Health industry wake-up call

The Department of Health and Human Services (HHS) and the Health Sector Coordinating Council recently published a report on managing cybersecurity threats and protecting patients. The stated goal of the publication is to foster awareness, provide practices, and move towards consistency to mitigate today’s most impactful cybersecurity threats. It explores five threats and provides suggestions for how to mitigate them. The threats are:

• E-mail phishing attacks
• Ransomware attacks
• Loss or theft of equipment or data
• Insider, accidental or intentional data loss
• Attacks against connected medical devices that may affect patient safety

What’s in a label?

Arguably, four of the five threats they chose could be labeled as insider threats. When an external threat successfully gains access by exploiting an employee’s legitimate credentials via phishing or ransomware, they look like an insider. The outcomes of each threat, however, are the same - loss of personal health information (PHI) or personally identifiable information (PII), financial loss, tarnished reputation, and/or compromised patient safety.

Other threat and loss examples include:

• e-mail and unencrypted mobile storage, resulting in data breaches;
• employees or others inappropriately viewing and/or using patient information;
• socially engineered insiders giving the external hacker insider accesses, including banking information;
• patients given the wrong medicines or treatment because of incorrect data in the file;
• patients taking their business to a competitor; or
• unauthorized persons (internal or external) gaining remote control of a medical device and compromising patient safety.

Not just an IT problem

The report correctly highlights that this is “not simply an IT problem.” It never has been. Whether addressing an insider threat or network protection, the solution requires a human-centric approach. We expect our caregivers to be knowledgeable, well trained, compassionate and caring. We should expect the same from the solution to this problem. After all, the root of the issue is human beings.

Training and awareness, auditing, data loss prevention, and privileged access management are critical and basic steps (countermeasures) that are well tested and beneficial for any organization. They are easily scaled to fit the needs of the business. For example, small medical practices benefit most from training and awareness and outsourcing fundamental security protections, while large healthcare organizations need a formal Insider Threat program. For the protection of connected medical devices, they may also benefit from the use of cross domain technology used in the government and being explored in the operations technology (OT) world.