Cybersecurity in healthcare: How to protect patient data

The healthcare sector experienced the highest average data breach cost of any industry in 2022.

With cybersecurity attacks on the rise across the U.S., the next potential threat an organization faces could be moments away. By the third quarter of 2022, average weekly attacks per business worldwide reached over 1,130. While that’s a staggering statistic, some businesses with valuable assets could see even higher numbers. For instance, the healthcare sector experienced the highest average data breach cost of any industry, hitting an all-time high of over $10 million per incident in 2022. The personal information of patients stored by healthcare providers is a treasure chest to cybercriminals, and they will try every entry point to access that sensitive data.

The time for healthcare industry leaders to take action is now. As we approach an age of complete digitization for the services and operations of organizations, the risk of health records falling into the hands of attackers is greater than ever before. And the reputation of the providers themselves, as well as potential penalties under HIPAA compliance standards, hangs in the balance. To ensure complete privacy of sensitive data, healthcare industry leaders must consider implementing the following cybersecurity measures.

Adopting a zero trust security approach

Zero trust is a cybersecurity framework that, when applied correctly, improves cyberthreat defense and minimizes the severity of ransomware attacks, reducing the time and cost of responding to a breach. For the healthcare industry, zero trust is the only foolproof way to prevent threats, because it secures networks from unauthorized access and reduces the attack surface. In addition, zero trust allows healthcare companies to know who is connected to the network at all times, as every user must be known and verified.

A zero trust security model is one of the most effective forms of cloud security there is, with the mantra "never trust, always verify." Refusing to trust any connection without proper verification is critical, especially given the amount of cloud data in today’s healthcare industry. The zero trust architecture was also part of an executive order signed by President Biden in 2021. This order was intended to improve U.S. cybersecurity infrastructure in the wake of the Russia-linked supply chain attack on SolarWinds in 2020, the March 2021 Microsoft Exchange Server attack and the May 2021 ransomware attack on Colonial Pipeline.

Continuously evaluating agreements

Overall, approximately 40 million health records of individuals are affected each year by exposures reported to the federal government. Because so many third parties are involved in running a successful healthcare business, it is essential that third-party risk management is a central focus of a cybersecurity strategy.

Healthcare industry leaders can do their part in keeping patient information secure by performing due diligence before onboarding new vendors and then continuously monitoring all activities during the vendor lifecycle. A properly managed third-party risk assessment will likely include the following elements:

  • Maintaining a thorough inventory of all third-party relationships, segmented by potential risk.
  • Designating an owner for all third-party management plans and processes.
  • Creating a contingency plan for when certain third parties are considered high risk or a third-party data breach occurs.

Most of all, be transparent with vendors about what you expect from them from a security standpoint. Make sure they also follow strict protocol and respect the risk assessment processes of your organization.
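The three elements above, as an added example that is not part of the original article: a small Python review of a vendor inventory that segments each vendor into a risk tier, checks that every vendor has a designated owner, and flags high-risk vendors that still lack a contingency plan. The vendor records and the scoring weights are constructed assumptions for illustration.

```python
# Added example (not from the article): a minimal third-party inventory review.
# Vendor records and scoring weights below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    handles_phi: bool            # stores or processes patient data?
    network_access: bool         # holds credentials into our environment?
    days_since_assessment: int   # age of the last security review
    owner: str = ""              # accountable internal owner, empty if none
    contingency_plan: bool = False


def risk_tier(v: Vendor) -> str:
    """Segment a vendor into low/medium/high risk from its data and access exposure."""
    score = 0
    if v.handles_phi:
        score += 2          # patient data is the asset attackers want most
    if v.network_access:
        score += 1          # a compromised vendor credential becomes our breach
    if v.days_since_assessment > 365:
        score += 1          # stale review: current posture is unknown
    if score >= 3:
        return "high"
    return "medium" if score >= 1 else "low"


def review_inventory(vendors: list) -> dict:
    """Return findings keyed by type; each value is the list of vendor names affected."""
    findings = {"no_owner": [], "high_risk_no_plan": [], "stale_assessment": []}
    for v in vendors:
        if not v.owner:
            findings["no_owner"].append(v.name)
        if risk_tier(v) == "high" and not v.contingency_plan:
            findings["high_risk_no_plan"].append(v.name)
        if v.days_since_assessment > 365:
            findings["stale_assessment"].append(v.name)
    return findings


# Constructed sample inventory (hypothetical vendors)
SAMPLE_VENDORS = [
    Vendor("BillingCo", True, True, 400, owner="J. Doe"),
    Vendor("Laundry Service", False, False, 30, owner="A. Smith", contingency_plan=True),
    Vendor("Imaging SaaS", True, False, 90),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(f"{vendor.name}: {risk_tier(vendor)}")
    print(review_inventory(SAMPLE_VENDORS))
```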

Integrating EDR solution tools

Cybersecurity practices are only as good as the leaders and employees who apply them. Approximately 82 percent of all breaches involve a human element, such as falling for a phishing scam or experiencing a lapse in concentration or judgment when handling important files.

Enter endpoint detection and response (EDR) solutions. This type of digital security goes beyond signature-based detection by continuously evaluating endpoints for suspicious behavior. By utilizing policy-based detection rules and User and Entity Behavior Analytics (UEBA) capabilities, EDR protects systems from multi-vector attacks. This is achieved with artificial intelligence (AI) and machine learning (ML) to analyze all data and identify threat patterns. EDR solution tools also provide an automatic response by containing the threat and notifying the authorities in charge. In an age where human error is the leading cause of ransomware attacks, it’s critical to integrate a tool to be the eyes and ears of your security team 24/7, minimizing risk and strictly managing threats when they do occur.

Don’t let another moment of cybersecurity insecurity pass by your organization. The harm of a potential ransomware attack is too great to risk provider reputation, immense cost, and, most of all, the sensitive information of the patients. Take these critical measures into consideration to weather every storm cybercriminals throw your way and ensure the longevity and success of your business operations for years to come.

Grant Gibson has more than a decade of experience in the cybersecurity industry and is the Chief Information Security Officer at CIBR Ready, a cybersecurity think tank headquartered in the Triangle. Gibson also serves as chair of the National Initiative for Cybersecurity Education, where he provides a voice of leadership to emerging cyber technology education standards in the United States. He is a proud veteran of the United States Marine Corps, serving as a critical Communications Chief and pioneering IT instructor.