Pursuing Cyber Resiliency So Healthcare Can Weather the Worst Storms
Anyone who watched the Apple TV show or read the Pulitzer Prize–winning investigative series “Five Days at Memorial” was likely shocked that a hospital in New Orleans didn’t have a hurricane preparedness plan.
The result was a power failure, lack of potable water and food, botched care, and a poorly executed evacuation during 2005’s Hurricane Katrina that impacted hundreds of patients and providers — some fatally. Beyond the immediate crisis, exhausted personnel faced mental health woes for years afterward.
But whether we’re talking about a deadly weather event or another disaster that is arguably more controllable — like a ransomware attack — the conversation is the same. It’s all about resilience.
Defense in depth is a multilayered approach
But just what does resiliency mean, and why is cyber resilience important? Nary a CISO (nor anyone else who’s attended a healthcare conference since the COVID-19 pandemic) hasn’t spilled the phrase “cyber resilience” like the hottest tea around the community water cooler.
Initially, the pandemic was a catalyst for thought-provoking research, like “How to Build—And Lead—Resilient Health Care Teams During COVID-19” from Harvard’s T.H. Chan School of Public Health.
At first, providers and caregivers were mobilized and inspired like never before. For example, Texas physician Nora Garza said that she was “built for this” crisis and had the “gumption … in a time when people are in their greatest need.” And she was not alone. The resiliency of healthcare providers was paramount during the COVID-19 crisis.
But as the public health emergency stretched on for three years, that fortitude waned for many caregivers. An exodus of skilled professionals continues to affect healthcare, and those departures aren’t limited to clinical settings.
A survey from the Healthcare Information and Management Systems Society (HIMSS) cites hiring and retention as the primary barrier to robust cybersecurity at healthcare organizations: Almost 84% of respondents said they struggle to attract skilled staff, and more than two-thirds cite retention as another top problem.
The implications of sudden digital transformation, lack of a Zero Trust security model
That’s cause for concern on many levels. Healthcare’s speedy digital transformation during the COVID-19 pandemic took on many forms, each requiring complementary technical expertise. There was a sudden transition to remote work for many support staff, and although many healthcare organizations are working toward it, few have a Zero Trust security model in place.
Virtual care and the expansion of the Internet of Medical Things require superior delivery and protection, yet a recent report from Forbes shows that 82% of IT executives noted that their organization experienced one or two data breaches when introducing new technology. That’s a vital statistic when thinking of the consequences behind compromised patient data, which is more valuable than other data on the Dark Web.
While the June 2023 closure of a hospital in Illinois is the first to be linked to a ransomware attack, the number of such facilities facing similar challenges continues to rise. Healthcare is a top target for malicious actors, including a recent spate of hospital-related threats from Russian hacktivist group Killnet.
Ransomware attacks on healthcare are a “threat to life”
The hospital closure is a case in point that, as the American Hospital Association states, “Ransomware attacks on hospitals are not white-collar crimes, they are threat-to-life crimes.”
Tony Lauro, the Director of Security Technology and Strategy at Akamai, believes, “The ability to maintain required capability in the face of adversity is a continual struggle across many industries, but healthcare is perhaps one of the hardest-hit because of COVID-related operational woes and rapid digitization.”
Cybersecurity is directly related to financial solvency
In addition to clinical impacts, there are direct financial impacts tied to ransomware attacks and system downtime. The Illinois hospital closure was linked to billing being delayed for months after its system outage. Other healthcare facilities face massive cybersecurity insurance premiums after suffering a breach.
The long and short of it? Cybersecurity has a direct correlation with financial solvency — and operational resilience.
Prevention and mitigation: the best medicine
Cybersecurity tools and frameworks that align with the NIST guidelines can help healthcare and life sciences organizations batten down the hatches in advance of a storm.
One part of the guidelines includes having a tested emergency response plan, which Memorial Medical Center did not have. Plans for crises — whether those crises are physical or technical — are just as essential as fire drills.
Manage and improve cybersecurity resilience
The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a set of five Framework Core Functions for organizations to manage and improve their cybersecurity posture and resilience. These include:
Identify — Develop an understanding of the potential risks, especially by mapping assets, systems, data, and their associated vulnerabilities.
Protect — Add safeguards such as robust access controls, encryption mechanisms, and security awareness training programs to protect sensitive patient information.
Detect — Develop and implement activities to detect cybersecurity incidents in a timely manner so the organization can respond and mitigate. Real-time monitoring tools can detect potential security breaches promptly.
Respond — Have an effective response plan in the event of a cybersecurity incident that will minimize the impact and restore normal operations. This includes outlining roles, responsibilities, and internal and external communication protocols.
Recover — Resilience and restoration after an incident are crucial. Healthcare organizations must focus on recovering their systems and data. This includes restoring backups, analyzing lessons learned, and improving resilience against future attacks.
“Everyone is focusing on responding and recovering and not enough on the ‘identify,’ ‘protect,’ and ‘detect’ stages,” says Lauro about the healthcare industry’s framework adoption. “We've always said this at Akamai — being preventive is way less costly than being reactive.”
The need to shift toward prevention
Despite an increase in data breaches, the number of healthcare and life sciences organizations that are shifting focus away from crisis and toward prevention is still surprisingly low. Protections such as phishing-resistant multi-factor authentication (MFA) are considered security gold standards, but only 9.4% of respondents to the HIMSS cybersecurity survey have implemented such measures.
Healthcare cyberattacks are becoming more frequent and severe, using advanced techniques like zero-day exploits, targeted malware, and social engineering. The avenues threat actors use continue to move closer to those on the (clinical- and patient-facing) front lines. This necessitates both cyber resilience and operational resilience for a unified nexus across people, process, and technology.