Cybersecurity threats to healthcare organizations and patient safety are real. Health information technology provides critical life-saving functions and consists of connected, networked systems that leverages wireless technologies, which in turn leave such systems more vulnerable to cyber-attacks. Recent highly publicized ransomware attacks on hospitals, for example, necessitated diverting patients to other hospitals and led to an inability to access patient records to continue care delivery.
Such cyber-attacks can also expose sensitive patient information and lead to substantial financial costs to regain control of hospital systems and patient data. From small, independent practitioners to large, integrated health systems, cyber-attacks on healthcare records, IT systems, and medical devices have infected even the most protected systems. Given the increasingly sophisticated and widespread nature of cyber-attacks, the healthcare industry must make cybersecurity a priority and make the appropriate investments needed to protect its patients.
There has never been a more critical time for our sector to discuss the importance of cybersecurity. By the end of 2019 a research foundation found that 764 healthcare providers fell victim to ransomware1, including two of the largest healthcare breaches in 2019. Phishing attacks also increased throughout 2019, and one aggressive phishing attack on the Oregon Department of Human Services caused the largest breach of the year impacting 645,000 patients2. Also, the U.S. Department of Health and Human Services Office for Civil Rights Breach report concluded 38 Million Healthcare Sector records were exposed in 2019 versus only 7 million exposed in 2018. These attacks do not occur in a vacuum, they affect us all and continue to threaten our nation’s critical infrastructure sectors.
Like combatting a deadly virus, cybersecurity requires mobilization and coordination of resources across a myriad of public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments (state, local, tribal, territorial, and federal) to mitigate the risks and minimize the impacts of a cyber-attack. Most importantly, cybersecurity is a shared responsibility; a team effort. It is not solely an IT issue; it is an enterprise issue with impacts to mission, business, and programs. For the health industry, it is fundamentally about patient safety and uninterrupted care delivery. Cybersecurity is also a challenge of technology and tactics, but is also a challenge of increasing awareness across all elements of our organizations—doctors, nurses, administrators, healthcare practitioners, cybersecurity professionals, IT and non-IT experts—and bringing all relevant parties into a challenge that is about much more than just technology. This is why addressing this threat requires a broad, collaborative approach across a multitude of organizations within the government and the private sector.
The U.S. Department of Health and Human Services is a dedicated partner in this mission, and is working actively with a broad coalition of partners to enhance cybersecurity within the Department and across the Healthcare and Public Health Sector. HHS uses a 360-degree view to ensure that cybersecurity efforts are based on a “one team, one fight” approach. HHS has many players on this team, IT and non-IT. The HPH sector also has teammates in academia, medical research, and technology. HHS continues to build partnerships with these important stakeholders to become a better, more coordinated team.
HHS began this broad coalition approach in response to the Cybersecurity Act of 2015. Under Section 405(d), HHS convened the CSA 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use.
To ensure a successful outcome and a collaborative public–private development process, HHS engaged a diverse group of healthcare and cybersecurity experts from the public and private sectors. Participation was open and voluntary. Out of this coalition the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication was developed to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the most pertinent cybersecurity threats.
What is HICP?
The HICP publication provides guidance on cost-effective methods that a range of healthcare organizations at every size and resource level can use to reduce cybersecurity risks. The HICP publication was designed with everyone in the HPH sector in mind. The main document describes, at a high level, the current state of cybersecurity in the HPH sector and the top five threats we are facing. It sets forth a call to action for the healthcare industry, especially executive decision makers, with the goal of raising general awareness of the issue. It was also developed to be read by doctors, nurses, administration officials and any non-IT healthcare professionals who are seeking a background in the importance of protecting patients from cyber threats.
The document includes a main document, two technical volumes, and a resources templates appendix:
- The main document examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores (5) current threats and presents (10) practices to mitigate those threats.
- Technical Volume 1 discusses these ten cybersecurity practices for small healthcare organizations.
- Technical Volume 2 discusses these ten cybersecurity practices for medium and large healthcare organizations.
- Resources and Templates includes a variety or cybersecurity resources and templates for end users to reference.
The Five Threats
The five threats explored in this document are as follows:
The technical volumes are designed with your IT department or IT contractor in mind and lay out the top ten mitigation practices that should be implemented at every size organization to strengthen cybersecurity posture.
E-mail phishing is an attempt to trick you, a colleague, or someone else in the workplace into giving out information using e-mail. An inbound phishing e-mail includes an active link or file (often a picture or graphic). The e-mail appears to come from a legitimate source, such as a friend, coworker, manager, company, or even the user’s own email address. Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer. Accessing the link or file may result in malicious software being downloaded or access being provided to information stored on your computer or other computers within your network.
Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key. However, hackers may deploy ransomware that destroys or exfiltrates data, or ransomware in conjunction with other malware that does so. Paying a ransom does not guarantee that the hacker will unencrypt or unlock the stolen or locked data. Ransomware threats may incorporate tactics or techniques that are the same as or identical to other threats. For example, successful phishing attacks may lead to the installation of ransomware.
Loss or Theft of Equipment or Data
Every day, mobile devices such as laptops, tablets, smartphones, and USB/thumb drives are lost or stolen, and they end up in the hands of hackers. Theft of equipment and data is an ever-present and ongoing threat for all organizations. From January 1, 2018, to August 31, 2018, the Office for Civil Rights received reports of 192 theft cases affecting 2,041,668 individuals. Although the value of the device represents one loss, far greater are the consequences of losing a device that contains sensitive data. In cases where the lost device was not appropriately safeguarded or password protected, the loss may result in unauthorized or illegal access, dissemination, and use of sensitive data.
Insider, Accidental or Intentional Data Loss
Insider threats exist within every organization where employees, contractors, or other users access the organization’s technology infrastructure, network, or databases. There are two types of insider threats: accidental and intentional. An accidental insider threat is unintentional loss caused by honest mistakes, like being tricked, procedural errors, or a degree of negligence. For example, being the victim of an e-mail phishing attack is an accidental insider threat. An intentional insider threat is malicious loss or theft caused by an employee, contractor, and other user of the organization’s technology infrastructure, network, or databases, with an objective of personal gain or inflicting harm to the organization or another individual.
Attacks Against Connected Medical Devices
The Food and Drug Administration (FDA) defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them; intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Consider this: Your organization is afflicted with a phishing attack that affects a file server that a heart monitor is connected to. While scanning the network for devices, the attacker takes control of all heart monitors in the ICU putting multiple patients at risk. Patients are at great risk because an attack has shut down heart monitors, potentially during surgery and other procedures.
To learn more about the top 5 threats facing the healthcare industry and how you can mitigate them check out the Health Industry Cybersecurity Practices Publication at www.phe.gov/405d
405(d) Program now
In the past year the 405(d) Program has grown its reach and continues to pursue its mission of Aligning Health Care Industry Security Approaches. The 405(d) program is now able to assist with many of your cybersecurity needs. Whether it’s instituting a cybersecurity program structure using HICP, or educating your staff on cybersecurity, we are here for you. Check out the list below for the many different ways you can utilize the 405(d) Program and its available resources.
405(d) Awareness Materials
Need cybersecurity awareness posters for your organization? We’ve got you covered! The 405(d) Program creates cyber awareness products year round o we can provide you with a rotating assortment of cybersecurity tips and best practices that you can share with your staff. Our uniquely crafted cybersecurity awareness posters and materials are designed with you in mind and can be used as posters, email blasts, or print outs.
405(d) Guest Webinars
Does your organization have a standing webinar series that is missing a cybersecurity element? The 405(d) Program will come to you! The 405(d) Program will curate a webinar specifically for your organization’s cybersecurity needs and invite other federal partners where appropriate to help educate and inform your workforce on cybersecurity issues.
405(d) Social Media
Looking for ways to stay up to date on the latest 405(d) Cybersecurity topics and products? We are now active on Instagram, Facebook, and Twitter at @ask405d! Our Social Media accounts highlight new 405(d) awareness products and also provide cybersecurity best practices and tips that you can use in your organization. To stay connected, have your organization follow us and re-share our content with your employees!
405(d) Spotlight Webinar
Interested in learning more from industry about cybersecurity? The 405(d) Spotlight Webinar spotlights a new topic and Task Group Member each time and they produce content based on insight on how their organizations have used the HICP publication, real-world scenarios and lessons learned, industry cybersecurity best practices, proven cybersecurity procedures and techniques, and other topics involving cybersecurity in the healthcare industry.
To receive any of these materials or calendar invites email us at firstname.lastname@example.org!
After examining this information, HHS would like to leave you with a Call to Action. Over the past decade, the threat to the healthcare industry has increased dramatically along with the sophistication of cyber-attacks and there are no signs that these threats are going to subside or stop evolving. But coming together as a sector and educating ourselves is the best way our sector can establish, implement, and maintain current and effective cybersecurity practices. In that light, the call to action is that as readers of this journal you stay engaged and active because this collaboration and coordination will only thrive if the sector stays engaged.
This article will also appear in the Physician Leadership Journal, Jan/Feb 2021.