In 2021, you wouldn’t expect a modern hospital in the US to be running on pen and paper, but that is exactly what happened when an Alabama hospital was attacked by ransomware, resulting in the first alleged death by cyber attack in the country. The healthcare sector has always been a top target for cybercriminals, even more so within the last year and a half; ransomware attacks against hospitals carry high stakes, making them easy targets because they are more likely to pay the ransom with lives on the line. With hospitals and healthcare entities under immense and unprecedented stress due to the COVID-19 pandemic, hackers have capitalized on new or amplified cyber vulnerabilities stemming from continued digital transformation and a global shift to remote work.
The Varonis 2021 Healthcare Data Risk Report reveals some alarming figures from 2020:
- Confirmed data breaches [in the industry] increased by 58%
- The average breach lifecycle was 329 days…
- The average cost of a breach was $7.13 million
Indeed, hackers continue to hone their skills with continuous practice and improvement, but these numbers can be attributed in part to both a lack of preparedness and weak security hygiene by healthcare organizations. From compromised PII (Personal Identifiable Information) to delivery of patient care, unsecured data is putting hospitals, patients, and their staff at risk.
The Emergence of Killware
Previously, we’ve discussed the threats cyber crime poses to the Nation’s critical infrastructure, and the healthcare industry is no exception. You’re undoubtedly familiar with ransomware, but now its lethal cousin, “Killware,” has emerged as a top threat to healthcare cybersecurity. A hospital in Düsseldorf, Germany, alleged that a 2020 cyberattack on its systems directly led to the death of a 78-year-old woman. After being hit with ransomware, the hospital could no longer take in additional patients, and the woman died shortly after being rerouted to another hospital 32km away. Ultimately, prosecutors in this instance could not prove causation, but it became clear that lethal killware attacks were inevitable.
Hospitals have historically made appetizing targets to hackers, particularly because of the immediate panic an attack can cause. Patient health record systems, medical devices/IoT equipment, and delivery unit heartbeat monitors all make up the infrastructure that can be disrupted by a cyber attack; treatments and vital procedures can be delayed.
In 2021, there have been 850 attacks on hospitals in the US, and the first reported case of loss of life as a result of a cyber-attack occurred last month in Alabama. NBC News reported the death of a baby in Alabama, who allegedly received botched care because her hospital was dealing with a ransomware attack. This appears to be the first “creditable” public claim that a death directly resulted from a ransomware extortion attempt on a hospital.
Safe Harbor Bill HR7898
These stats tell us that convincingly that regulations and cybersecurity frameworks are alone are not sufficient for improved cyber security. So how is the US Government responding? Earlier this year, the United States Congress passed HR7898, a safe harbor bill designed to incentivize HIPAA-covered entities to adopt NIST CSF. HR 7898 states its intention is “to amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.” The legislation encourages healthcare companies to follow “recognized security practices,” which it defines in part as “standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act.”
So, rather than adding yet another requirement to their cybersecurity team’s compliance checklists, this non-partisan bill is actually meant to help healthcare security professionals improve their organizations’ cybersecurity posture. It does not increase fines or introduce new security practices but rather is intended to:
- incentivize HIPAA regulated entities to use cybersecurity best practices
- incentivize these HIPAA regulated entities to be proactive with their cybersecurity measures
- lower penalties for breached entities that have implemented best practices
In the past, organizations were punished with various penalties, but this new legislation takes a different approach. While it doesn’t take away penalties completely, when calculating fines, evaluating audits, or proposing mitigation requirements, HHS officials must now take under consideration companies that have been following these “recognized security practices.” NIST CSF is currently one of two named practices in HR7898, which outlines these recognized security practices as those “standards, guidelines, best practices, methodologies, procedures, and processes” developed by the NIST Act.
What is NIST CSF, and Why is it Important?
The Healthcare and Public Health Sector Coordinating Council (HSCC) noted that, in the past, HIPAA enforcement by HHS officials has “applied severe penalties against organizations victimized by cyberattacks in spite of their well-resourced programs that employ industry best cybersecurity practices.” In response, HR7898 is intended to serve as a “positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and, ultimately, patient safety,” they continued.
As referenced in HR7898, the NIST Cybersecurity Framework provides an excellent guide for companies that wish to improve their cybersecurity strategy. For a deep dive on the NIST CSF, check out Axio’s e-book, “NIST CSF: The World’s Most Popular Cybersecurity Framework: A 2021 Guide for Understanding and Implementing NIST CSF to Keep your Organization Cyber-Secure.” NIST CSF developed via collaboration between public and private sector business leaders and academics to help organizations understand and better manage their cyber risk. The NIST framework consists of five core tenets: Identify, Protect, Detect, Respond, and Recover. At a high level, NIST is effective because it fosters a comprehensive, holistic cybersecurity strategy that fits specific business needs.
What are the Key Benefits of NIST CSF?
The amount of work that needs to be done to protect and secure our healthcare data is immeasurable, but there are effective steps companies can take to ward off potentially life-threatening cybercrime. In theory, HR7898 is designed to provide relief for Covered Entities (CEs) and Business Associates under HIPAA and incentivize them to implement best practices. In practice, HR7898 ties closely with appropriate risk management strategy and the NIST framework. We already know that compliance alone is not a sufficient cybersecurity strategy and that companies that follow NIST guidelines are set up for better success against a breach. With HR7898, in the event they are breached, they will be “credited” for having following NIST guidelines with lower fines or penalties.
How can you get started with NIST CSF?
NIST CSF helps health care organizations address some of the top drivers of increase in cyber attacks. As Jane Chung, VP of Public Cloud at Palo Alto Networks., has noted, the rise of cyber crime against healthcare entities is often attributed to the following three factors:
- Financial Gain – health records with PII are very valuable, and providers usually pay a ransom if they are subjected to ransomware.
- Easy Target – healthcare is highly vulnerable, and it lags in cybersecurity because of insufficient regulations, legacy software, and undertrained staff.
- Entry point for a larger attack – hackers have the potential to shut down a group of connected hospitals across a city or even country.
By walking through the NIST framework, you will be able to address each of these factors to help fortify your organization against a cyber attack. Considering that, even before COVID-19, cybersecurity professionals in healthcare were overworked due to the high stress and constant attention required to fight cyberattacks, even a process as clearly defined as NIST CSF may seem like a huge undertaking. This is where the Axio360 platform can help walk you through the steps of a NIST assessment. Security is a team sport, and Axio360 will help you prepare for following best practices on a daily basis, getting your team trained, and everyone throughout every level of the organization on board.