HIPAA-covered providers, as well as third parties and business associates, to implement basic cybersecurity protections, and suggested the healthcare industry is paying close attention to that notice.
More philosophically, Garcia is interested in helping health systems understand risk and think more creatively about security by design, by default, and in implementation, and about the value of tight collaboration and defense in depth.
“How do we act like a beehive or an ant colony?” he said. “Do you know how they act when an intruder is among them? Communication is telepathic.”
As healthcare organizations work to harden their defenses and map their complex networks of critical data infrastructure, he said, it's important to understand that “none of us are as smart as all of us put together.”
Garcia was followed on stage in Washington, D.C. by Intermountain Chief Information Security Officer Eric Decker, a workgroup colleague and HSCC chair.
Decker provided additional perspective on the scope and risks of this challenge and offered some prescriptions for how healthcare organizations can enhance communication and collaboration to protect themselves from a relentless enemy.
Information security used to be about protecting the privacy and confidentiality of patient data. That still remains the case, of course, but today protecting financial assets and, above all, protecting patient safety are even more urgent.
Additionally, he said, “This is a resiliency issue and we need to make sure we cover the bases around our digital stack and protect it from disruption.”
Of course, this is easier said than done, and health systems need to be “very meaningful about how they cover these bases.”
In a world where bad actors have a variety of vulnerable points of entry, including social engineering, third-party compromise, and system misconfigurations, it's easier than ever for cybercriminals to infiltrate a network and take control.
A lot is said about how smart the bad guys are, but often they're just taking advantage of the opportunities they're given. “Reconnaissance is sophisticated, attack is stupid,” Decker said.
For example, in the massive Change Healthcare breach, which affected 100 million patients and had debilitating ripple effects that lasted for months, the absence of multi-factor authentication on legacy servers was all it took to break in.
Healthcare organizations must take an enterprise-wide approach to fend off eager cyber adversaries looking to find every weak link.
Quoting former National Cyber Director Chris Inglis, Decker said, “We have to create a system that says, 'To beat one, you have to beat all.'”
Like our body's immune response, “the whole system has to work,” he said.
Mike Miliard is the Editor-in-Chief of Healthcare IT News
Email the author: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.