Improving healthcare cybersecurity with a ‘whole health’ approach
Editor’s Note: Retired General Keith Alexander is CEO of IronNet and Adrian Mayers is head of information security at health insurance nonprofit Premera Blue Cross.
With a wealth of valuable patient information and a low tolerance for downtime, the healthcare industry continues to be targeted by cyber-attackers. Healthcare suffers the highest average breach cost of any industry, a figure that is up 42% since 2020. Now that is painful.
In particular, many of the attackers are highly organized cybercriminal organizations and nation-state attackers (e.g., North Korea).
With industry-wide digital transformation and an endless network of third-party providers and suppliers, the healthcare ecosystem is a target-rich environment for adversaries. We all know they’re mostly after protected health information, which can fetch around $1,000 per record on the dark web (compared to around $5 per credit card number and $1 per social security number), according to Experian.
Against this backdrop, investment in securing non-patient-facing IT infrastructure typically lags behind other industries, even though the eventual impact can directly jeopardize patient care. In addition, many healthcare institutions do not have enough personnel to handle the security risks of their environment.
How can we tip the scales in our favor? Answer: by taking a “whole health” approach to cybersecurity to scale cyber defense.
The days of stand-alone defense are over
The entire healthcare ecosystem needs to be stitched together and interconnected, not only to enable any organization to defend better, but also to provide stronger collective defense for the industry in general. This means empowering healthcare providers, payers, and even employers who invest in group healthcare programs to collaborate in real time to defend the healthcare ecosystem at scale.
We should also be open to sharing anonymized threat data with the government as needed to take action against critical, specifically identified cyber threats while those threats are still taking shape (for example, while command-and-control, or C2, infrastructure is being set up, long before the attack itself occurs).
For this approach to succeed, the healthcare industry must overcome its systemic fear of sharing threat data, a legitimate fear fueled by strict data privacy regulations and compliance requirements.
It is important to understand that threat sharing in cybersecurity relies entirely on anonymized data. That’s the easy part that technology takes care of. Cyber threats in networks can be detected using behavioral analytics without the need for any corporate or personally identifiable information. This level of security applies to companies and organizations with on-premises, cloud-based, or hybrid network environments.
The tricky part is working through the longstanding concern that sharing information will result in compliance penalties for the reporting organization. Therefore, the language in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 that protects private entities sharing cyber threat information is very important for shedding light on what threat sharing really means for healthcare and, more importantly, for reframing relations between public and private organizations. We must bring about this collective mind shift.
The “whole health” approach to cybersecurity complements Health-ISAC’s existing efforts by adding both actionable attack intelligence on new and novel threats and a real-time, radar-like picture of the cyber threat landscape.
Let’s create a ‘talent phalanx’
This approach creates a “community of talent” that empowers the industry to defend at scale.
We draw this analogy from military campaigns, which rely on the convergence of specialized capabilities such as battlefield intelligence, special operations intelligence, multi-weapons operations expertise, and more. In cyberspace, once you start thinking about building a set of capabilities, your ability to hit your target and achieve mission success increases exponentially, making it much harder for the enemy to defeat mission objectives.
In addition to leveraging the combined expertise and resources of a collective defense community for healthcare, this phalanx requires layering in public sector and government capabilities to complement private sector insights. By leveraging this phalanx, a whole-health cybersecurity community helps all stakeholders understand the common outcome: collective defense for the betterment of the industry and the nation.
Leave no health institution behind
A collective defense community that brings together payers, providers, and employers shifts the enemy’s overall calculus on healthcare, especially for small and medium-sized organizations facing ongoing resource constraints. They can benefit from scale by leveraging the expertise of applied analysts at larger, better-resourced organizations. As Greg Garcia, executive director of the Health and Public Health Industry Coordinating Council cybersecurity working group, recently said at the HIMSS Health Cybersecurity Forum, “None of us individually is as smart as all of us collectively.”
This whole-health approach creates a kind of cyber peloton that pulls along those who may not be as cyber-strong as the leaders of the pack, cutting the headwinds so everyone can stay ahead of adversaries as a cooperative group with the same goal: better defense.
All health cybersecurity returns to protecting patient care
Cybersecurity is not an IT issue. It is an integral part of a healthcare organization’s ability to provide high-quality patient care while protecting and securing data, whether the stakeholder is a provider, payer or employer. CIO David Finn, a member of the United States Health and Human Services cyber task force, isolated this particular challenge: “Cybersecurity is still viewed as an IT and security ‘issue.’ It’s in pain.”
It is imperative to act now. Choosing collective defense is no longer optional for the healthcare industry. We need public and private cooperation across the provider-payer-employer ecosystem if we are to have a fighting chance against cyber enemies. Don’t put off this critical cyber health checkup any longer.