Laboratories, hospitals, and other healthcare entities are facing increasing numbers of cyberattacks. The latest example is a devastating ransomware attack on the largest healthcare payment system in the US—Change Healthcare—on February 21, 2024. The consequences of security incidents can be costly, including theft of patients' protected health information (PHI) or providers being locked out of critical systems and unable to safely care for patients. In the case of Change Healthcare, which is a division of UnitedHealth Group (UHG), the attack shut down large parts of Change’s systems, halting reimbursements for a wide range of the company’s healthcare provider clients and delaying and disrupting medication deliveries for more than 10 days [1,2]. According to media sources, the attack also apparently led to UHG paying the cyberattackers $22 million in bitcoin as ransom [2].
However, there are increasing numbers of resources to help healthcare providers protect themselves. Marc Machin, chief information security officer and director of technology at FrontRunner Health Care (FrontRunnerHC), discusses recent cybersecurity developments and how labs and other providers can defend against cyberattacks.
Editor’s Note: This story was updated on March 6, 2024, to include information about the Change Healthcare cyberattack.
Q: What are the latest trends in cybersecurity for healthcare providers such as laboratories?
A: Cyberattacks against the healthcare sector, in general, have been steadily rising. So, the trends are related to trying to combat that. For example, you hear on the news too often about hospital systems shut down due to ransomware. The attacks are not waning; they’re getting bolder and more prominent. The trend, in a broad sense, is to better defend against the ongoing attacks.
Q: How has artificial intelligence (AI) impacted cybersecurity?
A: AI in cybersecurity can work both for and against us. In time, AI could be used to break encryption algorithms that today we deem secure. The Cybersecurity & Infrastructure Security Agency (CISA) recently put out an advisory to start cataloging all encryption technologies in use by a business in order to know what may be at risk in the future from AI breaking it. At the same time, there are certain products and technologies such as anti-malware products that use AI for better malware detection. That’s just part of the technology evolution, both for good and bad.
Q: Regarding the CISA advisory, what is the most important information labs and other providers should know about that communication?
A: The advisory specifically recommended that organizations put together an inventory of all their encryption technologies. It’s another means to protect yourself. If, for example, a threat actor is found to be using AI to break certain encryption algorithms and you’re not sure which encryption algorithms you’re using, you won’t know if you’re at risk. The earlier you know about a possible cyberattack, the better you can prepare your defenses.
Q: What vulnerabilities do cybercriminals usually exploit?
A: People are the weakest link in the overall chain. One common example is a person who clicks on a phishing email. Phishing emails are so prevalent, and they’re a huge risk. Think about hospital systems that may have 5,000 to 10,000 people—doctors, nurses, and other staff, all with email accounts. Many of these people are not necessarily technical in nature and may not quickly recognize a phishing email for what it is. All it takes is one wrong click to pull down malware or have credentials compromised.
Q: What types of information do cybercriminals tend to target when it comes to labs and other healthcare providers?
A: Once cybercriminals have penetrated the defenses, they see what kind of sensitive patient health data they can steal, hold it for ransom along with all the systems, and they might say, “Alright, how much are you willing to pay me to not put that information on the Internet, or for me to give you the decryption key to unlock everything that we just shut down?” Other than people, Internet-facing systems such as web or email servers are probably the easiest example of other areas cybercriminals target. If they aren’t patched or properly maintained, all it takes is a quick scan by a threat actor to identify any known vulnerabilities and start attacking.
Q: What are the most important things labs and other healthcare providers can do to protect themselves? And how can they choose the cybersecurity solution that’s best for their organizations?
A: Every organization should have an information security governance program. There are resources available on how to set up such a program—including doing asset management, account management, vulnerability management, backup/restore, malware defenses, staff training, business continuity processes, etc. Going through all these areas can be challenging as most places are understaffed, but it’s important. For example, if an organization focuses on vulnerability scanning, that’s great, but there are many other areas that may be overlooked, and without a documented framework that outlines all those areas and how to address them, it can be difficult for providers to protect themselves.
Once labs have their governance program and training in place, then they can start looking at specific solutions such as anti-malware. Since different organizations have different needs, the solutions they choose will vary and will depend on their budget and the gaps identified when setting up their governance program. Certain providers will also want to ensure vendors are HIPAA-compliant and possibly consider SOC 2; for our organization, for example, maintaining those certifications is very important.
Q: What are some useful resources for setting up a cybersecurity framework?
A: The US government, under the Department of Homeland Security (DHS), provides a lot of resources for free. They include information on how to set up a program and measure its effectiveness, so labs can figure out what they need to improve on. The US Cybersecurity & Infrastructure Security Agency (CISA) website—cisa.gov—is very helpful. It has information specific to the nation’s different critical infrastructure, health care being one, such as the latest cyberattacks and vulnerabilities discovered in various software. The Center for Internet Security (CIS)—cissecurity.org—has several tools and resources for building out a robust information security program. Securityweek.com is another good source of general cybersecurity information.
Q: How often should organizations do cybersecurity training?
A: Ongoing training is important. If you only do training once a year—for example, every January—probably by February, staff have forgotten it. It needs to be constant to stay fresh in people’s minds. In our organization, for example, we have an extensive employee training program with mandatory requirements and assessments throughout the year, as well as phishing email simulations that go out monthly.
Q: What developments in cybersecurity for healthcare providers are you most excited about? Why?
A: There are so many more resources from the government, particularly DHS, than there ever were in the past. For example, the DHS now offers a free service for critical infrastructure entities where they help scan all your public-facing websites for vulnerabilities. I’m sure resources like that will continue to grow, as the threat continues to evolve and grow.
Q: How do you expect trends in healthcare cybersecurity to develop going forward?
A: Threats are going to continue, if not grow. So more resources are going to be brought to bear, including more tools, more technologies, more threat intelligence, etc. All of this will require even more educated and trained professionals, so we will see more colleges and universities start offering certificate and degree programs in cybersecurity.
References: