Longstanding under-investment in healthcare cybersecurity means that healthcare organizations put their patient data at risk if they do not take steps to cover their security blind spots.
Standards for data security are the backbone of healthcare cybersecurity, with HIPAA being the most widely used framework. Although HIPAA borrows from the robust set of NIST standards, it does not compare favorably with more rigorous data security frameworks, so healthcare systems that rely exclusively on HIPAA are still at risk of attack. These standards remain a solid starting point, but organizations should look further if data security is their goal.
Recent world conflicts have escalated the risk of attacks, with the Russia-linked REvil ransomware being a notable example. While individual criminals deploying ransomware may pose a moderate threat to hospital systems, nation-state hackers with unlimited resources pose a formidable threat to even the most secure health organizations. In addition, these nation-state actors have proven to be highly interested in the data about the U.S. population that hospitals collect.
With this escalated risk following current world conflicts, many seemingly secure companies have suffered attacks, putting their partners at risk. For example, the SolarWinds and Microsoft Exchange attacks sent shockwaves through multiple industries, including healthcare. As a result, healthcare organizations and providers looking to protect themselves need to regularly evaluate the security of their own systems and their vendors' systems.
COVID-19 created a cybersecurity blind spot for many providers in the form of "work-from-home." Even if IT locks down all data on hospital computers, employees who handle sensitive PHI from home without the safeguards that company equipment provides expose that information to risk. Additionally, home users may be less alert to malware and may click on suspicious links sent to their private accounts. If a bad actor gains access to their home PC, they potentially gain access to work information as well.
Fortunately, many trusted institutions like NIST and AICPA (American Institute of CPAs) maintain stringent guidelines and standards for companies to lock down their data. By being aware of these blind spots and taking steps to mitigate them, providers can protect their patients and livelihoods.