An overview to navigating the complexities of healthcare cybersecurity
Introduction
The role of a Chief Information Security Officer (CISO) in healthcare has never been more challenging. According to Gartner, 80 percent of CIOs plan to increase their cybersecurity investments in 2024. This increase is driven by the expanding attack surface, the increase in the scope and public visibility of ransomware incidents, and the rapid proliferation of generative AI (GenAI) use cases, which introduce new and unknown risks.
In recent years, the healthcare industry has witnessed a significant rise in cyber breaches. In 2022, there were 650 breaches affecting 52 million people. This number increased by 13 percent in 2023, with 740 breaches affecting 136 million people. The cost of a single record breach in healthcare is $408, compared to $148 in other industries, and the overall cost of a healthcare breach incident is approximately $10 million, which is twice as expensive as in the financial industry. Notably, 61 percent of healthcare breaches are due to unintentional risks posed by employees.
The impact of AI
As it stands, 61 percent of healthcare breaches are due to unintentional risk by employees. Now, the democratization and ease of use of GenAI have introduced a new era of cyber risk. Employees who might never have engaged with AI before are now independently using and relying on it in their workflows, raising concerns about deep fake scams and AI-enhanced ransomware attacks.
AI has transformative power in healthcare, but with great power comes great responsibility. There are two critical aspects to consider: the security of AI and AI for security.
Security of AI
The security of AI is intrinsically linked to data security. While GenAI can provide efficiencies and uplift for healthcare practitioners, it must be implemented with strict human governance. Leveraging generative AI with human oversight is essential. AI also magnifies the threat to data governance, making hygiene and control around regulated data a significant challenge.
AI for security
AI can greatly enhance efficiency in security workflows, similar to its impact on clinical workflows. With bad actors using AI to enhance their attack capabilities, AI provides the tools to sift through vast amounts of data and identify potential threats. This proactive approach is crucial in staying ahead of cybercriminals.
Regulatory considerations
The regulatory landscape is becoming increasingly stringent. As of December 2023, the SEC requires the reporting of material breaches within four business days. Organizations must file a publicly viewable 8-K form with high-level details of the incident, a stark contrast to previous practices where details emerged slowly.
This shift in accountability is evident in recent cases. The former Uber CISO was convicted of a cover-up in federal court, and the SEC is investigating SolarWinds and their CISO following the Sunburst malware attack.
Healthcare-specific regulations are also evolving. The California Consumer Protection Act and similar proposed regulations in New York and other states are being implemented. The Department of Health and Human Services (HHS) has published a concept paper on voluntary cybersecurity performance goals as part of a strategic plan to enhance industry-wide cybersecurity.
Planning ahead
Considering these developments, a robust healthcare security strategy must focus on the fundamentals:
- Improve cyber hygiene: Regular updates, patches, and employee training are essential.
- Resiliency principles: Prepare for quick recovery from attacks.
- Segmentation: Limit the spread of breaches by isolating critical systems.
- Identity management: Ensure strong authentication and access controls.
A key component often overlooked in security strategies is user experience. Cultural change and adoption among clinicians and staff are crucial for successful implementation. Security measures, such as new authentication controls, can be seen as disruptive. Therefore, fostering a partnership between IT and end-users from the start is essential to gain their support and cooperation.
Conclusion
The cybersecurity landscape in healthcare is complex and rapidly evolving. As a hospital CISO, staying ahead of threats requires a multifaceted approach that balances technological advancements with regulatory compliance and user experience. By focusing on robust security practices and fostering a collaborative environment, healthcare organizations can better protect their data and ensure the safety of their patients.