Work like ‘a beehive, an ant colony’ to protect against cyber intruders
WASHINGTON, DC – Last Thursday on Halloween at the HIMSS Healthcare Cybersecurity Forum, attendees heard a terrifying list of recent headlines from Healthcare IT News, all relevant in October:
This week, an alert from the Health Sector Cybersecurity Coordination Center about Scattered Spider – an appropriately creepy name – a cybercrime group that uses ransomware variants and AI for advanced social engineering exploits, such as voice spoofs and deep fakes, targeting healthcare.
A report from the Ponemon Institute earlier this month found that even as cybersecurity budgets are finally increasing, they are still not keeping pace with the disruptions from attacks – with 69% of healthcare systems that have experienced a cyber attack saying it has had a negative impact on patient care.
Another October report from the National Association of State Chief Information Officers found that 41% say they are unsure whether their teams can handle all the cyber threats they face, and are particularly concerned about AI attacks.
A survey the same week found that 44% of healthcare organizations are still not using basic multi-factor authentication for remote access, and the same percentage still do not have an incident response plan.
A Southern California provider group this month paid a $240,000 civil penalty to settle with the HHS Office for Civil Rights over potential violations of HIPAA security rules, after a series of ransomware attacks revealed a lack of basic cyber hygiene controls. In that settlement, OCR noted that there has been a 264% increase in major ransomware-based breaches since 2018.
In his opening remarks at the forum, Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said these challenges are not solely the responsibility of IT and infosec professionals.
The scope of cyber threats is “our whole problem” these days, Garcia says. In today’s healthcare system, a “digitized, interconnected ecosystem” where “every point is a transaction,” he says, “it’s not just the cybersecurity folks who are on the hook.” It’s everyone.
As if a reminder of the magnitude of the problem were needed, the Change Healthcare ransomware attack of February 2024, which was mentioned more than once on Thursday, affected the protected health information of approximately 100 million Americans – making it officially the largest healthcare breach ever.
Across the healthcare ecosystem – operational, financial, reputational, legal, regulatory, clinical – hospitals and healthcare systems must “mobilize ourselves against” a cyber enemy that is becoming increasingly devious and creative, sharpening its social engineering exploits with artificial intelligence and becoming more brutal and ruthless.
Garcia says HSCC – along with 17 other sector coordinating councils across the federal government – is working to help healthcare organizations be stronger and better prepared “against an agile and resilient adversary.”
And he noted that such preparedness may soon no longer be voluntary. He suggested that the healthcare industry keep an eye on a notice of proposed rulemaking from HHS, which could be released soon, aimed at requiring HIPAA-covered providers – as well as third parties and business associates – to have a number of basic cybersecurity protection measures in place.
More philosophically, Garcia is interested in helping healthcare systems understand the stakes and think more creatively about security – by design, by default, and by implementation – and the value of close collaboration and defense in depth.
“How do we act like a beehive, an ant colony?” he said. “Do you see how they behave when there is an intruder in their midst? The communication is telepathic.”
As healthcare organizations work to strengthen their defenses and map a complex web of critical data infrastructure, it is critical to understand that “none of us individually are as smart as all of us together,” he said.
This story will be updated.