Five Ways to Improve Healthcare Security Today

by | Feb 20, 2024

In a recent article on a cyberattack that crippled Chicago’s Lurie Children’s Hospital, the Associated Press reported that experts believe attacks on U.S. healthcare organizations are likely to get worse in the coming year. The reason, according to the American Hospital Association (AHA), is that the mix of digitally connected technologies used by hospitals is so broad and complex, there are too many healthcare security weak points to defend that most hospitals are ill-equipped to protect themselves.

“Unfortunately, the unintended consequence of the use of all this network and internet connected technology is it expanded our digital attack surface,” the AHA’s cybersecurity advisor John Riggi explained to the AP. As a result, there are “so, many more opportunities for bad guys to penetrate our networks.”

That’s bad news for healthcare security. And what’s worse is the threat actors carrying out these attacks are gaining more financial reward—and motivation—as they increase their efforts. The AP report said that the average take from a successful cyberattack nets the attackers an average of $1.5 million—up from only $5,000 just five years earlier.

Help from the Government?

One security analyst said that, “Unless governments do something more meaningful, more significant than they have done to date, it’s inevitable that it’ll get worse.”

We disagree that hospitals must rely on action by the government before they can stem the tide of attacks. What’s more, taking this attitude is likely to make matters worse for healthcare security as organizations wait for help to come from somewhere else when they could, instead, start marshaling their own resources to improve their resilience against cyberattacks.

What We Can do Today

The fact is, governments are slow to act and, by the time they do manage to pass some sort of measure to address a situation, there’s a chance that the law will already be obsolete. And if the solution that some are waiting for is state or federal funding to pay for needed improvements it’s not likely the amounts made available will be sufficient on their own to invest in what is needed to identify and close security gaps. Also, any checks written would likely be contingent on the recipient making some change, or presenting some play, to justify a grant. So, why wait for help that might not arrive? Why not do what you can to fortify your networks with what you have today?

No, this is not where we claim that an investment in one of our products is the first step a hospital should take if they want to make their network impervious to attack. This is merely a call to take a moment to reconnoiter and adjust; to take inventory of what resources a hospital (or any organization for that matter) has available—both internally and externally. Here are five things you can do right away.

1. Adopt a Proven Framework

Recently we wrote about the availability of proven cybersecurity frameworks that are available for either creating a new or revising an existing cybersecurity strategy. Picking one—whether from NIST or some other organization—is a good place to start. That will allow you to set priorities for what to protect because often the biggest mistake an organization can make is to try and protect every asset and aspect of their IT enterprise equally. Instead, the focus should be on protecting the things that are most vital to carrying out the mission.

2. Set Meaningful Priorities

Another important step is to assess what threats are most likely to imperil your organization and align your priority actions with addressing those. Attacks on hospitals are different from those targeting financial services, manufacturing facilities, etc. One element that can disproportionately affect healthcare organizations is the number and variety of digital supply chain connections there are between third parties and the various systems in the network. Hospitals and other healthcare organizations rely on affiliated medical offices, financial services, technical support, billing and insurance providers, suppliers of medical and other materials, and many more.

3. Strengthen Digital Supply Chains

We work with many large hospitals and other healthcare services organizations, and some maintain digital supply chains that have well over a thousand different first-level connections. A compromise of any one of them can be catastrophic to cybersecurity. Gaining a handle on digital supply chain security is a must, and that might mean requiring that your vendors and partners commit to improving their own standards as a condition of doing business. That might seem harsh, but it beats the alternative.

4. Emphasize Cyber-Hygiene

Cyber-hygiene should also be emphasized. Improving the day-to-day awareness and practices of every employee can make it harder for attackers to exploit two of the biggest security weaknesses of any organization: email and mistakes. Email in-boxes are bombarded with phishing messages every day, and this is often where threat actors gain a foothold. And while most phishing emails may be obvious to even the untrained eye, the use of AI is contributing to an exponential increase in sophistication that could be mistaken as genuine. As for mistakes, using process automation wherever possible—especially for tasks involving sensitive data management—is vital.

Finally, this article on common threat vectors from Dark Reading offers good insights on things to look for, and change, to mitigate many threats. In addition to email, the article identifies public-facing applications, compromised user credentials, and the use of remote services as oft-exploited weaknesses in cyberdefenses.

5. Don’t Do Nothing

This blog is not meant to suggest that improving security is a simple matter. But it is clear that doing nothing is not a viable option. When we all improve our individual security postures, we vastly improve our overall security posture. Let’s all commit to that as a starting point. Then, if Uncle Sam does manage to provide some financial relief, we’ll be in a much better position to know how to apply those funds to make a bigger difference.