Ransomware attacks on the sector rose 128 percent year-over-year in 2023, and the April attack on Change Healthcare compromised health-care information on an estimated 100 million people. The sector relies on connected systems, and providers cannot tolerate long disruptions. Those are both factors that make health care vulnerable to cyber attacks, said Keith Busby, acting CISO for the Centers for Medicare and Medicaid Services, during a recent FedInsider webinar.
And, while people can usually get new bank account numbers or replace credit cards if those details are stolen, patients cannot replace compromised medical diagnosis information or other parts of their health record data, said Benjamin Koshy, CISO of the federal Indian Health Service.
“Health-care records are extremely valuable in the black market, and they're not easily changed or recoverable,” Koshy said during the webinar.
Data thieves using stolen patient records may also submit fraudulent claims to Medicaid or other insurance providers. A side effect is that real patients may then be unable to submit for the care that they genuinely need.
Following Health Insurance Portability and Accountability Act (HIPAA) guidance isn’t enough to meet today’s challenges, said Busby. Some panelists advocated for following more rigorous standards, like the widely regarded National Institute of Standards and Technology Cybersecurity Framework or the health-care-specific HITRUST cybersecurity framework. That’s a point echoed in other discussions as well, with the federal government currently considering updating HIPAA requirements for entities handling electronic personal health data. A new rule isexpected out this year. New York state has also begun phasing in new cybersecurity requirements for hospitals. By October, New York hospitals will have to appoint a CISO, adopt security controls addressing email phishing, adopt multifactor authentication (MFA) and take other steps.
One big area that health-care organizations should focus on is identity and access management. This means that anyone with privileged access should be required to use phishing-resistant MFA, Busby said. Take the attack on Change Healthcare as an example of what can go wrong otherwise: the ransomware actors gained access to the organization via a remote desktop access portal that lacked MFA.
Helpdesk members should also be trained about phishing and should avoid resetting staff passwords without first carefully validating the person is who they claim to be, suggested CrowdStrike Identity Protection Specialist Alec Lizanetz during the webinar. Small health-care providers could consider offloading the work of identity authentication and verification to a third party that specializes in the space, Koshy suggested.
Patients should also be given the option of MFA on their accounts. But organizations determining their public-facing identity authentication and verification approaches must also be mindful that not all members of the public have access to the same level of technology, Busby said. For example, some patients lack smartphones or wouldn’t be able to jump on a Zoom call.
Indian Health Service’s Koshy also recommended getting a third party to conduct cyber audits or risk assessments, to help catch any areas that need improvement. Employees should all get regular training on phishing and ransomware attacks, too. Patch management is also impactful, and cyber teams can avoid getting overwhelmed by the sheer number of vulnerabilities by prioritizing patching those they know are being actively exploited in the wild. CISA’s KEV catalog details those.
Because ransomware actors often encrypt victims’ data to deny the organizations access to it, making backups — and practicing restoring from them — is important to resisting these attacks. Koshy’s agency asks its system owners to make backups at least quarterly, for example. Data also should be encrypted at rest and in transit, to prohibit attackers from using the data even if they steal it, Busby said.
But at the end of the day, organizations should also assume a breach will happen at some point — and have an incident response plan prepared for when that happens.
