Securing the Healthcare industry: Insights from the frontlines

I recently sat down with Cecil Pineda, CISO at R1 RCM, to take a deep dive into the growing challenges around cybersecurity in the Healthcare industry. 

We discussed the recent Change Healthcare attack, the importance of vision in cybersecurity, and the challenges that are faced by today’s CISOs in aligning their security practices with their wider organizational goals. You can watch the full podcast here, or keep reading while I share some highlights from our discussion. 

Why is Healthcare Such a Lucrative Target for Cybercriminals?

Healthcare is a prime target, in large part because of the vast amount of sensitive and valuable data it holds. There is Personally Identifiable Information (PII) such as names, addresses and social security numbers, as well as financial details, and Protected Healthcare Information (PHI) including medical histories, treatment information and diagnoses. A single healthcare record can be worth $1,000 on the Dark Web, and the average cost of a healthcare data breach is significantly higher than in other industries — reaching $10.9M in 2023. 

With so much money on the table, it’s no surprise that the frequency and scale of healthcare data breaches are both on the rise. Think about the Anthem breach, which affected close to 79M people, or the multi-layered Change Healthcare attack which may have impacted up to one third of all Americans, and you’ll see how vulnerable the sector has become. 

Key stat from Cecil: healthcare organizations may have upwards of 100 partners, and you’re only as strong as your weakest link. The complex web of connectivity means data protection is key. 

However, the rise in healthcare attacks is not only about how much money can be made. Multiple issues have converged to build an increasingly complex risk landscape in healthcare. A shift towards digital transformation has led to widespread adoption of electronic healthcare records, remote monitoring and telehealth, all of which expand the attack surface. Healthcare is known for poor cybersecurity practices, spending far less of its IT budget on cybersecurity than other industries — just 6-10%, despite the severe consequences of disruption on its critical services. Regulatory requirements add further pressures such as fines, reputational loss and legal fees, and because regulations are being shaped in real time, the landscape is immensely complex to manage. 

How Can Security Professionals in the Healthcare Industry be Prepared for Future Attacks?

While organizations can never eliminate risk entirely, we discussed a wide range of strategies for bolstering defenses and preparing against cyberattacks. 

Speed

Cecil commented on the importance of speed, from investigation to communication and rapid response. Every second counts when you’re in the thick of a crisis, and your incident response plan needs to be tested, updated, and validated so that all team members know what they need to do. 

I always recommend that teams conduct frequent tabletop exercises, simulating real-world incidents so that you have a swift coordinated response in place. 

Culture

A strong security culture goes further than just the security team. You may not be the person who originally hired your Chief Legal Officer or Chief Financial Officer, but you still own their response when a cyberattack occurs. If you have playbooks in place, and you’ve communicated expectations ahead of time, it’s easier to act quickly and cohesively across the business. 

How do you know you’ve done enough? You need a level of preparedness where everyone — from members of the C-suite to the person in Marketing who might pick up the phone to a reporter — knows exactly what they should say and do. 

Communication

It’s so important to encourage open communication, trust, and transparency across the business. Employees should feel comfortable speaking up about potential vulnerabilities or issues, without worrying about the consequences. My top tip in this area is to build in regular feedback opportunities, as it’s not always easy to get your audience to say what’s on their mind. 30-minute coffee meetings are a great start. 

At the same time, you have a responsibility to provide continuous learning opportunities for your teams so that they are up to date on the latest threats and technologies, with cross-team training to ensure broad coverage of skills and knowledge. As a bonus, this broad education reduces reliance on key individuals, and with it the single points of failure they represent.

Technology

The decision between a single platform or a layered approach to cybersecurity will depend on many factors, including the size of your team, your monitoring capabilities, and your specific industry needs. However, for enterprise companies, we generally recommend a defense-in-depth strategy where multiple layers work together in tandem. 

A diverse set of tools ensures redundancy and catches threats that may otherwise slip through a single layer of protection.

Partnerships

Finally, strong relationships with partners and vendors are crucial for timely support during an incident, both for targeted advice and response and for sharing best practices across a collaborative defensive network. 

We founded CyberProof to build relationships with enterprise companies and become a strategic partner for them in the good and the bad, providing both the technology and the expertise. We set a vision together and move forward in a trusted relationship, and I’ve seen firsthand how these kinds of collaborative partnerships can make a real difference.

I’ve just scratched the surface of our discussion on cybersecurity in healthcare. You can listen to the full podcast to discover:

  • How to set cybersecurity vision by aligning security goals with corporate objectives, and tips for finding your way through the noise without distraction. 
  • Our insights on the Change Healthcare attack, including how attackers can leverage the vulnerabilities of healthcare clearinghouses.
  • A live Q&A between Cecil and me, where listeners get access to additional cybersecurity insights, plus learn what we do in our free time! 

Download the episode here