Article

Cyberattacks Are Inevitable: 7 Hospital Practices to Get Ready

Ken Bradberry
CISSP, Chief Architect, QHR Health

Imagine getting a ransom note like this one for your hospital’s data. Perhaps you already have, and if you haven’t, you will. It’s inevitable. Your independent hospital will be attacked.

Seventy percent of hospitals admitted their organization had experienced a “significant security incident” within the past 12 months, according to the 2020 HIMSS Cybersecurity Survey. By all accounts, that number has increased and will continue to do so. Since November 2020 alone, cyberattacks against healthcare organizations have increased 45 percent. An average of two healthcare data breaches have been reported every day since March 2021.

Cyberattacks Are Costly

Just ask the UVM Medical Center in Burlington, Vermont. Highlights from the October 2020 ransomware attack are:

  • Hackers put malware on “more than 5,000 hospital computers and laptops that encrypted files and data on 1,300 servers.”
  • About 300 employees were furloughed or reassigned when the computer and phone systems were down.
  • Two months after the attack, the health system had “restored about 80 percent of the UVM Medical Center’s applications that power about 98 percent of function,” which compares favorably to the industry. Healthcare organizations take an “average of 236 days to detect a data breach and 93 days to mitigate the damage.”
  • The cost was approximately $1.5 million per day in lost revenue and expenses. The health center’s COO estimated the attack could cost a total of $64 million.

Knowing cyberattacks are inevitable, savvy independent hospitals are preparing. The seven things they’re doing to mitigate the damage are:

1. Know your environment.

In addition to meeting existing legal and regulatory obligations, building a capable security organization requires that hospital IT leaders first have an in-depth understanding of their environment and attack surface, with an eye towards identifying potential vulnerabilities. This includes:

  • Security operational structure and practices
  • Infrastructure diagrams
  • Security/infrastructure solution inventory
  • Security response solution inventory
  • Solution configuration
  • Solution management protocol

2. Develop, test and periodically review your complete disaster recovery plan.

A complete disaster recovery plan ensures your hospital is prepared if an attack requires system restoration. Key components are:

  • Understanding the business impact of a disaster recovery event to align recovery time with the hospital’s needs.
  • Ensuring the infrastructure can support recovery by documenting each application’s criticality and recovery requirements.
  • Clearly defining recovery processes and procedures so critical applications can be returned to service in a stable and expedient manner.
  • Protecting critical data and making sure all of it can be recovered, with its integrity intact, after a disaster or cybersecurity event.
  • Creating a communications plan, with processes and procedures that ensure the proper declaration of a disaster and define how the IT team reports incidents and communicates with the business.

3. Adopt robust multi-factor authentication.

Multi-factor authentication (MFA) is “an authentication method that requires the user to provide two or more verification factors to gain access to a resource.” Chances are you already use MFA to bank online or even to access your cell phone. Given the cyber vulnerabilities of hospitals and the black market value of healthcare data, which is $10 to $1,000 per stolen medical record, MFA is a must for healthcare organizations.

4. Educate and train your staff.

The first line of defense against ransomware is caregiver training. Not only do education and training help prevent cyberattacks; cybersecurity insurers are also increasingly asking hospitals to detail their training programs as a condition of insurance.

Hospitals need a continuous program of education to ensure phishing attacks and other social engineering vulnerabilities are mitigated. Simulated phishing attempts should be sent to users with the purpose of testing and enhancing their knowledge and encouraging reporting of such activities.

5. Backups need to have location gap and air gap protection.

Increasingly, the most prepared hospitals are using cloud-based services to replicate their backups, which provides location gap and air gap protection – that is, an electronically disconnected or offline copy of your data that cannot be accessed from the production network – so that backups remain free from malware.

6. Test your security operations.

On average, it takes healthcare organizations 236 days to detect a cyberattack.

Active testing of your security operations not only identifies potential inefficiencies between solutions and operations, but also improves your security organization’s awareness, responsiveness, capability and familiarity ahead of a real attack. Security operations testing can include:

7. Evolve to zero trust.

The traditional defense-in-depth security model relies on protecting a hospital or health system’s perimeter. Firewalls and virtual private networks (VPNs) lack the visibility and integration to support the end-to-end coverage and proactive response capabilities that protect against threats to protected health information (PHI) and access to vital healthcare applications and services.

That’s why the savviest healthcare organizations are moving to a Zero Trust model that verifies every request for access as if the network were uncontrolled. The guiding principles of Zero Trust are to first verify explicitly, always authenticating based on user identity, location, device health and data classification. Next, always grant least-privilege access, and assume there is a breach until it can be proven otherwise.

QHR Health can help your hospital assess its cybersecurity readiness and identify and mitigate potential vulnerabilities. To learn more, visit: https://qhr.com/solutions/hospital-technology-consulting/.