Resources to Help Address Cybersecurity Challenges in Healthcare
By Vince Campitelli, Co-Chair for the CSA Health Information Management Working Group (HIM)
According to a 2019 Thales Report (3), 70% of healthcare organizations surveyed reported a data breach, with a third reporting a breach within the last year. All organizations surveyed reported collecting, storing, or sharing sensitive information using digital transformation technologies.
“Between 2009 and 2019 there have been 3,054 healthcare data breaches involving more than 500 records. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 230,954,151 healthcare records. That equates to more than 69.78% of the population of the United States. In 2019, healthcare data breaches were reported at a rate of 1.4 per day.”
2020 update: according to an article published January 5, 2021, in Health IT Security, cyberattacks against healthcare entities rose 45 percent since November 2020. At this rate the sector accounts for 79 percent of all reported data breaches, according to reports from Check Point and Fortified Health Security.
Check Point’s research provided a fresh analysis of the biggest threats currently facing the sector. Shortly after the federal agency alert on the imminent ransomware threat facing healthcare providers, researchers observed a 45 percent increase in attacks—more than double the amount seen in other industries.
The threats include botnets, remote code execution, and DDoS attacks, with ransomware attacks seeing the biggest increase. Check Point stressed that malware is the biggest threat facing healthcare providers.
This new information confirms our thesis that the healthcare industry faces significant challenges that are in some respects distinct from those of other industries:
Healthcare requires the collection of huge amounts of sensitive data that pose significantly longer-term risks than in other industries. Moreover, the data is inherently more attractive to hackers than other types of data that can be accessed and exploited. As a result, a successfully attacked organization may suffer a cascade of negative impacts, such as significant fines, penalties or legal actions imposed by regulatory agencies such as HHS and the FDA in the USA, or under GDPR in the European Union and the European Economic Area; in addition, there is always the loss of patient and community confidence, as well as reputational damage to the organizations affected.
From a risk perspective, the potential for future damages cannot be fully mitigated. For example, in financial services, credit cards can be canceled and bank accounts closed. In healthcare, private patient data can be re-sold, recycled and reused in an endless cycle of fraud and abuse! Even worse, the patients may never be aware of the fraud associated with their data! Without improved and more effective interventions, the outcomes are only too predictable and alarming.
As more sensitive healthcare and related personal data moves to the cloud, spurred by the growth of individual providers as well as new entrants into the market, the volume of targets will grow and the volume of data will grow exponentially. The Cloud Security Alliance is committed to continuing research on all aspects of cloud computing including best practices and guidelines for effective security and compliance. The CSA Health Information Management (HIM) group is just one of the vehicles available for individuals to explore best practices for securing information in the cloud.
Patients globally will continue to come to the US to seek preeminent healthcare services only available in America. This creates a compliance burden emanating from the European Union's General Data Protection Regulation (GDPR). Such activity triggers two regulatory requirements: under US HIPAA requirements, the periodic risk assessments must document the existence of these cross-border data flows, and under the EU's GDPR, the data protection requirements necessary to achieve compliance must be met. In addition, the UK exited the EU on January 1, 2021 under the Brexit accords. Hence, GDPR as it currently exists in the UK will be subject to change.
Healthcare is also a study in managing supply chain risk. Organizations should not naively assume that because they're moving to the cloud, they don't have to worry about security. They are always responsible for completing and documenting an enterprise risk assessment, including the risk associated with outsourcing to third parties, especially where the nth parties of those third parties may subsequently be relied upon. In short, they are responsible for validating and vetting their Cloud Service Providers against their regulatory requirements, such as HIPAA and GDPR. Moreover, healthcare providers that rely upon Cloud Service Providers (CSPs) need to understand that regardless of individual CSP responsibilities, the healthcare provider remains accountable for the negative outcomes resulting from the deficient or non-conforming practices of the business associate(s) providing the service. Now, more than ever, the security axiom that an organization is only as "strong" as its weakest link is a mantra to be embedded in the spirit and practice of all of their due diligence activities.
It has been our observation that organizations adopting cloud services come to realize that with the adoption of every new CSP, they have essentially extended their enterprise into another entity "somewhere in a cloud": one over which they have limited control and even less visibility into its operations, yet for which they remain fully accountable for continuous operation, effective performance, appropriate security, privacy, and all relevant regulatory compliance requirements. While not impossible, success is not a given without insightful planning, continuous vigilance, and mastery of the technology services being delivered throughout the supply chain.
Addressing the cybersecurity and cloud technology skills gap in healthcare
One of the most prevalent challenges for the majority of healthcare organizations entering 2021 will be mastering the upskilling and new-skilling requirements needed to meet the demands of digital transformation and cloud technology platforms.
If you are new to cloud computing and even newer to CSA and cloud security, we recommend starting by reviewing the table below of recommended reading materials as well as training and educational opportunities, including CSA certifications.
These documents can be an immense help in identifying the individuals in your organization who can upskill their capabilities and extend their capacity to fill the knowledge gaps created by the multitude of cloud platforms being utilized and consumed by healthcare providers all over the world.
Recommended Reading Materials
Below is a guide to reading materials that will help you understand the fundamentals of cloud computing and best practices in creating effective security, privacy and compliance programs. For each document, its value to the reader is summarized.
Value to the Reader
- This paper outlines how security changes in cloud computing and the best practices all organizations should follow regardless of which vendor they are using.
- This provides guidelines for cloud users to better select security-qualified cloud service providers. These guidelines are based on the controls outlined in the Cloud Controls Matrix (CCM).
- Addresses the privacy and security concerns related to processing, storing, and transmitting patient data in the cloud for telehealth solutions.
- Examines big data and some use cases for big data in healthcare, the impact of big data on healthcare, regulatory requirements for Protected Health Information (PHI) in the cloud, and securing PHI in the cloud.
- Presents the concept of managing medical devices based on their proximity to the patient and introduces practices to secure the use of cloud computing for medical devices.
- This guide is intended to serve as a comprehensive guide to the secure deployment of medical devices within a healthcare facility.
If you're interested in staying up to date on the research CSA creates for the healthcare industry, and/or participating in the creation of future publications, you can visit the CSA Health Information Management Working Group. This group helps the entire healthcare industry by accelerating solutions to security challenges specific to healthcare. For example, one of our members was able to solve IoT categorization challenges through their participation in this working group.
Cloud security training we recommend for the healthcare industry
The whole premise of the training is to train and educate healthcare professionals in the cloud.
More important than earning a certificate is having robust training for the community working with healthcare organizations. For cybersecurity professionals who are new to the cloud, the Certificate of Cloud Security Knowledge (CCSK) is a good place to start, as it will give them a vendor-neutral understanding of cloud computing and security best practices. Once a baseline of knowledge is established, the Certificate of Cloud Auditing Knowledge (CCAK) in particular should be helpful for the core security people in healthcare.
Join the Health Information Management Working Group
By joining this working group, you will be able to help influence how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries. You can view the latest research created by this group, or join as a volunteer, here.
- Market Guide for Cloud Service Providers to Healthcare Delivery Organizations, Analyst: Gregg Pessin, ID G00034798