Healthcare cybersecurity primer outlines defensive strategies

By John DeGaspari

A new primer on cybersecurity outlines the challenges that healthcare organizations face and steps they can take to defend themselves against cyberattacks.

The Workgroup for Electronic Data Interchange's (WEDI) "Perspectives on Cybersecurity in Healthcare" covers three prime areas of cybersecurity: the lifecycle of cyberattacks and defense; the anatomy of an attack; and building a culture of prevention.

To build that culture of prevention, the report recommends a strong cyberdefense strategy that addresses how to prepare for and monitor attacks and recover from breaches.

At a minimum, security architecture should be able to stall adversarial efforts, thwart attacks at each phase and facilitate a rapid response.

The report outlines three strategies:

Mitigate threats before they enter a network with basic controls, such as ensuring that operating systems and anti-malware, Web filtering and antivirus software on servers and endpoints are updated and patched to reduce the risk of vulnerabilities and infections. 

Discover threats that have entered or tried to enter systems. No organization can prevent every cyberattack, but it is important to build a response system that can alert your security staff, rapidly identify a breach and its scope, and notify other enforcement points so that a breach can be contained without extensive collateral damage.

Respond to any threats that have breached the network. In addition to deploying sandbox appliances, which can test and detect novel threats, organizations might need to deploy internal network firewalls and mitigate an attack once a network has already been breached.

"The frequency, scope and sophistication of cyberattacks are growing at a worrisome rate in healthcare," said Devin Jopp, president and CEO of WEDI, in a prepared statement.

WEDI reports that between 2010 and 2014, approximately 37 million healthcare records were compromised in data breaches. But in the first four months of 2015 alone, more than 99 million healthcare records have already been exposed through 93 separate attacks, according to Jopp. 

"The risk of cyberattacks is no longer limited to the IT desk--it is a key business issue that must be addressed by executive leadership teams in order to build that culture of prevention," he said.

Healthcare data is a high-value target for hackers, as the information is much richer than even bank accounts. 

Former president Bill Clinton in a keynote address for this year's America's Health Insurance Plans' AHIP Institute called attention to cybersecurity as a major technological challenge for healthcare to overcome.

Healthcare CEOs have been trying to prepare their organizations from cyberthreats. In a special cybersecurity report by FierceHealthIT, Roger Neal, vice president and chief information officer of (Duncan) Oklahoma Regional Hospital, acknowledged that most hospitals still struggle with maintaining security despite having programs in place to mitigate those concerns.

To learn more:
- read the WEDI report
- here's the report announcement