Insights from The Identity Jedi for shoring up healthcare's cybersecurity defenses

April 30, 2024
Ransomware and killware cyberattacks can pose lethal threats to hospitals and critical infrastructure.

(Marietta, Georgia) April 30, 2024 — Healthcare is among the top seven targets of cyber thieves with its valuable cache of data and wellspring of potential victims. Since 2010, the healthcare industry has endured the highest data breach costs compared to other sectors, with each breach costing over $10 million in 2023. (2) 

David Lee, The Identity Jedi and Chief Evangelist and Visionary for Tech Diversity, observes, "Healthcare is an outlier in cybersecurity because they're often playing catch-up due to their reliance on closed-off technology that limits integrations with external partners, leaving them more vulnerable to cyber threats. The industry must venture outside its purview to gain third-party insights on fixing their Identity and Access Management (IAM) blind spots."    

Healthcare records are worth up to 10 times more than stolen credit cards on the dark web because they offer more than just cash. The at-risk data includes patients' protected health information (PHI), financial details like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property linked to medical research and innovation. (3) But that's not all.

Fail-safe cybersecurity has become a matter of life and death. Ransomware and killware cyberattacks can pose lethal threats to hospitals and critical infrastructure. Ransomware typically extorts money by threatening the integrity of an organization's critical data. Killware, on the other hand, encompasses cyberattacks that cause physical harm, whether it's lethal or not. (4)

According to a Comparitech study, ransomware attacks on U.S. healthcare facilities since 2016 have led to approximately $77.5 billion in economic losses due to downtime. Across 539 incidents involving almost 10,000 facilities, the attacks affected over 52 million patient records, and each attack averaged nearly 14 days. The study found that ransom demands varied from $1,600 to $10 million. (5)

The FBI has been sounding the cybersecurity alarm regarding the vulnerabilities in popular medical devices like insulin pumps, intracardiac defibrillators, and mobile cardiac telemetry due to outdated software and inadequate security features. Unscrupulous hackers can cause direct harm to patients by hijacking these devices using WiFi, Bluetooth, and other remote technology to alter readings or administer drug overdoses. (6)

The government has been taking steps to stem the tide of cyberattacks. The Cybersecurity & Infrastructure Security Agency (CISA) has developed a Zero Trust Maturity Model to transition to a zero trust architecture. (7) "Trust but verify" is the core principle of zero trust, where all components of a cybersecurity supply chain are deemed untrustworthy and, therefore, always vulnerable to internal and external threats.

Section 524B of the Consolidated Appropriations Act, 2023 ("Omnibus"), Ensuring the Cybersecurity of Devices, empowered the FDA to require medical device manufacturers to include a Software Bill of Materials (SBOM) with each device. (8) An SBOM is a structured list of the components, libraries, and modules that make up a piece of software and its supply chain. (9)

By identifying software components and constantly monitoring the supply chain for potential breaches, organizations can pinpoint outdated or open-source software that may be susceptible to cyber breaches.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) pioneered patient data protection. HIPAA is a federal law that established national standards for protecting and disclosing sensitive patient health information. (10) 

In 2023, the HIPAA Journal emphasized the importance of identity and access management in the healthcare industry. IAM involves implementing a range of administrative, technological, and physical defenses to control access to resources and data. It ensures access is granted according to job roles, authority, and responsibilities, facilitating appropriate access for authorized individuals while preventing unauthorized entry. (11)

IAM consists of single sign-on systems, multifactor authentication, and privileged access management. These technologies also securely store identity and profile data and can perform data governance functions. Lee explains, "As cyberattacks increase, the healthcare industry responds with more integrated systems, which creates a larger attack surface for cybercriminals, with each additional connected system offering a new avenue for attack. Healthcare has its own ecosystem, and it tends to self-medicate when it comes to cybersecurity, at its own peril."

A survey by the Healthcare Information Management and Systems Society discovered that healthcare organizations spend a paltry 7% of their budget on cybersecurity. Fifty-five percent of healthcare IT professionals reported that their organization had experienced a significant security breach in the last year, and 74% say hiring qualified cybersecurity professionals is a considerable challenge. (12)

The healthcare industry is more concerned with the health of its patients, hiring the best staff, scientific research, and discovering groundbreaking treatments that can save more lives. Cybersecurity becomes a significantly lower priority.

It's critical for the healthcare industry to find effective and affordable solutions to prevent a devastating attack on the life-saving care it provides. Lee emphasizes, "Cybersecurity technology like IAM, SBOMs, and zero-trust architecture, in and of itself, is not a magical elixir. It requires people with the right skills and expertise to implement it successfully. Healthcare needs to expand its trust circle to include cybersecurity professionals who can provide the urgent care the industry needs to protect itself and the millions of lives it serves."

References:

  1. "Half of Ransomware Attacks Have Disrupted Healthcare Delivery, JAMA Report Finds." Healthcare IT News, 10 Jan. 2023, www.healthcareitnews.com/news/half-ransomware-attacks-have-disrupted-healthcare-delivery-jama-report-finds.
  2. The 7 Industries Most Vulnerable to Cyberattacks | Ekran System, ekransystem.com/en/blog/5-industries-most-risk-of-data-breaches. Accessed 19 Apr. 2024.
  3. "The Importance of Cybersecurity in Protecting Patient Safety: Cybersecurity: Center: AHA." American Hospital Association, aha.org/center/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety#:~:text=Why%20health%20care%20gets%20hit,thieves%20and%20nation%2Dstate%20actors. Accessed 19 Apr. 2024.
  4. Flynn, Shannon. "Killware vs. Ransomware: What's the Difference?" MUO, 6 Sept. 2023, makeuseof.com/killware-vs-ransomware-difference/.
  5. Olsen, Emily. "Ransomware Attacks on Healthcare Facilities Cost $77.5B in Downtime, Report Finds." Healthcare Dive, 27 Oct. 2023, healthcaredive.com/news/healthcare-ransomware-costs-comparitech-77-billion/698044/.
  6. "FBI Warns of Vulnerabilities in Medical Devices Following Several CISA Alerts." Cyber Security News | The Record, 12 Sept. 2022, therecord.media/fbi-warns-of-vulnerabilities-in-medical-devices-following-several-cisa-alerts.
  7. "Zero Trust Maturity Model: CISA." Cybersecurity and Infrastructure Security Agency CISA, cisa.gov/zero-trust-maturity-model. Accessed 19 Apr. 2024.
  8. Center for Devices and Radiological Health. "Cybersecurity in Medical Devices Frequently Asked Questions (FAQs)." U.S. Food and Drug Administration, FDA, fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs. Accessed 19 Apr. 2024.
  9. "What Is an SBOM?" Linux Foundation, The Linux Foundation, 13 Sept. 2022, linuxfoundation.org/blog/blog/what-is-an-sbom.
  10. "Health Insurance Portability and Accountability Act of 1996 (HIPAA)." Centers for Disease Control and Prevention, Centers for Disease Control and Prevention, 27 June 2022, cdc.gov/phlp/publications/topic/hipaa.html.
  11. Identity and Access Management (IAM) in Healthcare, hipaajournal.com/identity-access-management-iam-healthcare/. Accessed 19 Apr. 2024.
  12. Southwick, Ron. "Healthcare Cybersecurity Budgets Are Rising, but Workers Are Hard to Find." OncLive, OncLive, 2 Mar. 2024, chiefhealthcareexecutive.com/view/healthcare-cybersecurity-budgets-are-rising-but-workers-are-hard-to-find.