As the nation becomes increasingly interconnected through technology, industries are also utilizing new technology to meet patient expectations for quick diagnoses and access to results. However, when this technology usage includes personal or healthcare data that may be sensitive for patients or health systems, cybersecurity becomes paramount and necessitates the implementation of new cyber standards. The Healthcare Information and Management Systems Society (HIMSS), a global society focused on information and technology in the health ecosystem, held its annual HIMSS 2023 Healthcare Cybersecurity Forum in September. Here, industry professionals converged to innovate and discuss strategies for safeguarding the healthcare sector against cyber-attacks. To protect against breaches, the healthcare system must integrate and scale to achieve a more connected technological landscape across the industry to better serve patients.
Ransomware and Cybersecurity in Healthcare
By connecting and improving interoperability between healthcare systems/EHR platforms, overall patient service is improved; however, with features such as digital integration, migration to the cloud and the incorporation of remote workers, cyber vulnerability has simultaneously increased. Bad actors oftentimes target healthcare agencies with ransomware for hire. With the increased capabilities of artificial intelligence (AI), even inexperienced bad actors can create sophisticated and dangerous attacks. Due to the immense financial loss of these attacks, it is vital that agencies prioritize cybersecurity. Hospitals, other healthcare centers, and especially their third-party stakeholders, now face a new barrage of ransomware attacks and data breaches.
There are several steps administrators can take to protect hospital systems, patients and stakeholders.
- Implement ‘Security-by-Design,’ a strategy where providers ensure that all products are secure by design and by default across all IT solutions and enterprise environments.
- Maintain pace with the evolution of artificial intelligence (AI) and utilize it to defend against bad actors.
- Standardize a detailed incident response plan that includes a thorough business continuity plan.
- Exchange defense strategies between stakeholders — a united front is stronger than trying to face threats alone.
- Implement multi-factor authentication and zero trust for all end users so information is accessed only by the parties that need to know.
- Apply data encryption to systems to protect sensitive information against hackers.
AI in the Healthcare Industry
While bad actors have utilized the capabilities of AI, the healthcare industry can also use it to improve cybersecurity. AI does not need breaks and can therefore run all day, reducing the time needed to identify a security breach by analyzing large amounts of data in real time. On a similar note, AI can identify multiple devices and manage network endpoint detection for large networks. AI has been used to predict Domain Name System (DNS) attacks before occurrence, preventing and mitigating these attacks. It can implement Secure Access Service Edge (SASE), analyze identities and manage risk. With its strength of detecting patterns, AI can distinguish subtle patterns of attack that would otherwise go unnoticed by people.
Due to the nature of this new technology, the healthcare industry must carefully decide whether it wants to implement AI, and to what extent it will be used. In terms of cybersecurity, AI may be the answer to providing a secure standard for an interconnected healthcare industry.
Partnerships to Strengthen Cybersecurity in the Healthcare Industry
To provide the best security for patients and stakeholders in the healthcare sector, the federal government and technology industry have joined the battle against bad actors in healthcare. Several federal agencies, including the Administration for Strategic Preparedness and Response (ASPR), will lend a hand in bolstering the cyber posture of the American health system. The ASPR is working alongside the Cybersecurity and Infrastructure Security Agency (CISA) and private sector partners to analyze the cyber threat landscape of the healthcare sector. Over the next year, the agency hopes to create a cyber division, introduce a cyber risk identification tool, track cyber incident reports and gain resources and buy-in from senior leadership. Another agency, the Department of Health and Human Services (HHS), will strengthen cybersecurity by partnering with hospitals, health organizations and federal agencies, including CISA, that have additional information on cyber threats. Under the HHS, the Health Industry Cybersecurity Practices (HICP), a publication in response to the Cybersecurity Act of 2015, provides practical cybersecurity guidelines for the healthcare industry.
HICP covers several major threats that the industry faces, including:
- Social engineering
- Payment fraud
- Loss or theft of equipment
- Insider, accidental, or malicious data loss
- Attacks against network connected medical devices
To counter these threats, the HICP has listed its top ten best cybersecurity practices. It advises organizations to:
- Protect email systems from phishing breaches
- Implement endpoint protection systems on all hardware devices
- Utilize identity and access management, regardless of the size of the health care organization
- Check cyber posture to prevent data loss
- Manage IT assets
- Execute network management for wireless or wired connections before interoperating systems
- Enact vulnerability management
- Take advantage of incident response plans to discover network cyberattacks
- Extend relevant cybersecurity practices to network connected medical devices
- Establish and implement cybersecurity and governance policies
By enabling organizations to evaluate capability against cybersecurity attacks, HICP aims to protect patients and stakeholders from private data loss.
While cyber attacks are always growing in complexity, the healthcare industry can evolve and provide superior service for its patients through the use of tested security strategies, AI and federal aid.
 “HICP’s 10 Mitigating Practices,” Department of Health and Human Services, https://405d.hhs.gov/best-practices
*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at the HIMSS Fall Forum in September 2023.*