A recent string of massive healthcare cybersecurity breaches has put data security leaders on edge.
Health system cybersecurity executives are looking at their biggest points of weakness in the aftermath of large-scale breaches at St. Louis-based health system Ascension, UnitedHealth Group's Change Healthcare and Chicago-based Lurie Children's Hospital.
Read more: AI challenges: a hot-button topic at Digital Health Summit
Cybercriminals are becoming more sophisticated and using social engineering techniques, such as calling into hospital help desks and posing as employees. Defending against the attacks require organizations to undergo a cultural shift rather than just buying data security software, experts say.
“I think one big misconception is that you can buy yourself into a super low risk situation,” said Brad Reimer, chief information officer at Sioux Falls, South Dakota-based Sanford Health. “Historically, you could just buy some technology, and it would give you the protection you need and now that's just changed with the way social engineering is happening.”
Recent incidents have shined a light on some of the most significant vulnerabilities at health systems. Here are four of the biggest, according to experts.
Lack of shared organizational goals
The biggest vulnerability is leaders failing to acknowledge the risk that cybersecurity poses to their organizations, said Taylor Lehmann, director of healthcare and life sciences for Google Cloud's office of the chief information security officer. Lehmann, who works with health systems, said many providers have not prioritized or acknowledged the full set of risks.
"There's no shared goal among leadership in every sector of healthcare but especially in the provider setting," Lehmann said. "Yeah, they are in the business of treating patients, right? But having a secure system is a going-in requirement to be able to do that."
Reimer emphasized the need for providers to have streamlined internal processes to handle cybersecurity incidents.
“I think it’s natural to think about some of the technology tools or software vendors that can help and there is a technical component of that," Reimer said. "But then your internal processes, when we talk about speed to respond, that is extremely critical.”
Third-party vendor risks
Providers' third-party vendor relationships could also expose them to greater risk. According to data from the Health and Human Services Department, 173 healthcare vendors reported breaches last year. The number has increased each year since 2017.
"We consume risk from vendors, connections and all that, just as much as we induce it to others," said Erik Decker, vice president and chief information security officer at Salt Lake City-based Intermountain Health. "The downstream impacts of those convergences can become very material depending upon what it is."
Last year, a sweeping series of data breaches involving file transfer software vendor MOVEit affected at least 88 provider organizations, including Houston-based Harris Center for Mental Health and Baltimore, Maryland-based Johns Hopkins Medicine.
Multi-factor authentication misses
Parent company UnitedHealth Group did not adhere to its policy of requiring multi-factor authentication on external platforms, CEO Andrew Witty told House and Senate lawmakers earlier this month in response to questions about the Change Healthcare cybersecurity incident. Multi-factor authentication requires users to verify credentials in multiple ways—such as sharing a password and entering a separate code from their mobile device—to access a system.
Cybersecurity experts recommend health systems adopt that process as a minimum. However, multi-factor authentication is not foolproof, Lehmann said.
"Getting an app installed that forces users to provide a second factor is relatively straightforward," Lehmann said. "But making sure that hundreds of thousands of systems that should have it do have it is really hard, and then [you] make sure it works."
Slow response times
Healthcare data security executives said there is a growing sense that being the victim of a cybersecurity event is inevitable. If a health system of any size has a vulnerability, hackers are able to exploit it quickly, said Decker, who is also chairman of the Health Sector Coordinating Council’s cybersecurity working group. The group is a public-private partnership that develops cybersecurity practices for organizations throughout healthcare.
While Lehmann said providers should not abandon their prevention efforts, he said time also should be spent preparing for an attack.
"Yeah, we've got to keep data private, cool, but we have got to keep the systems up and running even when they've been attacked, even when they've been ransomed," Lehmann said. "We still need these systems going."