How Healthcare Organizations Can Get Ahead of New and Worrisome Cybersecurity Developments

Cybersecurity is a priority for many organizations these days, but one sector of particular concern is healthcare.

According to Axios, more than 32 million people have had their protected health information (PHI) breached this year, making the sector the leading industry for cyber-attacks and breaches. Meanwhile, the Department of Health and Human Services is investigating 311 healthcare providers listed on its data breach “wall of shame”.

Those are worrisome numbers, but they don’t necessarily tell the whole story. More than any other industry, poor cybersecurity hygiene in a hospital setting can have a direct impact on people’s lives. In fact, it’s emerged that the impact of a cyber-attack on patient care has become deadly.

Data breaches reduce the quality of patient care

A recent study, conducted by Vanderbilt University’s Owen Graduate School of Management, found that in the wake of a cyber-attack, and as a result of subsequently stronger security controls, the quality of patient care drops and mortality rates increase, notably among heart patients.

Quoting the study, Krebs on Security reported that “...after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined...The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.”

This is a new development in the battle against cybercrime in the healthcare sector. It suggests a definitive correlation between the security measures implemented after a cyber incident, such as multi-factor authentication, and an adverse impact on critical patient care.

“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the Vanderbilt University study found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”

In other words, more robust controls slowed down hospital staff’s ability to provide critical care to patients. Or, to put it even more bluntly, better security may have been achieved, but at the expense of patients’ well-being.

While there is no universal “best practice” to remedy the quandary, security professionals in the healthcare industry must design cybersecurity solutions that address the specific needs of the business, which, in the healthcare industry, is patient outcomes.

The unique nature of cybersecurity risk in healthcare

Spurred by digital transformation and the value placed on PHI, healthcare organizations clearly occupy a perilous cybersecurity landscape. Vast, interconnected systems are accumulating weak spots that can threaten patient outcomes. Indeed, our own research found that organizations in this sector have much to do to improve their security postures.

A key challenge for the healthcare sector is third-party risk management. An increased dependency on outsourced services, such as patient billing and records, and greater interaction with mobile and IoT technologies have significantly broadened the risk landscape to encompass vendors and contractors.

It’s a startling fact, but a recent study found that 59% of cybersecurity breaches originate with third parties. In 2019, attacks such as the Quest Diagnostics breach have already exposed up to 23 million patient records.

Third-party risk assessment and monitoring takes center stage

Third-party risk assessment is such a serious concern that healthcare cybersecurity standards alliances are starting to implement measures to combat the threat. HITRUST, for example, is pioneering a boutique Third-Party Risk Management (TPRM) methodology to help address the unique needs of the sector.

However, hospitals engaged in comprehensive TPRM should also incorporate ongoing, real-time monitoring of vendor risk. As new threats evolve and business relationships change, healthcare organizations must continuously monitor the security performance of their vendors over time, looking for material changes in their risk framework and then proactively collaborating to mitigate risk.

It’s also important to collect independent, objective, and verifiable information about the risk of engaging with a particular third party. This information should include historical data on that organization’s security performance over time.

A comprehensive approach to healthcare cybersecurity

Despite the rise of cybersecurity awareness in the healthcare sector, numerous studies and breaches prove that more needs to be done to prevent an attack. And, as the shocking findings of the Vanderbilt University study suggest, hospitals will likely face increased pressure to understand and proactively manage their third-party relationships, which tend to pose the greatest cybersecurity risk.

However, unless they’ve experienced the impacts of a breach first-hand, it can be hard for hospital leaders and administrators to grasp the potentially devastating consequences of not doing enough to prevent a cyber-attack. Even if they have the funding to harden their security posture, they must balance controls with convenience. Meanwhile, security teams will likely continue to struggle with a lack of visibility into the risks and vulnerabilities associated with their own security infrastructure and partners.

Unless, of course, they employ a comprehensive security approach. While there’s no failsafe way to stop a cyber-attack, the release of new frameworks like the HITRUST TPRM methodology and the availability of third-party continuous monitoring solutions give healthcare organizations the tools they need to obtain a true measure of a vendor’s security posture before they engage with that vendor and for the life of the business relationship. Using this insight, they can quickly identify vulnerabilities and understand what to do and where to focus valuable resources to successfully manage risk across their business ecosystems.