Cyberattacks remain a formidable threat to healthcare providers, with hackers’ tactics getting more sophisticated by the day.
Policymakers are trying to combat this. For example, New York Governor Kathy Hochul released a proposed set of cybersecurity regulations in November that require hospitals to establish new policies and procedures to protect themselves from ever-intensifying cyber threats. And a couple weeks ago, HHS published guidance outlining voluntary cybersecurity performance goals for the healthcare sector. While this initial guidance is voluntary, these goals will likely be used to inform upcoming HHS rulemaking.
In its guidance, HHS outlined 10 key goals for strengthening providers’ cybersecurity: mandating basic cybersecurity training, mitigating known vulnerabilities, boosting email security, using multifactor authentication, ensuring strong encryption, requiring unique credentials, revoking credentials for departing workforce members, separating user and privileged accounts, establishing incident response plans, and vetting vendors’ cybersecurity.
These guidelines are a starting point toward a more secure and resilient healthcare system in the U.S., and others are adopting similar measures internationally, pointed out Taylor Lehmann, director of Google Cloud’s office of the CISO, as well as the former CISO of athenahealth and Tufts Medicine. But he also thinks these regulatory efforts must be coupled with industry collaboration and information sharing to drive real, long-term change.
“The benefit of the cyber performance guidelines is that it indicates where the ball is bouncing next, and what the standards and expectations are for what organizations should be working on. It may not be today, but what is on HHS paper will most likely become what is in the actual final rulemaking or new regulatory requirements that become law,” Lehmann explained.
Some hospitals are more prepared to achieve these cybersecurity goals than others. While many hospitals have already begun their digital transformations, there are plenty of others that are still using legacy IT systems.
The degree of readiness depends on the hospital’s size, funding and resources for an IT security team, Lehmann noted.
“While the essential goals may seem like base-level security — things like multi-factor authentication and using unique credentials — they’re clearly not being implemented properly, as these continue to be the leading causes of breaches in the industry,” he declared. “The basics aren’t always necessarily easy — they can actually be super hard.”
Across the board, hospitals should focus on strengthening their use of identity as a control mechanism, Lehmann recommended. Seeing that highlighted throughout HHS’ guidance was encouraging, he remarked.
Lehmann emphasized the importance of conducting penetration testing, as this can help healthcare organizations identify the high-impact, low-effort ways attackers can get in — and the equally beneficial yet simple remediations that need to be put in place immediately.
“Test and fix until the organization achieves a baseline of security control that would allow it some breathing room to consider prioritizing voluntary goals, like HHS’ cybersecurity performance goals. Trust in systems, especially those that haven’t been assessed before, needs to be established regularly and continuously,” he said.
Penetration testing, red teaming and other forms of technical assessments provide a realistic view of what problems need to be fixed immediately, Lehmann explained. In his view, providers need to begin performing these processes regularly before more strategic conversations can occur.
Photo: JuSun, Getty Images
