The healthcare industry relies on connected devices to deliver patient care and to run hospital operations. These devices, from infusion pumps and MRI scanners to video cameras and HVAC systems, need to be protected from cyberattacks such as ransomware. Many of them also store or transmit protected health information (PHI), which must be secured in its own right.
To ensure patient safety and protect all of these devices from abuse and attack, healthcare organizations need a whole-hospital cybersecurity strategy: one that covers every connected medical device and every device holding data that qualifies as protected health information (PHI) or personally identifiable information (PII).
As this article explains, the proliferation of connected devices makes it challenging to develop a healthcare cybersecurity strategy that addresses all security requirements related to PHI and protects devices against attacks that could endanger patients. With the right tools and methodologies, however, organizations can meet, and preferably surpass, the minimum data security and privacy mandates that apply to PHI and PII in healthcare.
What is healthcare cybersecurity?
Healthcare cybersecurity measures are the tools and strategies that healthcare organizations use to ensure patient safety and maintain the privacy of sensitive healthcare data. They ensure that sensitive healthcare data stays restricted to authorized parties, such as a patient's own care team.
Healthcare cybersecurity protects healthcare organizations from external threats, such as ransomware operators or attackers seeking to steal personal information to sell on the dark web. It also safeguards information against internal threats: malicious insiders such as disgruntled employees, and users who inadvertently place sensitive information at risk. For example, a hospital employee who falls for a phishing email can hand attackers access to patient records.
To deliver complete protection against data security risks, healthcare cybersecurity must enforce data protection requirements across every system a medical organization uses. In a hospital, for example, healthcare cybersecurity tools typically need to protect the following:
- Prescribing systems, which hospital doctors use to generate and manage prescriptions.
- Practice management support systems, which store patient healthcare information.
- Clinical decision support systems, where doctors manage information related to patient care.
- Radiology information systems, which store medical images and radiology data associated with individual patients.
- Internet of Medical Things devices, such as infusion pumps and remote patient monitoring devices, which collect healthcare data from individuals.
- Operational Technology (OT) devices, such as HVAC systems and elevator control infrastructure, which could disrupt hospital operations, delay medical procedures, or put patient safety at risk if compromised.
- Internet of Things devices such as smart speakers and smart screens, which may also collect data that can be associated with individual patients. Plus, attackers may use these devices as an initial threat vector, and use lateral movement to move deeper into a network.
All of these connected devices are either critical to patient safety or essential to hospital operations, may generate and store PHI or PII, and must be protected against cyber attacks and data exfiltration.
In addition to securing diverse types of systems, healthcare cybersecurity must address the needs of multiple stakeholders. Hospital staff must understand healthcare cybersecurity policies and resources so that they manage sensitive data responsibly, and must keep abreast of constantly evolving cyber threats. For example, Healthcare Technology Management (HTM) and biomedical teams can use the output of healthcare cybersecurity tools in their day-to-day work: locating medical devices, identifying those with vulnerabilities, and using utilization details to plan patching and maintenance windows when a device is not in clinical use.
Vendors who supply digital services and resources to healthcare organizations, too, have a role to play in healthcare cybersecurity. They are responsible for following robust cybersecurity practices to protect data that is stored or managed within their systems and devices. The same is true of healthcare security and IT teams, who play the leading role in hardening IT systems that store PHI or PII, as well as in identifying and responding to cybersecurity attacks.
To understand what healthcare cybersecurity looks like in practice across various contexts, let’s look at a few common examples of specific systems and devices that healthcare cybersecurity strategies typically need to cover.
Email
Although email is rarely thought of as a medical data storage system, in practice inboxes accumulate patient data. For that reason, email must be secured in order to meet mandates related to PHI and PII security.
In addition, email is a primary attack vector: attackers distribute malware and run phishing campaigns through it. Securing email systems is therefore a core part of healthcare cybersecurity and of preventing the theft of private data.
Medical Devices
It’s common for hospitals and doctors’ offices to use a variety of medical devices to deliver healthcare. For example, nurses may use medical PC stations to keep track of patient records, or doctors might carry tablets to issue prescriptions.
If malicious actors gain physical access to these devices, they could read sensitive data stored on them or use them to reach other systems and data in the organization. They may also plant malware that enables remote attacks later. Healthcare cybersecurity solutions must protect these devices against both immediate data theft and this kind of delayed compromise.
Connected IoT devices
In addition to traditional IT devices, a wide variety of connected or smart devices are used across healthcare organizations, such as Internet-connected HVAC sensors and elevator controllers. If these devices aren't monitored, secured, and patched as part of the healthcare cybersecurity strategy, they are likely to be compromised.
Legacy systems
A legacy system is any system that is still in use but no longer supported by its manufacturer: for example, an operating system that has passed its end-of-life date, or an application whose vendor has gone out of business. Updating healthcare technology tends to be complicated and expensive, so healthcare organizations frequently depend on legacy systems until they find the time and resources to migrate to newer ones.
Legacy systems are attractive targets because they no longer receive security patches, and documentation about maintaining them is typically out of date.
Nonetheless, healthcare cybersecurity tools must be able to protect the data stored in legacy systems even when support from the systems' developers is no longer available. In practice this means compensating controls such as isolating the system on the network and tightly restricting which users and devices can reach it.
Healthcare cybersecurity threats
For healthcare organizations today, it's not a question of if they will face cyber attacks, but when. Breaches and attempted breaches against healthcare organizations are at an all-time high, largely because healthcare data is such an alluring target: attackers encrypt it and hold it hostage for exorbitant ransoms, or steal it for resale.
Attackers use a variety of techniques in their efforts to access prized healthcare information. Some of these techniques include:
Malware
Malware is malicious software that gives attackers unauthorized access to systems or to the information stored on them. It enables threat actors to steal credentials, collect data, or take control of systems in order to move laterally or disrupt services.
Ransomware
Ransomware is malware designed to encrypt data, rendering it unusable to the organization that owns it. After encryption, the attackers demand a ransom in exchange for decrypting the victim's files. Unless the organization has proper backups in place, kept offline or otherwise out of the attackers' reach (backups that are reachable from the network are routinely encrypted along with everything else), it is forced to choose between paying the ransom and suffering a major disruption to its operations. Many ransomware groups also exfiltrate data before encrypting it and threaten to publish it, so backups alone do not remove the extortion leverage.
Phishing
Phishing is an attack technique in which threat actors trick users into sharing sensitive information. For instance, they might send emails that impersonate IT staff, or that carry malicious links, to convince employees to enter their usernames and passwords. If the attack succeeds, the attackers can use the stolen credentials to gain unauthorized access to systems, exfiltrate data, plant malware, or launch ransomware.
Data exposure
Data exposure occurs when lost laptops, insecure physical systems, or misconfigured IT systems make sensitive information accessible to unauthorized parties. Data exposure is not an attack as such, because it does not require malicious activity by an attacker, but the end result, sensitive information in the wrong hands, is the same as for a conventional cyber attack.
Insider threats
Insiders, such as hospital staff, have legitimate access to various systems. If employees intentionally or accidentally misuse that access, they place sensitive data at risk. The risk is amplified when systems are configured with excess permissions that grant internal users more access than their role requires.
System vulnerabilities
Unpatched or out-of-date software, recalled devices, and prohibited devices are all likely to carry known vulnerabilities. Information about vulnerabilities is published in public databases, recall and safety notices are issued by manufacturers and by regulators such as the FDA, and governments publish lists of equipment that may not be used. Attackers can easily find and exploit these known weaknesses to plant malware or gain a foothold, placing the entire organization at risk.
Healthcare cybersecurity best practices
Although every healthcare organization’s security risks and requirements are different, there are healthcare cybersecurity best practices that every healthcare organization should follow to mitigate the risk to patient safety and of the misuse of PHI and PII.
Achieve visibility
You can’t protect what you can’t see. For that reason, maintaining comprehensive and continuously up-to-date visibility across the whole hospital is the first step in healthcare cybersecurity.
Comprehensive visibility means knowing every asset connected to your organization's network, the services each asset provides, the data it collects, manages, or accesses, and which security safeguards are (or aren't) in place to protect it. Visibility also means knowing which vulnerabilities put those devices, services, and data at risk. Together, this gives you a complete view of the attack surface so that you can assess vulnerabilities and risks and monitor for threats.
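As an added illustration (not code from the original page, and not Ordr's product), the following Python sketch shows the two checks behind that visibility and the vulnerability matching described under System vulnerabilities: reconciling passively observed devices against the managed inventory to surface unknown assets, and matching each asset against advisories with an affected-version ceiling to rank risk. Every device, advisory and identifier is constructed, and the advisory references are placeholders rather than real CVE numbers.

```python
# Added example (not from the original page and not Ordr's code): a minimal
# connected-device inventory with two visibility checks. All devices,
# advisories and identifiers below are constructed; the advisory
# references are placeholders, not real CVE numbers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    ip: str
    vendor: str
    model: str
    firmware: str      # dotted version string such as "2.1.4"
    category: str      # infusion_pump, hvac, workstation, ...
    stores_phi: bool   # does the device hold or process PHI?
    eol: bool = False  # True when the manufacturer no longer supports it


@dataclass(frozen=True)
class Advisory:
    ref: str        # placeholder identifier (hypothetical)
    vendor: str
    model: str
    fixed_in: str   # firmware versions below this one are affected
    severity: str   # low | medium | high | critical


SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}


def parse_version(version: str) -> tuple:
    """'2.10.0' -> (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Vendor and model must match and the firmware must predate the fix."""
    return (asset.vendor.lower() == adv.vendor.lower()
            and asset.model.lower() == adv.model.lower()
            and parse_version(asset.firmware) < parse_version(adv.fixed_in))


def find_unmanaged(observed_macs, inventory) -> list:
    """MACs seen on the wire that no inventory record explains: the blind spots."""
    known = {a.mac.lower() for a in inventory}
    return sorted(m for m in observed_macs if m.lower() not in known)


def exposures(inventory, advisories) -> dict:
    """Map each asset MAC to the advisory references that apply to it."""
    return {a.mac: [adv.ref for adv in advisories if is_affected(a, adv)]
            for a in inventory}


def risk_score(asset: Asset, advisories) -> int:
    """Sum the severity weights of matching advisories, double the total when
    the device holds PHI, and add a fixed penalty for end-of-life devices
    that will never receive a patch."""
    score = sum(SEVERITY_WEIGHT[adv.severity]
                for adv in advisories if is_affected(asset, adv))
    if asset.stores_phi:
        score *= 2
    if asset.eol:
        score += 5
    return score


def ranked_inventory(inventory, advisories) -> list:
    """(mac, score) pairs, highest risk first, to drive patching priority."""
    return sorted(((a.mac, risk_score(a, advisories)) for a in inventory),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample data: vendors, models and versions are fictitious.
INVENTORY = [
    Asset("00:11:22:33:44:01", "10.10.1.21", "ExampleMed", "PumpX", "2.1.4",
          "infusion_pump", stores_phi=True),
    Asset("00:11:22:33:44:02", "10.10.1.22", "ExampleMed", "PumpX", "3.0.0",
          "infusion_pump", stores_phi=True),
    Asset("00:11:22:33:44:03", "10.10.5.7", "ExampleHVAC", "AirCtl", "1.9",
          "hvac", stores_phi=False, eol=True),
    Asset("00:11:22:33:44:04", "10.10.2.50", "ExamplePC", "WS100", "7.2.1",
          "workstation", stores_phi=True),
]

ADVISORIES = [
    Advisory("ADV-0001", "ExampleMed", "PumpX", fixed_in="2.2.0", severity="critical"),
    Advisory("ADV-0002", "ExampleHVAC", "AirCtl", fixed_in="2.0", severity="high"),
]

# MACs reported by passive discovery; the last one has no inventory record.
OBSERVED = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
            "00:11:22:33:44:04", "00:11:22:33:44:99"]

if __name__ == "__main__":
    print("unmanaged:", find_unmanaged(OBSERVED, INVENTORY))
    print("exposures:", exposures(INVENTORY, ADVISORIES))
    print("ranked:", ranked_inventory(INVENTORY, ADVISORIES))
```

The scoring weights are arbitrary and exist only to show the shape of the calculation; the two design points worth keeping are that version strings are compared numerically (a string comparison would rank "2.10" below "2.9") and that the unmanaged-device check runs against what is actually observed on the network rather than against what the asset register says should be there.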
Perform risk assessments
Risk assessments are systematic evaluations of healthcare cybersecurity vulnerabilities and threats that exist and the level of risk each one poses. Risk assessments may also be used to document measures that organizations have taken to prevent breaches.
Healthcare organizations should perform risk assessments on a regular basis, at least once a year and more often if possible, as part of their security strategy; a documented risk analysis is also required by the HIPAA Security Rule and is commonly demanded by cyber insurers. Risk assessments should be updated whenever new devices or services are deployed.
Implement security controls
Security controls, meaning the tools and procedures that organizations use to harden systems against attack, go a long way toward minimizing healthcare cybersecurity risks. Foundational controls include endpoint protection such as antivirus software, which helps prevent malware infections, and data backup and restoration platforms, which restore data after a ransomware attack. Data encryption, network firewalls, incident response planning, and multi-factor authentication also form part of a baseline defense for healthcare systems.
Connected device security tools, such as Ordr, are also critical: they discover and classify every device in the healthcare environment, inspect east-west traffic for malware or communication with malicious domains, and identify vulnerabilities in devices. These tools must be designed for a healthcare setting: the discovery and vulnerability identification process cannot be allowed to disturb medical devices in use, since an active scan can crash or reset a device that a patient depends on. They must therefore take an agentless, passive approach, working from observed network traffic rather than from probes sent to the device or software installed on it.
Zero Trust
Many healthcare organizations have adopted Zero Trust as a core cybersecurity strategy. Under Zero Trust, no user or device is trusted by default because of where it sits on the network; every access to healthcare systems and data is authenticated, authorized, and limited to the minimum permissions necessary. Zero Trust principles can be applied to users, devices, data assets, and services in order to restrict communication and mitigate the risk of abuse.
One example of Zero Trust in practice is network access control (NAC), which governs which devices and users may join the network and which services they may reach. Another is network segmentation and its finer-grained form, microsegmentation, which isolates devices (or groups of devices) on the network and blocks any communication that is not explicitly needed.
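To make the passive, agentless inspection described under Implement security controls and the microsegmentation just described concrete, here is an added Python example (not from the original page and not Ordr's product code). It evaluates constructed flow records, the kind a network tap or flow export already produces, against a default-deny policy expressed in terms of device classes rather than IP addresses, distinguishes east-west from north-south flows, flags contact with a denylisted domain, and shows how such a policy can be learned from a clean baseline window. All addresses, domains, device classes and flows are constructed.

```python
# Added example (not from the original page and not Ordr's product code):
# passive evaluation of constructed flow records against a default-deny
# microsegmentation policy and a domain denylist. Nothing here touches a
# device; it only reads records that a tap or flow export already produces.
# All addresses, domains, device classes and flows are constructed.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip dst_ip dst_port proto domain")

INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # constructed hospital range

# Classification as a passive inventory would supply it (constructed).
DEVICE_CLASS = {
    "10.10.1.21": "infusion_pump",
    "10.10.1.22": "infusion_pump",
    "10.10.2.50": "workstation",
    "10.10.3.10": "pump_server",
    "10.10.3.20": "ehr",
    "10.10.3.53": "dns",
    "10.10.5.7": "hvac",
}

# Default-deny policy: only these (src_class, dst_class, dst_port) triples are
# permitted. Anything else, such as pump-to-workstation traffic, is a violation,
# which is what makes lateral movement visible.
POLICY = {
    ("infusion_pump", "pump_server", 443),
    ("infusion_pump", "dns", 53),
    ("workstation", "ehr", 443),
    ("workstation", "dns", 53),
    ("hvac", "dns", 53),
}

# Stand-in for a threat-intelligence feed (constructed, reserved .test TLD).
MALICIOUS_DOMAINS = {"update-check.example-bad.test"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ip: str) -> str:
    """Known device class; 'unknown' for an unclassified internal host,
    'external' for anything outside the hospital ranges."""
    if ip in DEVICE_CLASS:
        return DEVICE_CLASS[ip]
    return "unknown" if is_internal(ip) else "external"


def direction(flow: Flow) -> str:
    both_inside = is_internal(flow.src_ip) and is_internal(flow.dst_ip)
    return "east_west" if both_inside else "north_south"


def evaluate_flow(flow: Flow, policy=POLICY, denylist=MALICIOUS_DOMAINS) -> list:
    """Findings for one flow; an empty list means the flow is permitted."""
    findings = []
    src, dst = classify(flow.src_ip), classify(flow.dst_ip)
    if flow.domain and flow.domain.lower() in denylist:
        findings.append(f"malicious_domain:{flow.domain}")
    if (src, dst, flow.dst_port) not in policy:
        findings.append(f"{direction(flow)}_policy_violation:{src}->{dst}:{flow.dst_port}")
    return findings


def evaluate_flows(flows, policy=POLICY, denylist=MALICIOUS_DOMAINS) -> dict:
    """Map flow index -> findings, for flows that produced at least one."""
    result = {}
    for i, flow in enumerate(flows):
        findings = evaluate_flow(flow, policy, denylist)
        if findings:
            result[i] = findings
    return result


def learn_policy(baseline_flows) -> set:
    """Derive a class-level allowlist from traffic seen during a clean baseline
    window. Flows touching unclassified or external peers are left out so the
    learned policy stays default-deny for anything not positively identified."""
    learned = set()
    for f in baseline_flows:
        src, dst = classify(f.src_ip), classify(f.dst_ip)
        if src in ("unknown", "external") or dst in ("unknown", "external"):
            continue
        learned.add((src, dst, f.dst_port))
    return learned


# Constructed flow records.
FLOWS = [
    Flow("10.10.1.21", "10.10.3.10", 443, "tcp", None),   # pump to its server: fine
    Flow("10.10.1.21", "10.10.2.50", 445, "tcp", None),   # pump opening SMB to a workstation
    Flow("10.10.5.7", "203.0.113.5", 443, "tcp", "update-check.example-bad.test"),  # HVAC beaconing out
    Flow("10.10.2.50", "10.10.3.20", 443, "tcp", "ehr.hospital.test"),  # workstation to EHR: fine
    Flow("10.10.2.50", "10.10.3.53", 53, "udp", None),    # DNS lookup: fine
]

if __name__ == "__main__":
    for index, findings in evaluate_flows(FLOWS).items():
        print(index, FLOWS[index].src_ip, "->", FLOWS[index].dst_ip, findings)
```

Expressing the policy in device classes rather than addresses is what lets it survive DHCP churn and new devices of a known type; the trade-off is that the policy is only as good as the classification, which is why an unclassified host is treated as a violation rather than silently permitted. The same evaluation can be run on the learned policy to confirm that a baseline window did not accidentally bless a compromised device's traffic.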
Educate staff
Education such as cybersecurity awareness training ensures that healthcare workers are aware of risk and follow best practices to protect patients, services, and data. Healthcare staff should know how to spot threats, like phishing emails, and to react appropriately. They must also be aware of the risks posed by both external and internal threats.
Staff education is also a means of spreading awareness of legal requirements related to healthcare cybersecurity, such as those imposed by HIPAA, so that workers can do their part to adhere to compliance rules.
Healthcare cybersecurity laws and regulations
HIPAA, or the Health Insurance Portability and Accountability Act, is the best-known of several laws and regulations that governing bodies created to enforce healthcare cybersecurity best practices. Although complying with these mandates is not the only reason why healthcare organizations should protect sensitive data, it’s often a core motivator. This means that a familiarity with healthcare laws and regulations is an important component of healthcare cybersecurity.
HIPAA contains several provisions that affect the security of healthcare data. The Privacy Rule, codified at 45 CFR Part 160 and Subparts A and E of Part 164, establishes the permitted and required uses and disclosures of PHI. PHI is defined as individually identifiable health information held or transmitted by a covered entity or its business associates, which is what brings it under these requirements.
The HIPAA Security Rule, at 45 CFR Part 160 and Subparts A and C of Part 164, sets out specific administrative, physical, and technical safeguards for PHI that is stored or transmitted electronically (ePHI), which is how most healthcare data is held today. Finally, the Breach Notification Rule (45 CFR §§ 164.400-414) generally requires organizations to notify affected individuals, and HHS, of a breach of unsecured PHI, and to notify the media when a breach affects more than 500 residents of a state or jurisdiction.
Beyond HIPAA, other regulations may apply to healthcare data. For example, 42 CFR Part 2 protects patient records created by federally assisted programs that treat substance use disorders, and sets very specific and extensive privacy requirements for PHI in that context.
Additionally, the National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidance, guidelines, and practices that organizations can use to reduce their cybersecurity risk. First published in 2014 and revised in 2018 (version 1.1) and 2024 (version 2.0), the framework also helps organizations manage risk and communicate about cybersecurity. Overall, it gives organizations a common language and a systematic methodology for risk management.
The framework has three components: the Core, Implementation Tiers, and Profiles. The Core is a catalog of desired cybersecurity outcomes organized into functions (Identify, Protect, Detect, Respond, and Recover, with Govern added in version 2.0) that complements an organization's existing practices. Profiles describe an organization's current and target state against the Core, identifying where existing processes can be improved and new ones introduced. The Tiers characterize how rigorous and well-integrated the organization's risk management practices are, from Partial to Adaptive; they are not a compliance rating, since the framework is voluntary.
Likewise, the HHS 405(d) Health Industry Cybersecurity Practices (HICP) publication, which maps its practices to the NIST framework, lays out specific guidance for healthcare cybersecurity. According to HHS, the top threats are:
- Email phishing
- Ransomware attacks
- Loss or theft of equipment
- Accidental or intentional data loss
- Connected medical device attacks that impact patient safety
Both the NIST framework and HHS 405(d) exist to help healthcare organizations protect themselves and their patients.
Protect Your Whole Hospital
Healthcare cybersecurity threats come in many forms and apply to a wide variety of systems. For that reason, healthcare organizations should establish a comprehensive cybersecurity strategy with protections that cover all of their assets, from conventional IT systems, Internet of Medical Things devices, and unsupported legacy systems to connected facilities devices, Internet of Things devices, and beyond, against all types of attacks, risks, and threats. Organizations must also maintain comprehensive visibility across the entire organization, including which assets are high risk and whether they are secured. And they must be aware of the specific regulatory mandates that apply to them and implement the protections necessary to comply.
Ordr can help with a whole-hospital approach to healthcare cybersecurity. By automatically discovering and accurately classifying all connected devices that healthcare organizations depend on, we maintain a continuously updated inventory that provides comprehensive visibility into healthcare systems, vulnerabilities, and risk. In addition, Ordr can help organizations enforce healthcare cybersecurity best practices based on Zero Trust principles, helping them protect critical data and services, meet strict compliance and data privacy mandates, and ultimately ensure patient safety.