
How To Build a Strong Cybersecurity Posture at Your Healthcare Organization

August 30, 2022

Digital technologies have caused drastic changes in the healthcare industry, and the recent global pandemic has only expedited some of those changes. The handling of data has moved to the forefront of technology-related risks in many industries, but it is a critical risk for the healthcare industry. Cybersecurity incidents and ransomware attacks continue to rise among U.S. businesses, and healthcare providers are prime targets. Electronic protected health information (ePHI) is at high risk because it is present in almost every hospital and clinic in the country. This is not lost on cybercriminals, for whom ePHI is a high-value target.

Cybersecurity incidents have an enormous impact on healthcare practices. According to Emsisoft, an antivirus software company, in 2020 the average ransom demand related to ransomware grew by more than 80%, and in the same year the U.S. paid a minimum of $1 billion in relation to ransomware. Per Check Point Software Technologies, attacks on healthcare organizations globally have increased 45% since Nov. 1, 2020, compared with an increase of 22% in other industries. The global pandemic has provided ammunition to cybercriminals, as coronavirus-themed phishing attacks have been a source of intrusion.

For perspective, Tenet Healthcare Corporation discussed the impact that cyber incidents have had on their organization during their 2022 second quarter earnings release. Early in the quarter, Tenet was impacted by an incident that temporarily disrupted a subset of their acute care operations. The company’s hospitals remained operational and continued to deliver appropriate patient care, utilizing backup procedures. During the quarter, Tenet was able to restore operations to normal but not before the financial impact was felt. The incident resulted in a negative impact to the company’s adjusted earnings before interest, taxes, depreciation, and amortization (EBITDA) during the quarter of approximately $100 million. The company was able to file a claim with their insurance company, but as of the time of the earnings release, only $5 million of insurance proceeds had been received. Tenet’s story is not isolated, and similar incidents have been happening with increased regularity.

Where To Start

A strong cybersecurity posture is critical, but knowing where to start is not always obvious. First, it’s important to understand what can be controlled and what cannot. What if employees fall victim to a phishing attack or other data-compromising situation? Alternatively, what if employees lose their tablet or laptop, putting the device’s data at risk? There may be a natural inclination to think that bad things won’t happen to your organization. However, in today’s environment, providers should move forward with the mentality that it is not if it happens, but when it happens. While organizations cannot control external aspects of cybersecurity, there are numerous opportunities to enhance their security and their readiness for when an incident does occur.

Employers cannot control what their employees do, but they can prepare those employees for what an incident may look like and what the consequences would be. A common misconception is that investing in cybersecurity technology alone is sufficient to guard against an attack, but employee training and awareness are critical. Annual cybersecurity training modules can be inexpensive and are readily available. Because the general public is informed about data security, providers can show the public that they are taking data protection seriously by displaying cybersecurity credentials on their website or in information related to the practice.

Back It Up and Test Your Plan

With ransomware cases on the rise, data storage practices are more important than ever. Ransomware attackers deliberately target backups. If an organization's backups are online and connected to the network, then they are at risk of being compromised in a ransomware attack. The primary way to protect your organization in a situation like this is to have offline backups that are not accessible from the network at all. Offline backups could be a cloud backup solution, DVDs, disk drives, or external hard drives, provided the backup copy cannot be reached or altered from the production network.

While it is imperative for providers to back up their data, those backups are not valuable if they cannot be used properly to recover from an incident. An increasing number of organizations are regularly backing up their data; however, many do not test their incident response plan, which is an internal document that shows how the organization defines an incident and what steps need to be taken in the event of an incident. Developing an incident response plan and testing it requires internal time and resources, but it is an inexpensive and critical step in an organization’s security posture.

Vet Your Vendors

Healthcare organizations work closely with third-party vendors, and in some cases, those vendors have direct access to a provider’s network. The more network access points there are, the higher the inherent risk. Imagine if an attacker was able to access a healthcare organization’s patient billing information due to a vendor’s weak network security environment. Hypothetically, the attacker could mail notices of a change to the amount owed, asking patients to send payments to a new account. The communication may look like it came from the healthcare organization, and the organization would be unaware of the change until it’s too late. In this case, the incident would be a direct result of a gap in security from the vendor – not the healthcare organization.

Due to risks like this, providers have a responsibility to their organization and their patients to ensure that vendors working with the organization are vetted properly. Third-party due diligence can be handled through questionnaires sent to the vendor or through assurance reports like System and Organization Controls (SOC) reports. These reports act as a seal of approval, confirming that the vendor's internal controls are well designed and operating effectively.

Restrict Access

Another way providers can enhance their security position is by ensuring that access to data is appropriately restricted. Employee turnover and position changes occur relatively often in all businesses, and therefore access requirements are constantly changing. Because of this, regularly reviewing who has access to sensitive data and systems is an important control that involves minimal time investment. Included in access reviews is the idea of segregation of duties. This concept disperses critical functions of key processes between more than one person or department in order to reduce the risk of fraud or error.

Implement Password Requirements

Implementing password requirements is another relatively simple internal control that can substantially mitigate risk in the event of an incident. The use of weak passwords for network or application authentication could lead to unauthorized access or malicious attacks. Requiring passwords to be a certain length and complexity is an easy step to mitigate the risk. Cybersecurity insurance providers now commonly require, among other technical security controls, the implementation of multifactor authentication (MFA) on all email, remote access (including remote desktop protocol connections), privileged and administrative accounts, and backup solutions.
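The access review and segregation-of-duties check described in the previous section, and the MFA coverage expectation described here, can be turned into a repeatable audit. The script below is an added example written for this article, not code from KSM or from any identity product; the HR roster, account export, conflicting role pairs and MFA-required roles are all constructed sample data, and the role names are hypothetical. It flags accounts whose owner has left or is unknown to HR, accounts holding both halves of a conflicting duty pair, and accounts with privileged, remote-access or backup roles that have no MFA enrolled.

```python
"""Periodic account access review: stale accounts, segregation-of-duties
(SoD) conflicts and MFA gaps on high-risk roles.

Added example for illustration. All data below is constructed sample data
and the role names are hypothetical; a real review would read the HR
roster and the account export from the organization's own systems.
"""

from dataclasses import dataclass

# Constructed HR roster: employee id -> employment status
HR_ROSTER = {
    "e100": "active",
    "e101": "active",
    "e102": "terminated",
    "e103": "active",
}


@dataclass(frozen=True)
class Account:
    username: str
    owner: str            # HR employee id; "" marks a shared/service account
    roles: frozenset
    mfa_enabled: bool


# Constructed export from an identity system
ACCOUNTS = [
    Account("jdoe", "e100", frozenset({"clinician", "ehr_read"}), True),
    Account("asmith", "e101", frozenset({"ap_create_vendor", "ap_approve_payment"}), True),
    Account("bjones", "e102", frozenset({"ehr_read"}), True),          # owner terminated
    Account("backupsvc", "", frozenset({"backup_admin"}), False),     # backup account, no MFA
    Account("mlee", "e103", frozenset({"domain_admin", "remote_access"}), False),
    Account("ghost", "e999", frozenset({"ehr_read"}), True),          # owner unknown to HR
]

# Hypothetical duty pairs that one person should never hold together (SoD):
# e.g. creating a payee and approving payment to it.
SOD_CONFLICTS = [
    ("ap_create_vendor", "ap_approve_payment"),
    ("domain_admin", "backup_admin"),
]

# Roles the article says insurers expect MFA on: privileged/admin,
# remote access, email and backup solutions (hypothetical role names).
MFA_REQUIRED_ROLES = {"domain_admin", "remote_access", "backup_admin", "email_admin"}


def stale_accounts(accounts, roster):
    """Accounts whose owner is terminated or not in HR. Ownerless
    service accounts are skipped here and should be reviewed separately."""
    return sorted(a.username for a in accounts
                  if a.owner and roster.get(a.owner) != "active")


def sod_conflicts(accounts, conflicts):
    """(username, role_a, role_b) for every conflicting pair held by one account."""
    found = []
    for a in accounts:
        for r1, r2 in conflicts:
            if r1 in a.roles and r2 in a.roles:
                found.append((a.username, r1, r2))
    return found


def mfa_gaps(accounts, required_roles):
    """Accounts holding an MFA-required role without MFA enrolled."""
    return sorted(a.username for a in accounts
                  if a.roles & required_roles and not a.mfa_enabled)


def run_review(accounts=ACCOUNTS, roster=HR_ROSTER):
    """Run all three checks and return the findings for follow-up."""
    return {
        "stale": stale_accounts(accounts, roster),
        "sod": sod_conflicts(accounts, SOD_CONFLICTS),
        "mfa_gaps": mfa_gaps(accounts, MFA_REQUIRED_ROLES),
    }


if __name__ == "__main__":
    for finding, items in run_review().items():
        print(f"{finding}: {items}")
```

Each list in the result is an item for the access review meeting: stale accounts are disabled, SoD conflicts are resolved by moving one duty to another person, and MFA gaps are closed before the account keeps its privileged or remote role. Running the review on a fixed schedule, and after every departure or role change, is what makes it a control rather than a one-off cleanup.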

The Bottom Line

Patients are more cautious than ever when it comes to how their data is stored and shared. Healthcare organizations must strengthen their cybersecurity posture in order to meet patients' expectations and to ensure the protection of the company's information. There are numerous ways to improve an organization's security environment, and many do not involve third parties or large amounts of time or monetary investment. Investing in technology to reduce cybersecurity risk is a positive step, but internal security controls are needed in order to ensure success in overall security risk mitigation.

If you would like to discuss ways to improve the current IT controls and cybersecurity risk posture at your practice, contact your KSM advisor or complete this form.

George Batalis, Partner, Healthcare Consulting
Bobby Brown, Manager, IT Risk Advisory Services
