# Opener

Why NIST CSF Helps Hospitals and Healthcare Systems in the Face of Growing Cyber Attacks

Published by Axio

In 2021, you wouldn’t expect a modern hospital in the US to be running on pen and paper, but that is exactly what happened when an Alabama hospital was attacked by ransomware, resulting in the first alleged death by cyber attack in the country. The healthcare sector has always been a top target for cybercriminals, even more so within the last year and a half; ransomware attacks against hospitals carry high stakes, making them easy targets because they are more likely to pay the ransom with lives on the line. With hospitals and healthcare entities under immense and unprecedented stress due to the COVID-19 pandemic, hackers have capitalized on new or amplified cyber vulnerabilities stemming from continued digital transformation and a global shift to remote work. 

 The Varonis 2021 Healthcare Data Risk Report reveals some alarming figures from 2020:  

  • Confirmed data breaches [in the industry] increased by 58% 
  • The average breach lifecycle was 329 days 
  • The average cost of a breach was $7.13 million  

Indeed, hackers continue to hone their skills with continuous practice and improvement, but these numbers can be attributed in part to both a lack of preparedness and weak security hygiene by healthcare organizations. From compromised PII (Personal Identifiable Information) to delivery of patient care, unsecured data is putting hospitals, patients, and their staff at risk.  

The Emergence of Killware 

Previously, we’ve discussed the threats cyber crime poses to the Nation’s critical infrastructure, and the healthcare industry is no exception. You’re undoubtedly familiar with ransomware, but now its lethal cousin, “Killware,” has emerged as a top threat to healthcare cybersecurity. A hospital in Düsseldorf, Germany, alleged that a 2020 cyberattack on its systems directly led to the death of a 78-year-old woman. After being hit with ransomware, the hospital could no longer take in additional patients, and the woman died shortly after being rerouted to another hospital 32km away. Ultimately, prosecutors in this instance could not prove causation, but it became clear that lethal killware attacks were inevitable.  

Hospitals have historically made appetizing targets to hackers, particularly because of the immediate panic an attack can cause. Patient health record systems, medical devices/IoT equipment, and delivery unit heartbeat monitors all make up the infrastructure that can be disrupted by a cyber attack; treatments and vital procedures can be delayed. 

In 2021, there have been 850 attacks on hospitals in the US, and the first reported case of loss of life as a result of a cyber-attack occurred last month in Alabama. NBC News reported the death of a baby in Alabama, who allegedly received botched care because her hospital was dealing with a ransomware attack. This appears to be the first “creditable” public claim that a death directly resulted from a ransomware extortion attempt on a hospital.  

Safe Harbor Bill HR7898 

These stats tell us that convincingly that regulations and cybersecurity frameworks are alone are not sufficient for improved cyber security. So how is the US Government responding? Earlier this year, the United States Congress passed HR7898, a safe harbor bill designed to incentivize HIPAA-covered entities to adopt NIST CSF. HR 7898 states its intention is “to amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.” The legislation encourages healthcare companies to follow “recognized security practices,” which it defines in part as “standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act. 

So, rather than adding yet another requirement to their cybersecurity team’s compliance checklists, this non-partisan bill is actually meant to help healthcare security professionals improve their organizations cybersecurity posture.  It does not increase fines or introduce new security practices but rather is intended to:  

  • incentivize HIPAA regulated entities to use cybersecurity best practices 
  • incentivize these HIPAA regulated entities to be proactive with their cybersecurity measures 
  • lower penalties for breached entities that have implemented best practices  

In the past, organizations were punished with various penalties, but this new legislation takes a different approach. While it doesn’t take away penalties completely, when calculating fines, evaluating audits, or proposing mitigation requirements, HHS officials must now take under consideration companies that have been following these “recognized security practices.” NIST CSF is currently one of two named practices in HR7898, which outlines these recognized security practices as those “standards, guidelines, best practices, methodologies, procedures, and processes” developed by the NIST Act. 

What is NIST CSF, and Why is it Important?  

The Healthcare and Public Health Sector Coordinating Council (HSCC) noted that, in the past, HIPAA enforcement by HHS officials has “applied severe penalties against organizations victimized by cyberattacks in spite of their well-resourced programs that employ industry best cybersecurity practices.” In response, HR7898 is intended to serve as a “positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and, ultimately, patient safety,” they continued. 

As referenced in HR7898, the NIST Cybersecurity Framework provides an excellent guide for companies that wish to improve their cybersecurity strategy. For a deep dive on the NIST CSF, check out Axio’s  e-book, “NIST CSF:  The World’s Most Popular Cybersecurity Framework:  A 2021 Guide for Understanding and Implementing NIST CSF to Keep your Organization Cyber-Secure.” NIST CSF developed via collaboration between public and private sector business leaders and academics to help organizations understand and better manage their cyber risk. The NIST framework consists of five core tenets:  Identify, Protect, Detect, Respond, and Recover. At a high level, NIST is effective because it fosters a comprehensive, holistic cybersecurity strategy that fits specific business needs.  

What are the Key Benefits of NIST CSF? 

The amount of work that needs to be done to protect and secure our healthcare data is immeasurable, but there are effective steps companies can take to ward off potentially life-threatening cybercrime. In theory, HR7898 is designed to provide relief for Covered Entities (CEs) and Business Associates under HIPAA and incentivize them to implement best practices. In practice, HR7898 ties closely with appropriate risk management strategy and the NIST framework. We already know that compliance alone is not a sufficient cybersecurity strategy and that companies that follow NIST guidelines are set up for better success against a breach. With HR7898, in the event they are breached, they will be “credited” for having following NIST guidelines with lower fines or penalties.  

Why You Should Implement the NIST CSF

As a set of best practices and guidelines for protecting against cybersecurity risk, the NIST CSF — also known as the NIST Cybersecurity Framework — provides a path forward for companies, organizations and institutions that are looking for something better than that fledgling whack-a-mole approach to IT security. Created by the National Institute of Standards and Technology and the United States Commerce Department, the NIST CSF is intended to provide a comprehensive set of rules and regulations that help organizations better prevent, identify, respond to and recover from cybersecurity attacks.

Many top cybersecurity companies use the NIST CSF to help organizations get a handle on their real time cybersecurity risk, as well as to help their clients better understand where the next attack or breach may come from. While it’s certainly possible to develop cybersecurity measures without the NIST CSF, the framework makes it easy to implement a comprehensive approach that avoids the common pitfalls of developing a program from scratch. Instead of struggling to make sense of the various tools, technologies and policies that go into hardening your cybersecurity capabilities, the NIST CSF provides a way for organizations to hit the ground running with a unified strategy informed by modern cybersecurity best practices. 

Why the NIST CSF Works

Before the NIST CSF, discussing your needs with 10 different cybersecurity risk management software providers or companies would likely yield 10 different approaches and solutions to the same threat basis. However, since cybersecurity threats are getting worse, both in severity and frequency, it’s no longer the case that your organization can afford to go it alone with unique concerns that don’t acknowledge the threats and unified approach that many rogue actors have. Instead of treating each data breach or hack as a one-off, the NIST CSF helps organizations better respond to threats and harden their systems against attacks under a common set of rules, tools and guidelines. 

In fact, even the United States government has started to implement NIST CSF regulations in an attempt to get ahead of the ever-changing world of cyber threats. And with bigger cyberattacks afflicting various organizations, businesses and industries with each passing week — from healthcare to oil pipelines, water treatment plants and even schools — it’s only a matter of time before your organization and its data is compromised. Indeed, it’s no longer the case that most organizations can afford to ignore their cybersecurity needs, and the NIST CSF is one of the best ways to get started or to revamp your existing cybersecurity policies.

How can you get started with NIST CSF? 

NIST CSF helps health care organizations address some of the top drivers of increase in cyber attacks. As Jane Chung, VP of Public Cloud at Palo Alto Networks., has noted, the rise of cyber crime against healthcare entities is often attributed to the following three factors:  

  • Financial Gain – health records with PII are very valuable, and providers usually pay a ransom if they are subjected to ransomware.  
  • Easy Target – healthcare is highly vulnerable, and it lags in cybersecurity because of insufficient regulations, legacy software, and undertrained staff. 
  • Entry point for a larger attack – hackers have the potential to shut down a group of connected hospitals across a city or even country.  

By walking through the NIST framework, you will be able to address each of these factors to help fortify your organization against a cyber attack. Considering that, even before COVID-19, cybersecurity professionals in healthcare were overworked due to the high stress and constant attention required to fight cyberattacks, even a process as clearly defined as NIST CSF may seem like a huge undertaking. This is where the Axio360 platform can help walk you through the steps of a NIST assessment. Security is a team sport, and Axio360 will help you prepare for following best practices on a daily basis, getting your team trained, and everyone throughout every level of the organization on board.