Cybersecurity was already one of the top concerns among healthcare organizations at the beginning of 2022, after a record year of healthcare data breaches in 2021.
“The combination of poor cybersecurity practices, sensitive data storage, and a desperation to preserve business continuity at all costs, makes the healthcare industry a prime target for cybercriminals – an inevitability that was further exacerbated by the pandemic,” writes Edward Kost for the cybersecurity risk management company Upguard.
And now, with the ongoing war in Ukraine and the increased international risk of a cyberattack from Russia, its allies, or other bad actors, experts are urging extreme caution and immediate action.
“We are seeing more and more nation-state activity due to the conflict in the Ukraine,” says Ryan Wright, a professor specializing in cybersecurity at the University of Virginia, in an interview with USA Today. “With U.S. sanctions setting in, it is only a matter of time until the U.S. is targeted more directly. This may mean attacks on your personal device through ransomware but also attacks on the infrastructure such as your internet access or even the power grid.”
Acts of War Exclusions
In time of war, one issue healthcare organizations may face is the potential for a cyberattack to be excluded from their usual cybersecurity insurance coverage because of “acts of war” exclusions.
According to Alex Clark, CPLP, cyRM, Vice President, Cyber Risk Practice Leader at Hylant, while every cyber policy includes some type of war exclusion, they aren’t “a one size fits all decision and many carriers have different exclusion language.”
“Any stance that is taken on a systemic cyber event would depend on the facts and circumstances applied to the policy language and the event itself,” Clark said in a recent email communication to clients.
Back in January, the Lloyd’s Market Association (LMA) released four model war-exclusion clauses, with expanded definitions of what counts as “war,” for use in cyber insurance policies written in the Lloyd’s market.
The concern about these and other such exclusions is that they “suggest that insurers are — for now — taking a very cautious approach,” according to The National Law Review. “Consequently — and as premiums for cyber insurance continue to rise — insureds should carefully determine whether their operations are sufficiently insured from foreseeable risks.”
Ransomware also continues to threaten the healthcare industry, as the need to maintain patient safety and well-being makes healthcare providers especially vulnerable to such attacks.
Ransomware is essentially malware that is loaded onto a network to spread and encrypt sensitive data. The data is then held hostage until the victim pays the ransom and receives the decryption key. According to Kost, this malicious software usually gets into a system when an unsuspecting employee clicks on a link in a phishing email.
The Cybersecurity and Infrastructure Security Agency (CISA) launched a new website – StopRansomware.gov – to help public and private organizations defend against the rise in ransomware cases. StopRansomware.gov is an interagency resource that gathers ransomware protection, detection, and response guidance for partners and stakeholders in one place, including ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners.
Beyond the EHR
Another issue related to cybersecurity in healthcare is acknowledging the breadth of risk throughout the organization beyond the obvious electronic health record.
“All too often, we see that risk analyses only cover the electronic health record,” writes Lisa Pino, Director of the Office for Civil Rights (OCR), in a recent blog post. “I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”
What to Do
Director Pino recommends that all healthcare organizations, from physician practices to hospital systems, regularly review their risk management policies and procedures and, if they have not done so recently, conduct a review now in light of the increasing threat of a cyberattack. OCR suggests that the following best practices be included:
- Maintain offline, encrypted backups of data and regularly test your backups.
- Conduct regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.
- Apply patches and updates to your software and operating systems promptly.
- Train your employees regarding phishing and other common IT attacks.
Other best practices recommended by Kost, include:
- Increase visibility. “An attack surface monitoring solution will instantly display all vulnerabilities associated with cloud solutions within a private network.”
- Improve third-party security. “Almost 60% of data breaches occur via a compromised third-party vendor.”
And Jessica Guynn offered these additional tips in a recent USA Today article:
- Think before you click. “Most cyberattacks start with a phishing email, which looks legitimate but isn’t and can be used to steal your passwords, Social Security number, credit card numbers and other sensitive information or to run malicious software known as malware.”
- Use strong, unique passwords. “Use strong passwords and don’t reuse them. Your best bet is to subscribe to a password manager to generate and store unique passwords.”
- Back up important files.
- Use a VPN on public Internet.
Finally, most security experts agree that one of the most effective controls against credential-based attacks is to implement Multi-Factor Authentication (MFA). In fact, Kost estimates that “up to 90% of cyber attacks could be prevented with MFA enabled on endpoints and mobile devices.”
MFA is an electronic authentication method in which a user is granted access to a website or application only after presenting two or more independent pieces of evidence, or “factors,” tied to their identity. The factors must come from different categories (a password plus a security question is still single-factor, since both are things the user knows). Factors are drawn from four categories:
- knowledge (something only the user knows, like a password, PIN, or security question),
- possession (something only the user has, like a hardware security token or fob, or an authenticator app that displays a time-based code, typically enrolled by scanning a QR code),
- inherence (something only the user is, typically a biometric method like scanning a fingerprint or iris, or a behavioral biometric such as keystroke dynamics), and
- location (somewhere the user is, like a connection to a specific network or a GPS signal to identify the location).
For more information about minimizing your cyber risk, check out the following resources:
- CISA’s SECURITY TIP (ST04-006): Understanding Patches and Software Updates
- CISA’s “New StopRansomware.gov website – The U.S. Government’s One-Stop Location to Stop Ransomware” on July 15, 2021
- “Cybersecurity: Avoiding Cyber Attacks Is Everyone’s Responsibility” from the CIPROMS archives
- “Americans are at higher risk of Russian cyberattacks after Ukraine invasion: What you should do right now” by Jessica Guynn for USA Today on February 28, 2022
- “Biggest Cyber Threats in Healthcare (Updated for 2022)” by Edward Kost for Upguard on February 03, 2022
- “Improving the Cybersecurity Posture of Healthcare in 2022” by Lisa Pino, Director of the Office for Civil Rights (OCR), for the HHS blog on February 28, 2022
- “How to identify a malicious email” by Hoala Greevy for Physicians Practice on February 4, 2022
- “Four New Cyber War Exclusions from Lloyd’s Market Association” by The National Law Review on January 10, 2022
- “Cyberattacks top list of 2022 health tech hazards alongside supply chain problems, damaged infusion pumps” by Rebecca Torrence for Fierce Healthcare on January 20, 2022
- “Healthcare data breaches hit all-time high in 2021, impacting 45M people” by Heather Landi for Fierce Healthcare on February 1, 2022
- “Be Alert: Heightened Concerns about Cyberattacks” by Alex Clark for Hylant on March 09, 2022