The danger of cybercrime and security breaches looms over the healthcare industry like a slow-moving storm.
As of mid-December, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) had received 541 notices of data breaches affecting more than 500 individuals during 2023. Among these were incidents that compromised the information of millions, or even tens of millions, of individuals, as was the case with this summer’s high-profile breach at HCA Healthcare.
Some attacks forced healthcare providers to adjust their workflows or interrupt services due to lockups of their computer systems. Sixteen-hospital Prospect Medical Holdings, for example, suffered an attack in August that led to certain locations switching over to paper records or suspending several elective and outpatient procedures. Ardent Health Services weathered a ransomware attack on Thanksgiving that ultimately led the 30-hospital system to proactively shut down and suspend all user access to its IT applications, leading to pauses in non-emergency procedures.
“It’s obvious that it’s escalating, and that the tactics are changing,” Mike Hamilton, chief information security officer of cybersecurity-as-a-service firm Critical Insight, told Fierce Healthcare.
Beyond the threat to patients’ lives, these incidents can have a lasting impact on the financial health of a provider organization.
According to a July report from IBM and the Ponemon Institute, cybersecurity breaches ran healthcare organizations an average of $10.1 million per incident during 2022, a 9.4% increase over 2021 and well above what other sectors of the economy are forced to spend. In fact, a rural Illinois hospital that shut its doors in the summer attributed its closure in part to a multi-week ransomware incident it had suffered two years prior, marking the first-ever case in which a hospital shutdown was explicitly linked to a cyberattack.
Further, these incidents leave organizations exposed to litigation from those whose data were compromised. The aforementioned HCA data breach earned the system at least four class-action lawsuits within just a week of its disclosure (though in this case, the massive for-profit chain told investors shortly after that the filings weren’t expected to have a “material impact” on its business).
Against this backdrop, it’s little surprise that provider executives are looking to strengthen their positions. A survey report published last month by consulting firm Guidehouse found that 85% of respondents’ organizations planned increases to their 2024 digital and IT budgets, with cybersecurity listed as their top investment priority.
Erik Pupo, director, commercial health IT advisory at Guidehouse, said that a large portion of the investment decisions are reactions to “the external threat environment—[many leaders] are looking to invest in cybersecurity from the inside out AND outside in, and not specifically analyzing where cybersecurity investment ROI helps in the cybersecurity posture.”
From an evolving regulatory environment to shifting angles of attack, cybersecurity experts say there’s plenty that hospital and health system leaders hoping to protect their organizations need to be thinking about as they enter the new year.
Who is in the crosshairs?
The past year has shown that cybercriminals are more than willing to hit low, experts said. As prominent, well-resourced facilities have spent the last few years building their walls, smaller providers have remained as the lower-hanging fruit.
“There's a notable rise in attacks on smaller, regional healthcare providers, which may need robust cybersecurity measures,” said Ani Chaudhuri, co-founder and CEO of data security firm Dasera. “These entities often hold highly sensitive data, making them attractive targets for hackers.”
Down-market providers such as specialty clinics or medical imaging facilities are also a rising target for attackers, Hamilton said.
On the other hand, he said there’s also been more focus on “going to the top of an organization that has a lot of affiliates, where the top of the organization is handling records for a dozen or more hospitals and it becomes a one-stop shop.” This type of strategy has contributed to the greater scale of this year's reported breaches as compared to those past.
Attacks against healthcare providers’ third-party business associates and the broader supply chain have also spiked during the last several months. For instance, almost two-thirds of the respondents to one recent survey of healthcare IT professionals said their organization had faced a supply chain attack in the past two years, and the portion who said it ultimately disrupted patient care rose by 70% from the prior year’s survey.
“Ensuring that third-party vendors adhere to robust cybersecurity standards is no longer a nice-to-have or checked-box exercise; it is a fundamental obligation to safeguard sensitive patient data, maintain operational continuity and protect against the rising tide of cyberthreats,” Mike Parisi, head of client acquisition at cybersecurity compliance firm Schellman, told Fierce Healthcare. “Hospitals must proactively collaborate with vendors to impose stringent cybersecurity protocols, conduct regular audits and foster a culture of continuous improvement.”
As well as insisting on contractual clauses for data security, Chaudhuri advocated for regular joint cyber exercises and the sharing of threat intelligence between hospitals and their partners.
“Transparency and open communication with business associates about potential vulnerabilities and threats are vital,” he said.
Vectors of attack
Several experts said that cyberattackers are more often leveraging software vulnerabilities as their point of entry.
“Based on our data breach report analysis, phishing as a preferred initial access vector has given way to vulnerability exploit,” Hamilton said. “So, the focus is on quickly patching your vulnerabilities, getting your updates in—it’s a race now when a vendor comes out with a patch.”
“Fundamental security hygiene” with connected devices should be among the top cybersecurity focus areas for healthcare leadership teams, Sonu Shankar, chief strategy officer of extended internet-of-things security firm Phosphorus, told Fierce Healthcare. Because the legacy approach to cybersecurity prioritized monitoring and controlling network traffic, it's now "very common” for in-use medical devices to still be running with their default passwords, he warned.
“There isn’t a lot of awareness around this being a problem,” Shankar said. “The first step here would be to get a real accurate inventory of every connected thing out there in a hospital environment, in a clinical environment, that could potentially be taken over for a variety of cybercriminal objectives.”
On the other hand, “there’s increased awareness on [the attackers’] side that with traditional IT devices like Windows laptops, you have advanced solutions—like CrowdStrike, for example—out there that you can deploy on those Windows workstations. But you can't do that for the large number of connected devices that you have in your environment; you just can't deploy an endpoint agent into those,” he said.
Though device-focused attacks are a “likely” tactic for future attacks, Chaudhuri isn’t ready to start downplaying the threat of phishing. He anticipates that targeted attempts to exploit human error could pick up next year—and, like other strategies, could even be bolstered by new technologies.
“The healthcare sector must brace for increased AI-powered cyberattacks, which are more advanced and adaptable than traditional threats,” he said. “These attacks include highly personalized phishing emails, automated exploitation of IT system vulnerabilities and adaptive malware that evades detection. Additionally, AI-driven attacks can mimic normal network behavior, bypassing anomaly detection systems.”
Considering the tight financial positions of many health systems and the rising number of threat actors—most notably those backed by foreign states hostile to the U.S.—the experts said hospitals need to be thinking about “when” rather than “if.”
“Multi-layered” security strategies that include network segmentation and real-time threat detection are “vital” toward limiting the damage, Chaudhuri said.
Jake Aurand, counterintelligence team lead at security firm Binary Defense, noted that simply having an incident response plan in place isn’t enough.
“Companies need to run realistic simulations of an attack to make sure everyone that would be involved knows what to do, which allows a quick response to an incident instead of people not understanding their role in the process,” he said.
When a cyber incident does occur, “being open and honest with patients can also go a long way,” Aurand continued. “The earlier that they can be notified about an incident, the quicker they can try and protect themselves and be on the lookout for attacks targeting them such as phishing emails, blackmail and fraudulent insurance bills.”
Rising federal and state regulation
The ball is already rolling on new industry requirements surrounding healthcare data security.
Alaap Shah, a member of law firm Epstein Becker Green (not speaking on any entities in particular) told Fierce Healthcare that key policy and regulatory enforcement efforts “will likely emerge” as the result of recent state efforts to ramp up security.
Specifically, he pointed to the California Consumer Protection Act’s rules on conducting risk assessments; rules proposed by New York last month to require certain levels of hospital cybersecurity; and Washington’s My Health My Data Act, which was signed into law in April.
Additional developments will stream out of federal entities as well, from HHS and OCR under HIPAA and the Federal Trade Commission under the Health Breach Notification Rule, Shah said. Further, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology will continue to follow their mandates to share threat information and other technical assistance.
So far, HHS has released a concept paper outlining its plans to bolster the healthcare industry’s cybersecurity position going forward. The department said it plans to introduce a combination of voluntary cybersecurity goals; upfront investments and incentives; and new cybersecurity requirements within Medicare, Medicaid and HIPAA that, should Congress sign off, could come with payment hits and greater civil monetary penalties.
The roadmap was quickly critiqued by the American Hospital Association, which described mandatory cybersecurity requirements and financial penalties as a “counterproductive” measure in hospitals’ uphill battle against attackers.
Such a response is no surprise to Hamilton, who predicted that imposing new requirements “doesn’t really do any good” for the financially “shaky” healthcare sector (unless they come hand in hand with grant money).
Reading the tea leaves, Hamilton said it’s more likely that upcoming regulatory and policy efforts will focus on resilience rather than preventive controls. He pointed to CISA’s “Shields Ready” campaign, where “rather than trying to prevent a bad outcome, we now consider it to be a foreseeable event, and the objective is to get off the mat after you take the punch before the 10-count.”
As for the state-level activity, Hamilton noted that the regulations being proposed are “nearly identical” to those being prioritized by federal agencies. The difference, he said, is that a more ideologically stable state runs less risk of major policy overhauls every four years.
“If the dysfunctionality in the federal government is such that every time there’s a new election the regulatory winds are gonna blow another way, states are going to start to take that on so they can stable out,” he said.
On the other hand, Hamilton said that the state statutes related to privacy are less likely to become a long-term factor for the industry. He pointed to the burdensome “patchwork” of data breach reporting statutes that came out of all 50 states when federal lawmakers failed to move. Even a “dysfunctional Congress” would want to pass national privacy statutes and avoid repeating that mistake, he said.
As for what would be included in these privacy statutes, Hamilton said it’s possible that Congress would look to “take some of the pressure” from the oft-litigated health sector.
Specifically, he said such national statutes could preempt the private right of action permitting immediate class action suits following a protected record breach included in many states’ statutes. “Rather than a class action that happens immediately just because my record was stolen, what you [would] have to show was that there was some fraud that was perpetrated with that record,” he said.
In line with the Shields Ready campaign and other recent guidance from HHS and the Securities and Exchange Commission, the federal regulatory focus going forward appears to be centered on governance, executive involvement and negligence, Hamilton predicted. Claims of the latter “will become more and more abundant” as an enforcement mechanism that’s more likely to create positive change than new regulations requiring preventive measures, he said.
“Failure to address a foreseeable risk is negligence, and that standard of foreseeability is actually embodied in legal doctrine,” he said. “We’re going to see more examples [of enforcement] where hospitals did not take the advice given to them in the [Health Industry Cybersecurity Practices] and some of HHS’ other guidance about governance. They want executives involved in risk governance. They gotta put their fingerprints on these decisions—not just put your head in the sand and not worry about it—and if they fail to do that, that’s negligence.”
But would this enforcement approach of greater executive accountability lead to fewer cybersecurity incidents?
Hamilton acknowledged that even with a risk governance committee in place to hear and consider the recommendations of their IT and security teams, healthcare leadership would still be free to weigh the costs and accept a cybersecurity risk to their organization.
Rather, he and the hospital lobby were in accord on what else would be needed to drive industry-wide behavior change.
“Again, it’s if they can afford it, right? That continues to be the problem in the healthcare sector,” he said. “Federal government needs to do a better job of busting out the grant money because the health sector is hurting.”