WASHINGTON, D.C. – On Halloween this Thursday at the HIMSS Healthcare Cybersecurity Forum, attendees heard a fright-inducing list of recent Healthcare IT News headlines, all from just this October:
- A warning this week from the Health Sector Cybersecurity Coordination Center about Scattered Spider – an appropriately creepy-crawly name – a cybercrime group that leverages ransomware variants and AI for advanced social engineering exploits, such as voice spoofs and deep fakes, targeting healthcare.
- A report from the Ponemon Institute earlier this month showed that, even as cybersecurity budgets are finally increasing, they’re still not keeping pace with attack disruptions – with 69% of health systems that had experienced a cyberattack saying it had adversely impacted patient care.
- Another October report, from the National Association of State Chief Information Officers, found 41% of them noted that they were unsure whether their teams could handle all the cybersecurity threats they face, and were particularly concerned with AI-enabled attacks.
- A study from the same week showed 44% of healthcare organizations still not using basic multifactor authentication for remote access, and the same percentage still lack an incident-response plan.
- A provider group in Southern California paid a $240,000 civil monetary penalty this month to settle with HHS’ Office for Civil Rights over potential HIPAA Security Rule violations after a series of ransomware attacks showed a lack of basic cyber hygiene controls. In that settlement, OCR noted that there’s been a 264% increase in large ransomware-based breaches since 2018.
In his opening keynote at the forum Greg Garcia, executive director at Health Sector Coordinating Council Cybersecurity Working Group, said those challenges are not just the responsibility of IT and infosec professionals.
The scope of the cyber threat environment these days is “all of our problem,” said Garcia. In today’s healthcare circulatory system, a “digitized interconnected ecosystem” where “every point is a transaction,” he said “it isn’t just the cybersecurity people that are on the hook. It’s everyone.”
As if a reminder was needed of the size of the problem, it was mentioned more than once on Thursday that the Change Healthcare ransomware attack of February 2024 impacted the protected health information of some 100 million Americans – officially making it the biggest healthcare breach ever.
Across the healthcare ecosystem – operational, financial, reputational, legal, regulatory, clinical – hospitals and health systems need to “mobilize ourselves against” against a cyber foe that’s getting more cunning and creative: more and more honing their social engineering exploits with artificial intelligence and becoming bolder and more relentless.
Garcia says HSCC – along with 17 other sector coordinating councils across the federal government – is working to help healthcare organizations be stronger and better prepared “against a flexible and resilient adversary.”
He noted that such preparedness may soon not be voluntary. He suggested the healthcare industry keep an eye out for a notice of proposed rulemaking from HHS that may be published soon, aiming to require HIPAA covered providers – and third parties and business partners too – to have some baseline cybersecurity protections in place.
More philosophically, Garcia is interested in helping health systems understand the stakes and think more creatively about security – by design, by default and by implementation – and the value of close collaboration and defense in depth.
“How do we act like a beehive, an ant colony?” he said. “Do you see how they act when an intruder is in their midst? The communication is telepathic.”
As healthcare organizations work to shore up their defenses and map a complex web of critical data infrastructure, it’s crucial to understand that “none of us individually is as smart as all of us together,” he said.
Garcia was followed onstage in D.C. by his workgroup colleague, Intermountain Chief Information Security Officer Erik Decker, who also serves as HSCC chairperson.
Decker offered some complementary perspective on the scope and stakes of the challenge – and gave some prescriptions for how healthcare organizations can boost communication and collaboration to protect against a relentless foe.
Information security, once upon a time, was about protecting the privacy and confidentiality of patient data. It’s still that, of course, but nowadays the more urgent imperatives are the safeguarding financial assets and, critically, the protection of patient safety.
Moreover, “it’s a resilience issue,” he said, “making sure we’ve covered the bases around the digital stack and protecting against disruption.”
That’s easier said than done, of course, and health systems need to be “very meaningful about how you’re covering those bases.”
In a world where bad actors can rely on any number of different vulnerable points of entry – social engineering, third party compromise, system misconfiguration – it’s easier than ever for cyber crooks to get in and compromise controls.
A lot is said about how savvy the bad guys have gotten, but in many cases they’re only taking advantage of the opportunities afforded to them. “The reconnaissance is sophisticated, the attack is stupid,” said Decker.
In the massive Change Healthcare breach, for example, with its months of debilitating ripple effects and 100 million patients affected, the absence of multifactor authentication on a legacy server was all the opening they needed.
Healthcare organizations need to embrace a whole-of-enterprise approach to fend off committed cyber enemies who are seeking any point of weakness they can find.
“We have to build a system where ‘you’ve got to beat all of us to beat one of us,'” said Decker, quoting former National Cyber Director Chris Inglis.
Like our bodies’ immune response, he said, “the whole system has to work.”
Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.