Nearly 93% of healthcare organizations experienced a data breach in the last three years, and most of these events could have been avoided with basic cybersecurity practices.
To help healthcare entities mitigate cybersecurity risks and increase their data breach resilience, we’ve created a comprehensive healthcare cybersecurity guide optimized for the biggest security threats in the industry.
Perform a Risk Assessment and Define your Risk Appetite
For your cybersecurity program to be cost-effective, it needs to be tailored to the unique risks of your digital ecosystem. A risk assessment (a security questionnaire) will help you determine the areas in your cybersecurity posture that need improvement to meet recommended national cyber resilience standards.
The NIST Cybersecurity Framework (available on the UpGuard platform) is a popular risk assessment for such initial evaluations.
Once completed, a risk assessment will evaluate your total risk exposure without security controls in place - also known as your inherent risk. This data will allow you to define a risk appetite specifying the maximum level of security risks your healthcare organization is willing to absorb for any given threat scenario. By establishing a standard for managing cyber risks, your risk appetite sets the foundation of your entire cybersecurity program.
Once your risk appetite is defined, your first cybersecurity objective should be to push your inherent risk level below your risk appetite through the strategic implementation of security controls. The resulting risk level then becomes known as your residual risk level.
Learn how to choose the best healthcare attack surface management product >
Inherent risk is the total level of security risks within your IT system before security controls are implemented.
Residual risk is your remaining level of risk after security controls have been implemented.
Learn how to calculate your risk appetite >
The effort of reducing security risks below a defined risk appetite is the foundational mechanism of every cybersecurity program.
The security controls you implement to achieve an ideal residual risk level should be based on the recommended controls for each major healthcare cyber threat listed below.
Become Aware of the Biggest Cyber Threats in Healthcare
Healthcare entities need to develop a cybersecurity program based on the unique cyber threats in the industry.
The three most critical cyber threats in healthcare are listed below. Suggested security responses for each listed threat are also included to help you develop the most relevant cybersecurity program aligned to the healthcare threat landscape.
1. Ransomware Attacks
According to the 2022 State of Ransomware in Healthcare report by Sophos, 66% of surveyed healthcare organizations fell victim to a ransomware attack in 2021; and between 2020 and 2021, ransomware attacks in the healthcare sector increased by 94%.
During a ransomware attack, a victim’s computer is completely encrypted, locking out all users. Only a ransom message by the responsible cybercriminals is accessible on infected computers, promising to reverse the damage and reinstate access if a ransom is paid with bitcoin.
Here's an example of a ransom message from the AvosLocker ransomware.
To force victims into complying with ransom demands, some cyber criminals publish increasing amounts of stolen sensitive healthcare data on cybercriminal forums, promising only to stop when the ransom is paid.
Learn how to choose a healthcare cyber risk remediation product >
Healthcare entities are ideal targets for ransomware attacks, not only because of the treasure trove of sensitive patient data they store, but also because of their need to maintain operational continuity to provide effective patient care. Amongst the chaos of a ransomware attack, this expectation makes a cybercriminal's promises to reinstate systems in exchange for a ransom payment increasingly appealing.
The FBI strongly advises against paying a ransom in response to a ransomware attack. Ransom payments never guarantee reinstated access to encrypted healthcare systems and only serve to fund future attacks.
A ransomware attack consists of 7 stages:
1. Phishing - An employee is targeted with a fraudulent email leading to a credential-stealing website.
2. Account Compromise - The healthcare employee performs the cybercriminal’s intended action, resulting in the compromise of their account.
3. Lateral Movement - Using the employee’s compromised account, the cybercriminal logs into the healthcare organization’s network and begins clandestinely moving across its regions, looking for privileged accounts to compromise.
4. Privilege Escalation - Privileged credentials leading to sensitive healthcare information resources are located and compromised.
5. Data Exfiltration - Using compromised privileged credentials, sensitive data resources are accessed. The patient data within these resources is then secretly transferred from backdoors and into cybercriminal servers for extortion purposes.
6. Data Encryption - The malware payload is deployed, encrypting the victim’s critical systems. A digital ransomware note is left on all compromised devices.
7. Data Dump - To force victims into following through with ransom demands, increasing amounts of the sensitive data stolen in stage 5 of the attack are published on the dark web until the ransom is paid.
How Healthcare Organizations Can Defend Against Ransomware Attacks
To defend against ransomware attacks, targeted security controls should be deployed across each stage of the attack.
Phase 1 Security Controls - Phishing Attacks
The success of phishing attacks could be significantly reduced by teaching healthcare employees how to identify and respond to phishing threats correctly.
More details about phishing attack mitigation are outlined below.
Phase 2 Security Controls - Account Compromise
Should an employee’s credentials become compromised, the use of their account to gain unauthorized network access could still be prevented with the following security controls:
- Multi-Factor Authentication (MFA) - The addition of authentication protocols to complicate account compromise attempts.
Learn more about MFA >
- Endpoint Detection and Response (EDR) - These solutions support responses to potential threats detected on endpoints (laptops, IoT devices, mobile devices, desktop computers, medical devices, etc.).
Learn more about Endpoint Detection and Response >
- Endpoint Protection Platforms (EPP) - These solutions prevent threats from entering an internal network from compromised endpoints.
Phase 3 Security Controls - Lateral Movement
With the following security controls, an attacker inside your network could be prevented from locating and progressing toward your sensitive patient data resources.
- Security Information and Event Management (SIEM) - A cybersecurity discipline focused on real-time monitoring of, and subsequent alerting on, potentially malicious network activities (such as access attempts against certain network regions and applications).
Learn more about SIEM >
- Network Segmentation - A strategy for dividing a network into sub-regions to close off sensitive patient resources, such as medical records, from general user access.
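The two controls above are easier to reason about with a concrete detection in hand. The following script is an added example (not UpGuard's code) that runs two SIEM-style rules over constructed authentication events: a fan-out rule that flags an account whose successful logins reach many distinct hosts inside a short window, and a segmentation rule that flags any login into the medical-records segment from a source that policy does not allow to reach it. The segment ranges, log format, thresholds and sample events are all hypothetical.

```python
"""SIEM-style lateral-movement checks over constructed authentication events.

Added example (not UpGuard's code). Two rules that mirror the two controls above:
  1. fan-out: one account succeeding against many distinct hosts in a short window
  2. segmentation: a login into the records segment from a source that policy
     does not allow to reach it
The segment ranges, log format and sample events are all hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Hypothetical segmentation policy: only the clinical application segment
# may open sessions into the medical-records segment.
RECORDS_SEGMENT = ip_network("10.20.1.0/24")
ALLOWED_INTO_RECORDS = [ip_network("10.30.0.0/24")]

# Constructed sample events (not real logs): ts user src dst result
SAMPLE_EVENTS = """\
2024-03-04T09:00:01 user=jdoe src=10.10.5.23 dst=10.10.7.40 result=success
2024-03-04T09:01:12 user=jdoe src=10.10.5.23 dst=10.10.7.41 result=success
2024-03-04T09:02:30 user=jdoe src=10.10.5.23 dst=10.10.7.42 result=success
2024-03-04T09:03:05 user=jdoe src=10.10.5.23 dst=10.10.7.43 result=failure
2024-03-04T09:03:50 user=jdoe src=10.10.5.23 dst=10.10.7.44 result=success
2024-03-04T09:04:10 user=jdoe src=10.10.5.23 dst=10.20.1.5 result=success
2024-03-04T09:30:00 user=asmith src=10.10.6.9 dst=10.10.7.40 result=success
2024-03-04T11:00:00 user=asmith src=10.10.6.9 dst=10.10.7.41 result=success
2024-03-04T11:05:00 user=ehr-app src=10.30.0.10 dst=10.20.1.5 result=success
"""

EVENT_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)"
)


def parse_events(text):
    """Parse one event per line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def fan_out_alerts(events, max_hosts=4, window=timedelta(minutes=10)):
    """Rule 1: {user: distinct hosts} for accounts whose successful logins reach
    more than max_hosts distinct hosts inside any span of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        widest = 0
        for i, start in enumerate(evs):
            # Distinct destination hosts reached in the window opened by this event
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            widest = max(widest, len(hosts))
        if widest > max_hosts:
            alerts[user] = widest
    return alerts


def segmentation_alerts(events):
    """Rule 2: logins into the records segment from a source outside the allowed segments."""
    alerts = []
    for e in events:
        src, dst = ip_address(e["src"]), ip_address(e["dst"])
        if dst in RECORDS_SEGMENT and not any(src in net for net in ALLOWED_INTO_RECORDS):
            alerts.append((e["user"], e["src"], e["dst"]))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("fan-out:", fan_out_alerts(evs))
    print("segmentation:", segmentation_alerts(evs))
```

On the sample data, the fan-out rule fires for `jdoe` (five distinct hosts in under ten minutes) while `asmith`, whose two logins are ninety minutes apart, stays quiet; the segmentation rule fires once, for `jdoe` reaching the records segment from a general-user address, and stays quiet for the clinical application host that policy allows. The point of pairing the two rules is that segmentation turns an attacker's probing into a policy violation that is cheap to alert on, whereas the fan-out rule has to be tuned against what administrators legitimately do.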
Phase 4 Security Controls - Privilege Escalation
Privileged account compromise - and therefore unauthorized access to sensitive data resources - could be prevented with the following controls.
- Privileged Access Management (PAM) - A strategy for controlling, monitoring, and safeguarding user accounts with access to sensitive resources.
Learn more about Privileged Access Management >
- Zero Trust Architecture - A security model enforcing continuous user authentication while logged into a network - especially when accessing sensitive resources. A Zero Trust Architecture usually contains an MFA control component.
Learn more about Zero Trust >
Phase 5 Security Controls - Data Exfiltration
Data exfiltration could be intercepted through a multi-layered security control approach consisting of:
- A SIEM
- Open port monitoring
- Foreign IP address connection monitoring
- Outbound traffic monitoring
- A data loss prevention solution
Learn more about detecting data exfiltration >
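Three of the layers listed above (foreign IP address monitoring, outbound traffic monitoring and open port monitoring) can be sketched as a single script. The following is an added example, not UpGuard's code: it runs over constructed outbound flow records and a constructed listening-port inventory, treats any destination outside the internal ranges and a small allowlist as foreign, totals bytes per source host sent to foreign destinations, flags foreign connections on unexpected ports, and reports listening ports that are not in a host's baseline. The address ranges, allowlist, thresholds and sample records are all hypothetical.

```python
"""Outbound-traffic and listening-port checks over constructed data.

Added example (not UpGuard's code) covering three of the layers above:
  - foreign-IP monitoring: destinations outside internal ranges and an allowlist
  - outbound-volume monitoring: bytes per source host to such destinations
  - open-port monitoring: listening ports a host has gained relative to its baseline
All ranges, thresholds and sample records are hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
# Hypothetical approved external service (placeholder documentation range)
ALLOWLISTED_EXTERNAL = [ip_network("203.0.113.0/24")]
# Ports a workstation is expected to talk to on the internet
EXPECTED_OUTBOUND_PORTS = {443, 53, 123}

# Constructed flow records: ts,src,dst,dport,bytes_out
SAMPLE_FLOWS = """\
2024-03-04T02:10:00,10.10.5.23,198.51.100.77,443,734003200
2024-03-04T02:12:00,10.10.5.23,198.51.100.77,443,512000000
2024-03-04T02:15:00,10.10.5.23,198.51.100.78,2222,9000000
2024-03-04T09:00:00,10.10.6.9,203.0.113.10,443,80000000
2024-03-04T09:05:00,10.10.6.9,10.20.1.5,443,2000000000
2024-03-04T09:10:00,10.10.7.40,198.51.100.20,443,1500000
"""

# Constructed listening-port inventory versus its approved baseline
OBSERVED_LISTENERS = {"ws-017": {22, 3389, 8080}, "db-01": {5432}}
BASELINE_LISTENERS = {"ws-017": {22, 3389}, "db-01": {5432}}


def is_foreign(dst):
    """True when the destination is neither internal nor an allowlisted partner."""
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_RANGES + ALLOWLISTED_EXTERNAL)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def volume_alerts(flows, threshold_bytes=1_000_000_000):
    """{src: bytes} for hosts that sent more than the threshold to foreign destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_foreign(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return {src: total for src, total in totals.items() if total > threshold_bytes}


def odd_port_alerts(flows):
    """Foreign connections on ports outside the expected set."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows
            if is_foreign(f["dst"]) and f["dport"] not in EXPECTED_OUTBOUND_PORTS]


def unexpected_listeners(observed, baseline):
    """{host: [ports]} for listening ports present now but absent from the baseline."""
    result = {}
    for host, ports in observed.items():
        extra = ports - baseline.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("volume:", volume_alerts(flows))
    print("odd ports:", odd_port_alerts(flows))
    print("new listeners:", unexpected_listeners(OBSERVED_LISTENERS, BASELINE_LISTENERS))
```

On the sample data only `10.10.5.23` trips the volume rule: its 1.2 GB to foreign addresses at 2 a.m. counts, while the 2 GB that `10.10.6.9` sent to an internal records server and its transfer to the allowlisted partner do not. The same host also appears in the odd-port list, and the inventory check reports the one port `ws-017` has started listening on since its baseline was taken. Thresholds this simple produce noise on real networks; the value is in combining the signals, which is what a SIEM or DLP product does at scale.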
Phase 6 Security Controls - Data Encryption
At the encryption stage of a ransomware attack, the primary course of action should be reinstating compromised systems to keep service disruptions minimal.
Achieving this requires the following:
- Regular data backup security policies.
- A well-designed incident response plan to efficiently guide security staff through data restore processes.
Learn how to create an incident response plan >
Phase 7 Security Controls - Data Dump
At the data dump stage of a ransomware attack, nothing more can be done to stop patient data from leaving your network. However, the impact on compromised patients could still be minimized if stolen data is rapidly detected when it’s published on the dark web.
Rapidly detecting leaked data allows compromised patients to be notified quickly, supporting compliance with the breach notification rule. Rapidly detecting leaked internal credentials allows compromised accounts to be secured faster, decreasing the chances of cybercriminals using them to access your network.
Sensitive data posted on cybercriminal ransomware blogs can be rapidly detected with UpGuard’s data leak detection feature.
Learn more about UpGuard’s data leak solution >
2. Phishing Attacks
In a phishing attack, a hacker sends an employee a fraudulent email purporting to be from a familiar, reliable source. These emails try to persuade victims to perform a specific action - a link click or an attachment download. If a link is clicked, victims are directed to a decoy website that looks almost exactly like the service or login page mentioned in the email. Submitting credentials on these pages sends the account login information directly to the hacker.
Here’s a comparison of a real vs. fake login page for a popular Australian bank.
When a hacker wants to steal internal network credentials, their phishing emails link to fraudulent login pages of a known internal service likely to share the same login details as a target’s internal network - highlighting the danger of password recycling.
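The mismatch between what a link displays and where it actually points, and the reuse of a trusted name inside an untrusted hostname, are both checkable before a message reaches an inbox. The following is an added example (not UpGuard's code) of the kind of link analysis a mail gateway or awareness tool performs: it extracts the anchors from a constructed HTML email, compares any displayed URL against the real target, and flags targets that embed or closely resemble one of the organization's trusted domains. The trusted domains, the sample message and the distance threshold are hypothetical.

```python
"""Link analysis for inbound email, as a defensive pre-delivery check.

Added example (not UpGuard's code). Flags anchors whose displayed URL does not
match the real target, whose target embeds a trusted domain name inside an
untrusted host, or whose target is a near-match (small edit distance) of a
trusted domain. Trusted domains and the sample message are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains the organization actually uses for logins
TRUSTED_DOMAINS = {"example-hospital.org", "mail.example-hospital.org"}

# Constructed sample message (not a real email)
SAMPLE_EMAIL_HTML = """
<p>Your mailbox password expires today.</p>
<p><a href="https://login.example-hospital.org.secure-reset.net/">https://login.example-hospital.org/</a></p>
<p>Or open <a href="https://mail.example-hospital.org/owa">webmail</a> directly.</p>
<p><a href="http://examp1e-hospital.org/login">Verify your account</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_links(html, max_distance=2):
    """Return [(href, [reasons])] for anchors that warrant a closer look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        # A displayed URL that points somewhere else is the classic decoy-page sign
        text_host = host_of(text) if text.startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            reasons.append("display URL host differs from link target")
        if not is_trusted(href_host):
            if any(d in href_host for d in TRUSTED_DOMAINS):
                reasons.append("trusted name embedded in untrusted host")
            elif any(edit_distance(href_host, d) <= max_distance for d in TRUSTED_DOMAINS):
                reasons.append("host is a near-match of a trusted domain")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons))
```

On the sample message the first anchor is reported twice over (the visible URL and the real target disagree, and the real target only contains the hospital's name as a subdomain of an unrelated site), the genuine webmail link passes, and the third anchor is caught as a one-character variant of the trusted domain. Checks like these catch the mechanical half of phishing; the training described later in this guide addresses the half that no parser sees.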
Phishing attacks are one of the most critical cyber threats in healthcare. Almost every cyber attack begins with a phishing campaign since these attacks arm hackers with the credentials they need to breach a network.
In 2022, data breaches resulting from phishing attacks cost an average of $4.91 million.
There is a silver lining to this problem: by decreasing the success potential of phishing attacks, your healthcare organization could avoid falling victim to most cyber attacks, including ransomware attacks.
How Healthcare Organizations Can Defend Against Phishing Attacks
To defend against phishing attacks, implement the following controls:
1. Secure all User Accounts with Multifactor Authentication
Stolen user credentials are difficult to abuse if a hacker needs to complete additional user authentication protocols before network access is granted.
Multi-factor authentication is so effective at protecting user accounts that, according to Microsoft, this single control could block up to 99.9% of account compromise attempts.
Ideally, MFA protocols should involve using hard tokens since this authentication is very difficult to bypass.
When implementing an MFA policy, ensure you account for the different ways MFA can be bypassed.
Learn how hackers bypass MFA >
2. Use a Password Manager
Password Managers prevent insecure password practices in the workplace, such as password recycling and using weak passwords.
3. Teach Staff How to Recognize Phishing Attempts
Even with the most expensive data security solutions in place, your patient data is still at a high risk of compromise if your staff are likely to fall victim to phishing campaigns.
The best way to reduce the human error component of data breach risks is to teach staff how to detect and respond to common cyber threats effectively. These education programs, known as security awareness training, should ideally be supported with regular simulated phishing attacks to keep cyber threat readiness front of mind.
The most common cyber threats are explained in the free resources below, which can be used to design a cyber threat awareness program.
- What is a cyber threat?
- What is a data breach?
- What is social engineering?
- What are phishing attacks?
- What is clickjacking?
- What is typosquatting?
- What is a DDoS attack?
- What is Ransomware?
- What is Ransomware-as-a-Service (RaaS)?
Learn how to use ChatGPT to create a phishing resilience program >
3. Data Breaches
The most disastrous outcome, which all cybersecurity programs aim to avoid, is a data breach - the unauthorized exposure of sensitive information.
Data breaches occur through IT network vulnerabilities, such as unpatched software. But the threat of a breach extends well beyond your IT boundary. A data breach could occur through any of your third and even fourth-party vendors. This is because service providers often need access to internal system data to deliver their offered service effectively. So a breached third-party vendor becomes a potential pathway to your sensitive patient information.
With almost 60% of breaches occurring through compromised third-party vendors, a data breach prevention strategy must consider cybersecurity threats from the third-party vendor landscape.
How Healthcare Organizations Can Defend Against Data Breaches
Successfully defending against data breaches requires a two-pronged approach:
1. Defend against network compromise threats
Deploy the same security controls against common network compromise tactics such as phishing and social engineering, in addition to the following basic cybersecurity defenses:
- Firewalls
- Antivirus software
- Data protection solutions
- Identity theft prevention strategies (to mitigate internal credential theft).
2. Scan for security vulnerabilities
Use an attack surface monitoring solution to detect internal and third-party vulnerabilities increasing data breach risks.
Learn more about UpGuard’s attack monitoring solution >
3. Assess the security postures of all your vendors
The probability of each vendor becoming a potential pathway to your sensitive data can be evaluated through a combination of risk assessments and security ratings.
- Risk assessments - these questionnaires map to popular cybersecurity frameworks and regulations to evaluate each vendor’s cybersecurity efforts against industry standards.
- Security ratings - These solutions continuously scan each vendor’s attack surface against 70+ common attack vectors for real-time security posture tracking.
When used together, risk assessments and security ratings streamline the effort of mitigating third-party breaches. A drop in a vendor's security rating indicates a potential new risk exposure requiring further investigation with a risk assessment, and the remediation of every identified threat is then tracked in real time through the security rating's improvement.
The resulting efficiency of response efforts means third-party risks can be rapidly addressed before cybercriminals discover and exploit them.
Understand the Difference Between a Regulation and a Cybersecurity Framework
If you’re deep into your journey of learning about implementing cybersecurity programs in healthcare, you’ve likely come across the terms ‘regulation’ and ‘framework.’ Understanding the difference between these terms is important because conflating them could bloat your project with significant unnecessary effort.
In the context of cybersecurity, a regulation is a legally binding set of rules organizations must follow to meet national cybersecurity standards.
A cybersecurity framework, on the other hand, is a set of guidelines for organizations to follow to help them comply with specific regulations.
For example, a popular regulation in healthcare is the Health Insurance Portability and Accountability Act (more details below). This is not a framework; it’s a set of rules stipulating security standards for healthcare facilities. To comply with HIPAA’s security standards, healthcare entities must implement a framework that maps to HIPAA’s requirements. The NIST Cybersecurity Framework is an example of such a framework.
In short, your organization needs to implement a cybersecurity framework to improve its security posture. When a cybersecurity framework maps to the requirements of a specific regulation, its implementation will help you comply with that regulation.
The healthcare industry is heavily regulated by the Health Insurance Portability and Accountability Act, not only because of its high susceptibility to data breach attempts but also because of the high potential of national-level impact when these entities are breached.
This destructive potential was most vividly demonstrated in the WannaCry ransomware attack of 2017. WannaCry is a strain of ransomware that infects computers through a vulnerability in Microsoft Windows operating systems.
Because many healthcare organizations were running older, unpatched versions of Microsoft Windows at the time, the ransomware rapidly tore through the healthcare sector, locking doctors and medical staff out of their computers and every emergency service powered by them.
After its spread was finally stopped, WannaCry impacted more than 230,000 computers in 150 countries, causing a total estimate of $4 billion in damages.
WannaCry continues to be a threat in the healthcare sector, infecting organizations still running the same unpatched Microsoft software the ransomware was designed to exploit in 2017 - which highlights the desperate need for the industry to improve its cybersecurity standards.
Get Familiar with the Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law specifying national security standards to protect patient health information from unauthorized disclosure. Failure to comply with HIPAA could result in fines of up to $50,000 and up to one-year imprisonment.
Learn how to avoid the top 10 HIPAA violations >
The US Department of Health and Human Services (HHS) created two rules to help healthcare entities meet HIPAA’s security requirements.
- The HIPAA Privacy Rule - Outlines standards for sharing protected health information (PHI) with other entities, such as other healthcare providers, health plans, and healthcare clearinghouses.
Learn more about the HIPAA Privacy Rule >
- The HIPAA Security Rule - Outlines security standards for protecting electronic forms of protected health information (ePHI) from compromise. This HIPAA security rule specifies administrative, physical, and technical safeguards centered around the most common cause of ePHI compromise - data breaches.
Learn more about the HIPAA Security Rule >
The HIPAA Privacy and HIPAA Security Rules are not cybersecurity frameworks. They outline the absolute minimum security standards for compliance with HIPAA. Aligning your unique internal processes with HIPAA’s requirements is achieved with a cybersecurity framework.
The HIPAA Security Rule specifies security controls across three categories of safeguards - administrative, physical, and technical.
1. Administrative Safeguards
Administrative safeguards outline standards for protecting health information security programs. Some examples of administrative safeguards include:
- Security management processes capable of evaluating and reducing risks to ePHI safety.
- Staff training programs educating employees about the security and privacy standards of the HHS.
- Information access management controls to prevent unauthorized access to electronic protected health information.
- Data backup processes and recovery plans to ensure rapid system reinstatement following a successful cyber attack.
For more information on each administrative safeguard standard, refer to this document by the HHS.
2. Physical Safeguards
Physical safeguards secure all physical access points to your organization and its computer systems. Some examples of physical safeguards include:
- Physical access controls, such as locks and alarms, limiting computer and information system access to authorized staff only.
- Securing workstations against physical theft attempts with the use of cable locks.
- Securing workstations against unauthorized login attempts.
- Workstation policies preventing methods of use increasing the risk of device compromise.
For more information on each physical safeguard standard, refer to this document by the HHS.
3. Technical Safeguards
Technical safeguards focus on limiting access to electronic Protected Health Information (ePHI) through controls spanning hardware, software, and information technology. Some examples of technical safeguards specified by the HHS include:
- Access controls limiting PHI accessibility to authorized users only.
- Monitoring solutions tracking access attempts on systems and resources containing electronic health records.
- Security measures for protecting ePHI from interception and compromise while in transit.
For more information on each technical safeguard standard, refer to this document by the HHS.
Learn how UpGuard helped Burgess Group achieve HIPAA compliance.
Who Needs to Comply with HIPAA?
HIPAA compliance, and therefore compliance with both HIPAA rules, is mandatory for all “Covered Entities,” which include:
- Health care providers
- Health plans
- Health care clearinghouses
The following entities are also considered “Covered Entities” and are therefore bound to comply if they electronically transmit health information covered by any security standard set by the US Department of Health and Human Services (HHS).
- Doctors
- Clinics
- Hospitals
- Nursing homes
- Pharmacists
HIPAA Breach Notification Rule
HIPAA’s data breach notification rule is a critical compliance component. According to the notification rule, a covered entity must provide a notification of a data breach to all impacted patients, the Secretary, and in some cases, the media.
If the breach impacts less than 500 individuals, a covered entity must notify the Secretary of the event within 60 days of the end of the calendar year in which the breach was discovered.
If the breach impacted more than 500 individuals, a covered entity must advise the Secretary no later than 60 calendar days after the breach was discovered.
For more information about the HIPAA breach notification rule, refer to these resources:
How to Comply with the HIPAA Regulation
Compliance with the HIPAA regulation can be achieved by implementing the following cybersecurity frameworks.
- NIST Cybersecurity Framework - The NIST CSF maps to the standards specified by the HIPAA Security Rule.
- HITRUST - A framework supporting compliance with various regulations, including HIPAA, PCI DSS, and the GDPR.
For compliance support, refer to the following free resources:
- How to Become HIPAA Compliant in 2024.
- How to Comply with HIPAA’s Third-Party Risk Management Requirements.
- Compliance Guide: NIST CSF and the Healthcare Industry.
- Leveraging HITRUST to Demonstrate HIPAA Compliance.
- HITRUST CSF Download.
Compliance with the HIPAA regulation, both internally and across all third-party covered entities, can be evaluated with UpGuard’s risk assessment mapping to all of HIPAA’s Security Rule standards.
Learn more about UpGuard’s security questionnaires >
How UpGuard Helps Organizations Become HIPAA Compliant
Through a suite of essential healthcare security features, including security ratings, continuous attack surface monitoring, and data leak detection, UpGuard helps healthcare entities establish a cybersecurity program that’s resilient to common data breach causes and compliant with the HIPAA regulation. UpGuard also offers a prebuilt, customizable questionnaire to help healthcare entities ensure that their third parties and business partners are also HIPAA compliant.