Healthcare Cybersecurity: Start with a Plan

By Bill Phillips, Sr. VP & CIO, University Health System, San Antonio, Texas

Bill Phillips, Sr. VP & CIO, University Health System, San Antonio, Texas

Today’s healthcare landscape continues to become more complex each day. The CIO’s role is ever-expanding with additional responsibilities. At the top of this list is the protection and security of the systems and data of the organizations we serve. As we all have seen in the news, the recent Wannacry ransomware attack struck countries and organizations around the world. Many businesses were disrupted, including National Health Service hospitals in the UK, where systems were frozen and data encrypted resulting in chaos.

“Sharing information can assist others in preventing an attack, reducing the spread of an attack and ultimately eliminating threats”

Although the attack was devastating for many, it did bring a heightened awareness to healthcare organizations across the country. CIO’s have to deal with the risk of cyber-attacks, which bring down systems, make data unavailable or extract data. Recent studies have valued downtime at a cost of approximately $5,000 per minute. In 2016, there were 329 data breaches of more than 500 records each, exposing a total of 16,471,765 patient records. The average cost of a data breach is $4 million.

One of the key differences in Protected Health Information (PHI) versus financial data is that PHI lives forever, and financial information ends at the time of discovery. In other words, if you had your identity stolen, you would immediately cancel your credit cards and change your bank account numbers, which terminates the life of the breach. If your PHI is stolen, you cannot change your medical history. Unfortunately, cybersecurity threats cannot be eliminated, they can only be mitigated. Just look at recent events around the world. 

Mitigation begins with a plan. Conduct an accurate and thorough assessment of potential risks and vulnerabilities of your environment. If you haven’t done so, establish a vulnerability management process. This should be part of your organizations effort to control security risks. Identifying and mitigating vulnerabilities will reduce the likelihood of an attack.

According to the SANS Institute, vulnerability management consists of five phases: preparation, vulnerability scanning, defining remediation actions, implementing remediation actions and rescans. There are several types of scanners available on the market today which utilize a variety of technologies. A key component in this process is deciding whether to remediate the vulnerability or accept the risk. 

A primary example of this is patching. Patches are made available, but at a risk. Sometimes the patch is disruptive and brings applications down, application vendors have known issues with the patch, or the vendors haven’t had a chance to test the patch when made available. These types of issues normally delay patching cycles, and organizations have to decide what an acceptable risk is. Establishing a vulnerability management process is critical to identifying risks for your organization pertaining to cyber threats.

No organization, regardless of size, is exempt from cybersecurity threats. In the event of an attack, you need a plan to follow. An incident response plan is an important part of your overall cybersecurity strategy and consists of awareness, assessment, response and recovery, and restoration of services. Performing incident response effectively is a complex undertaking.

Establishing a successful incident response capability requires substantial planning and resources. There are many good reference documents available to assist with the creation of a plan. The National Institute of Standards and Technology has a very good document titled Computer Security Incident Handling Guide. This is a detailed guide for establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. The document also includes different scenarios to work through.

One of the key critical items to combat security threats is information sharing. Sharing information can assist others in preventing an attack, reducing the spread of an attack and ultimately eliminating threats. There are several organizations that have setup processes for information sharing. The following is a list of several: The FBI, National Institute of Standards and Technology, National Vulnerability Database, Department of Homeland Security, National Cybersecurity and Communications Integration Center, United States Computer Emergency Readiness Team, Health Information Trust Alliance, National Health Information Sharing and Analysis Center, National Cyber-Forensics & Training Alliance and American Hospital Association, to mention a few. These organizations provide information pertaining to current and potential threats. I also strongly recommend establishing a relationship with the FBI office that supports your location.

Cyber threats will continue to plague healthcare organizations, as demonstrated over the past several years. No organization is safe from attacks. Implementing a cybersecurity framework will assist you with mitigating risks. Items to consider:

• Cybersecurity presents risks and opportunities
• Cybersecurity incidents are predicted to increase each year
• New threat vectors will emerge as technology advances
• Cyber attackers will go after easy targets
• Learn from other Healthcare breaches
• Understand the nature and scope of cyber threats
• Continue to invest in education, prevention, detection and response
• Identify your assets and risks
• Implement protection/detection technologies
• Test your plan
• Ensure you have an adequate backup strategy
• Plan to respond and recover to an event