Work like 'a beehive, an ant colony' to protect against cyber intruders
Photo: HIMSS Media
WASHINGTON, D.C. – On Halloween this Thursday at the HIMSS Healthcare Cybersecurity Forum, attendees heard a fright-inducing list of recent Healthcare IT News headlines, all from just this October:
-
A warning this week from the Health Sector Cybersecurity Coordination Center about Scattered Spider – an appropriately creepy-crawly name – a cybercrime group that leverages ransomware variants and AI for advanced social engineering exploits, such as voice spoofs and deep fakes, targeting healthcare.
-
A report from the Ponemon Institute earlier this month showed that, even as cybersecurity budgets are finally increasing, they're still not keeping pace with attack disruptions – with 69% of health systems that had experienced a cyberattack saying it had adversely impacted patient care.
-
Another October report, from the National Association of State Chief Information Officers, found 41% of them noted that they were unsure if their teams could handle all the cybersecurity threats they face, and were particularly concerned with AI-enabled attacks.
-
A study from the same week showed 44% of healthcare organizations still not using basic multifactor authentication for remote access, and the same percentage still lack an incident-response plan.
-
A provider group in Southern California paid a $240,000 civil monetary penalty this month to settle with HHS' Office for Civil Rights over potential HIPAA Security Rule violations after a series of ransomware attacks showed a lack of basic cyber hygiene controls. In that settlement, OCR noted that there's been a 264% increase in large ransomware-based breaches since 2018.
In his opening keynote at the forum Greg Garcia, executive director at Health Sector Coordinating Council Cybersecurity Working Group, said those challenges are not just the responsibility of IT and infosec professionals.
The scope of the cyber threat environment these days is "all of our problem," said Garcia. In today's healthcare circulatory system, a "digitized interconnected ecosystem" where "every point is a transaction," he said "it isn't just the cybersecurity people that are on the hook. It's everyone."
As if a reminder was needed of the size of the problem, it was mentioned more than once on Thursday that the Change Healthcare ransomware attack of February 2024 impacted the protected health information of some 100 million Americans – officially making it the biggest healthcare breach ever.
Across the healthcare ecosystem – operational, financial, reputational, legal, regulatory, clinical – hospitals and health systems need to "mobilize ourselves against" against a cyber foe that's getting more cunning and creative: more and more honing their social engineering exploits with artificial intelligence, and becoming bolder and more relentless.
Garcia says HSCC – along with 17 other sector coordinating councils across the federal government – is working to help healthcare organizations be stronger and better prepared "against a flexible and resilient adversary."
He noted that such preparedness may soon not be voluntary. He suggested the healthcare industry keep an eye out for a notice of proposed rulemaking from HHS that may be published soon, aiming to require HIPAA covered providers – and third parties and business partners too – to have some baseline cybersecurity protections in place.
More philosophically, Garcia is interested in helping health systems understand the stakes and to think more creatively about security – by design, by default and by implementation – and the value of close collaboration and defense in depth.
"How do we act like a beehive, an ant colony," he said. "Do you see how they act when an intruder is in their midst? The communication is telepathic."
As healthcare organizations work to shore up their defenses and map a complex web of critical data infrastructure, it's crucial to understand that "none of us individually is as smart as all of us together," he said.
This story will be updated.