Healthcare is the only industry in which internal threat actors are the biggest threat to an organization, a recent study posits. The "Verizon Protected Health Information Data Breach Report" found 58 percent of healthcare-related cybersecurity incidents involved insiders.
Workers driven by financial gain, such as tax fraud or opening lines of credit with stolen information, accounted for 48 percent of those incidents; fun or curiosity, such as looking up the personal records of celebrities or family members, accounted for 31 percent; and simple convenience accounted for 10 percent.
Corrupt insiders weren't the only threat to healthcare organizations. Of the incidents involving malicious code, the report found 70 percent were the result of ransomware, a figure similar across all business sectors.
In addition to the cyberattacks, the report also found that 21 percent of incidents involved lost or stolen laptops containing unencrypted personal health information (PHI), prompting researchers to recommend more employee education to ensure that basic security measures are put in place.
“An overall incident response (IR) plan should be established and include both internal stakeholders as well as external partners in areas of legal guidance and forensic investigative assistance,” researchers said in the report. “The ability to react quickly and efficiently can often make a difference in the level of impact an incident has on an organization.”
Furthermore, the report said, improvements should be made in the detection of potential security incidents and/or data.
To improve the threat landscape in the short run, researchers suggested healthcare centers use full disk encryption, routinely monitor record access, and build resilience against ransomware attacks.
Full Disk Encryption is also a part of the HIPAA Security Rule checklist and would help reduce risks in the event of a stolen laptop. Healthcare centers can also reduce their risks by improving their readiness to confront cyberthreats.
One of the best ways they can ensure they are prepared is by conforming to the NIST Cybersecurity Framework (CSF). Unfortunately, the average NIST CSF conformance is only 45 percent for healthcare organizations, according to CynergisTek's "Improving Readiness: Meeting Cyber Threats" report.
“Assuming that the maximum potential is 100 percent, our average of 45 percent is not a particularly promising sign,” the report said. “While the NIST CSF is only four years old, the HIPAA Security Rule will turn 13 in 2018 and healthcare is still catching up.”
Academic medical centers seem to be the most compliant on average, at 65 percent, followed by health systems at 56 percent, children's hospitals at 50 percent, short-term acute care centers at 48 percent, and critical access centers at 18 percent.
“By hospital type, not surprisingly, the smaller, the lower the level of NIST compliance,” researchers said in the CynergisTek report. “This should be a reminder that we are all connected and while your organization may have many of the NIST practices and guidelines in place, connecting with organizations that have less security raises your risk.”
While the type of facility made a difference in security, the correlation between budgets and security was less clear. Although healthcare centers as a whole were more compliant the higher their budget, there were still discrepancies: centers with budgets of less than $50 million had an average 27 percent conformance rate, compared to a 16 percent average conformance rate for organizations with budgets between $50 million and $100 million.
“Organizations with less than $50 million in revenue scored significantly higher than those in the $50 million to $100 million range,” researchers said in the report. “Organizations in the range of $500 million to $1 billion in revenue scored higher than the next two tiers, and higher than any other revenue range.”
Researchers said that organizations must have a response plan in place, defined communication lines among appropriate parties, and the ability to collect and analyze information about the event. In addition, they must recover through a coordinated set of restoration activities, carried out internally and with external parties, that incorporates the lessons learned into an updated recovery plan, the report said.