A Fresh Healthcare Cybersecurity Approach

A New Approach to an Old Problem

Resistance to yet another government regulation, a lack of understanding of the complexities of the rules, and an overall unwillingness to take on yet another area of expertise in an ever-changing technical landscape can make the sale of cybersecurity in healthcare a tough one.

Gone are the days of using Meaningful Use as an incentive for HIPAA compliance.

MACRA / MIPS has not filled the gap.

Even though a HIPAA Security Risk Assessment is required for MACRA – Promoting Interoperability (PI), the financial incentives don’t appear to be driving the decision to continue pursuing or purchasing HIPAA compliance.

The lack of widespread OCR enforcement (aside from the fear of large penalties) is another reason many healthcare organizations and their business associates have dragged their feet when it comes to HIPAA compliance.

Easy Target

While the HIPAA message doesn’t ring as loud as it used to, a new dynamic has overtaken the healthcare sector, and we need to pay attention. Cybercriminals have realized that healthcare is an easy target with a big payoff. Technological advances in the way we deliver medical care have resulted in an overwhelming amount of electronic data: results, reports, and general patient information. Medical equipment is continually evolving and providing the world with cutting-edge methods, and that data is stored electronically. The need to link that data to a patient can mean finding a quick-fix solution that overlooks HIPAA in the process. This leaves countless files in danger of a breach if they are not protected properly.

In addition to ignoring HIPAA regulations for the sheer convenience of doing things “the easy way”, healthcare organizations have historically spent less on security measures, including employee awareness training. Healthcare organizations often see high turnover rates, meaning that even if an organization does train its employees (which generally occurs only once a year, if that), training for incoming employees tends to get overlooked.

Cybercriminals now know this is an easy target. Meaningful Use has successfully transformed a paper-based industry into electronic health records. Unfortunately, cybersecurity defenses have remained stuck in the last decade.

While Russian hackers have argued over the ethical merits of targeting healthcare, some have admitted that “hospitals make too easy of a target to ignore”.

Hundreds of millions of patient records have already been breached, ransomware has paralyzed many healthcare organizations, and business email compromise attacks continue to victimize medical practices, hospitals, and the organizations that support them.

A New Approach

While many healthcare organizations do take HIPAA seriously and do their best to protect PHI, the vast majority will continue to ignore government regulations and believe that compliance is something only larger organizations need to worry about. MSPs will continue to be met with a lukewarm reception to a HIPAA compliance message.

However, 10 years after the HITECH Act, it is time to change the message to healthcare clients and prospects, which, in turn, could change the landscape altogether.

We need to stop pitching HIPAA compliance and start focusing on a strong cybersecurity message. The real threat to healthcare organizations is not the government with their fines and regulations, but cybercriminals that have realized the healthcare sector is where they need to focus.

Ransomware is one of the biggest threats to healthcare organizations. Hackers are focusing on healthcare and medical practices, and employees are ill-prepared to defend against them.

Using examples of hospitals that have been paralyzed by ransomware, or pointing to events like the Baltimore or Greenville city shutdowns, only reinforces the message that it’s just large organizations that cybercriminals are targeting and victimizing.

Instead, we need to use examples of medical practices and other small/midsize healthcare organizations that are relatable to our clients. 

Explain how a Michigan ENT & Hearing practice was a ransomware victim, and that the cybercriminals deleted all of its data, including any trace of the patients’ medical records, after the practice refused to pay the ransom. They were out of business before you could say “backup”.
