How COVID-19 exposed provider cybersecurity gaps

Dan L. Dodson

Where do we go from here?

In a year of constant hurdles for healthcare organizations, count cybersecurity as one of the highest. Long targeted for their rich data and lack of mature security programs, such organizations were stretched thin in all areas during the first pandemic surge, and that posture improved only slightly during the rest of the year. Bad actors saw the pandemic for what it was: a perfect opportunity.

There is an upside though. The cybersecurity situation in 2020 highlighted the need for hospitals and health systems to get back to security fundamentals, something often unwisely ignored. Remote work arrangements and telehealth visits led to better security solutions and long-needed policies around email and device security. The overdue realization that cybersecurity employees can effectively work remotely opened opportunities for staffing, helping solve one of the thorniest HR issues faced by healthcare organizations.

A Few Numbers to Consider

According to the 2021 Horizon Report, reported breaches increased 18% in the first ten months of 2020 versus the same period in 2019. Healthcare organizations knew it was coming (they were warned by the FBI in April) but were unable to fight the virus and cybercriminals simultaneously.

All spring, healthcare IT departments scrambled to supply newly remote workers with laptops and sufficient security measures. Meanwhile, hackers targeted providers more than any other sector (79% of security breaches). Hacking and other IT incidents were the leading cause of breaches, at 69%. Attacks on network servers also increased, rising from 23% in January through October 2019 to 35% in the same period of 2020.

Ransomware attacks are a significant area of concern, prompting warnings from the FBI, HHS, and the Department of Homeland Security this fall about an imminent threat to healthcare organizations. Even so, email remains the most common attack vector because recent sophisticated phishing campaigns have proven so effective. Business associates (BAs) must also stay on IT’s radar screen: the number of BAs involved in breaches last year rose significantly over the same period in 2019 (from 105 to 196).

As of January 2021, 715 healthcare providers are under investigation by the Office for Civil Rights (OCR), compared to 79 BAs and 67 health plans. Considering how many fronts healthcare organizations are fighting on, a cybersecurity breach and the time-consuming investigation that follows are exactly what providers do not need.

Market Forces

The 2021 Horizon Report outlines the four market forces affecting healthcare entities the most now and for the immediate future.

1. Incident response plans. Healthcare IT executives should realize they need more effective incident response plans if they are to mitigate the risks arising simultaneously from telehealth services, work-from-home environments, and cyberattacks.

2. Tool rationalization. Rather than using overlapping technical point solutions, IT executives can opt for a more holistic approach to their technology spend. Right-sizing the technology spend brings multiple benefits, including reducing coverage gaps and ensuring technology is used to its fullest extent.

3. New ways to work. Human capital will never be viewed the same way again, and IT execs are exploring their options, including outsourcing monitoring and other cybersecurity functions.

4. Security beyond hospital walls. As employees worked from home, IT execs saw the importance of (1) real-time network monitoring and (2) staff training to help combat phishing attacks.

Looking Ahead

With these market forces in mind, healthcare executives (IT and otherwise) can look at changes aimed at better withstanding today’s realities. For many, a careful examination of business continuity and incident response plans is in order, along with a plan to ensure those procedures are followed consistently during a cybersecurity event.

For example, the pandemic showed that on-premises IT systems that cannot be properly accessed remotely can significantly hamper the ability to respond effectively during an emergency. Similarly, a clear line of authority from the server room to the C-suite is critical. Having multiple IT executives (CIO, CTO, and CISO) can cause confusion about reporting, as cybersecurity reporting is sometimes split between various business units.

A larger-picture consideration is which IT competencies to keep in-house and which to outsource. Healthcare organizations have been slow to adopt cloud-based systems and software-as-a-service (SaaS) but have recently warmed up to their use. Experiences during the pandemic may speed this process.

Moving to cloud-based systems allows providers to create a hybrid model for cybersecurity: keeping core functions in-house and outsourcing some security and maintenance functions to a managed security service provider (MSSP). In many cases, this step is less a matter of offloading tasks and more about gaining expertise and best practices. For example, an MSSP with healthcare expertise may not only spot a potential attack when it first occurs but also warn the other hospitals it serves and take steps to protect those systems from a comparable attack.

Looking further into 2021, the 2021 Horizon Report sees an unfortunate double-digit increase in breaches; a larger spend on cybersecurity thanks to prioritization from the C-suite; a focus on verifying credentials and access; and the advent of tool rationalization. Specifically, it recommends staying current on potential threats, emphasizing user training to derail phishing attempts, testing backup/downtime plans, ensuring security tools are up to date, and identifying the processes or tools needed to mitigate any security gaps. Finally, it encourages healthcare providers to go beyond the basics by deploying advanced endpoint protection and adding multi-factor authentication to reduce their attack surface.

Dan L. Dodson is the CEO of Fortified Health Security, a recognized leader in cybersecurity that is fully focused on the healthcare market. He is the author of the “2021 Horizon Report” on the state of cybersecurity in healthcare. Through Dan’s leadership, Fortified Health Security partners with healthcare organizations to develop the best path forward for their security program based on their unique needs and challenges.