Healthcare cyber defenses aren’t up to scratch

Massive data breach affecting 11 million patients HCA Healthcare provided a stark reminder this week of how often the defenses of America’s largest healthcare organizations are breached.

Because matter: The hospital industry retains sensitive personal data which is among the most valuable assets on the black market and experts predict that further attacks will become more difficult to counter.

What are they saying: “They have pretty lax security, in general, compared to a bank as an example,” said Ross Brewer, chief revenue officer at SimSpace, a firm that regularly tests the defensive capabilities of large US banks.

By the numbers: HHS data shows that more than 39 million patient information was exposed in the first half of 2023 in nearly 300 incidents, according to Health IT Security.

• Health violations have doubled in the past three years, reports HHS.
• While HCA said its breach is limited to patients’ names, addresses, phone numbers, emails and treatment locations and “has not caused any disruption to day-to-day operations,” incidents at other hospitals have targeted people’s medical and financial records and were highly disruptive.
• And while regional health systems are frequent targets, the largest players in the sector are not immune.
• In January, community health systems reported that an estimated 1.2 million patients had exposed protected health information.
• Commonspirit Healthcare, one of the largest nonprofit healthcare systems in the United States, reported that more than 600,000 records were violated last fall. The attack disrupted operations at some hospitals and resulted in losses of approximately $160 million.
• “Of course, healthcare organizations can’t protect themselves against all cyberthreats, but if the industry is to improve their defenses, they need to dramatically up their game,” said Andrew Whaley, senior technical director at the cybersecurity firm, in an email. norwegian promon.

Being smart: Violations of health care systems covered by the Health Insurance Portability and Accountability Act (HIPAA) must be reported to federal officials.

• Oversight and enforcement rests with the HHS Office of Civil Rights, which also handles civil rights complaints.
• “HHS has spent significant time deepening its understanding of both how our adversaries are beating our hospitals’ cybersecurity protections today and how resilient our hospitals are to cyber to stand up to our adversaries,” said a HHS spokesperson.
• The agency released an analysis and published best practices for industry and free online training in April and is working through policy considerations and potential minimum standards to support them, the spokesperson said.
• But the office isn’t equipped to handle the sheer volume of cyber incidents. It had a budget of $38 million in 2022, which roughly matched the cost of about 20 MRI machines, Politico pointed out.

What’s next: In remarks late last month, Deputy National Security Advisor for Information and Emerging Technology Anne Neuberger said the Biden administration is turning its attention to healthcare for new critical infrastructure cybersecurity regulations, reported Eric Gellersenior cybersecurity reporter at The Messenger.

• HHS has requested $78 million in funding for the civil rights office in next year’s budget.

Between the lines: Ask any hospital executive about their cybersecurity and they’ll assure you they’ve made major investments in their defenses.

• But that’s part of the problem, Brewer said.
• “We have a systemic challenge in the industry where these organizations think technology will save them,” Brewer said. “They’re not placing enough emphasis on their people running their systems and properly testing their capabilities and putting them through exercises so they know what these attacks will look like before they’re in the middle of one.”
• Healthcare organizations are prime targets because they have so many locations and employees, work with a large number of external vendors, and have a complex web of technology connected to the Internet. They often lack full control over systems such as X-ray machines and the ability to keep them up to date.
• In the case of Nashville-based HCA, the hackers broke into an external storage location used to automate the formatting of email messages. The compromised data lists contained 27 million rows of data, including protected health information from about 11 million patients who received care at HCA hospitals and doctor’s offices in 20 US states, according to the HIPAA Journal.

The bottom line: It will become increasingly difficult to defend against threats, Amy Abernethy, Verily’s chief medical officer and former chief deputy commissioner for food and drugs at the FDA, told Axios.

• “Quantum [computing] it’s coming,” he said. “If we think we live in a complex time where we have the ability to have encryption work for us, when it’s not really that possible that’s going to be a completely different landscape,” he said. “We have to support what we’re doing now as we think about where this future goes.”