Cybersecurity in healthcare guide: Stop, respond, recover

The recent cyberattack on Change Healthcare, a major player in the United States healthcare system, has sent shockwaves through the industry. This healthcare cyberattack, disrupting patient care and highlighting vulnerabilities in healthcare data security, serves as a stark reminder of the ever-present threat of cybercrime.

Medical practices hold a wealth of sensitive patient information, which makes them prime targets for cybercriminals. A successful healthcare cybersecurity breach can disrupt operations, compromise patient data, and erode trust.  This guide equips healthcare providers with the best knowledge and tools to navigate the complex world of cybersecurity.  

We'll walk you through: 

By following these steps, you can significantly improve your cybersecurity posture and ultimately safeguard patient care. 

Let’s first look at the Change Healthcare cyberattack in detail for some context.

Change Healthcare, a subsidiary responsible for managing patient records, revenue cycles, and prescriptions for Optum, fell victim to a ransomware assault orchestrated by Alphv/BlackCat. 

In response, UnitedHealth Group (UHG), the parent company of Optum, swiftly disconnected Change Healthcare to contain the breach. 

The repercussions of this shutdown are estimated to be disrupting over $100 million in daily provider reimbursement, potentially leading to various provider-related ramifications, such as:

The recent attack on Change Healthcare serves as a stark reminder that cyberattacks pose significant threats beyond the general disruption they cause.  

Healthcare providers are entrusted with a vast amount of Electronic Protected Health Information (ePHI). This sensitive data comprises a patient's entire medical history, diagnoses, and even financial details.  

Healthcare records continue to be one of the most lucrative items on the underground market, ranging from $250 to $1,000 compared to other items like credit cards only selling for an average of $100. This demonstrates the value of data like ePHI to cyber-attackers and their motivation for attacking healthcare institutions.

If ePHI is compromised, this information can have devastating consequences for patients. Potential implications can be identity theft, misuse of medical information, and even threats to their wellbeing.

Beyond the direct impact on patients, a successful cyberattack can cripple the operations of a healthcare facility; compromising the critical systems that healthcare facilities rely on to:

The financial repercussions of a cyberattack can also be significant. Healthcare providers face the risk of hefty fines for violations of the Health Insurance Portability and Accountability Act (HIPAA) regulations safeguarding patient data. Furthermore, they may be subject to lawsuits filed by affected patients seeking compensation for damages caused by the data breach.

Perhaps the most damaging consequence of a cyberattack is the erosion of trust in a healthcare provider. Public exposure of a data breach can severely tarnish a facility's reputation, leading to patient loss and negatively impacting future operations.

The HIPAA Security Rule requires HIPAA covered entities and business associates (“regulated entities”) to implement authentication procedures “to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

Healthcare providers (regulated entities) need to carefully choose how people access their systems based on an assessment of their specific risks. This ensures that private medical information (like test results and medications) stays protected.

Even though keeping this information confidential, accurate, and readily available is crucial, some healthcare providers still haven't put in place the necessary security checks as required by the Security Rule. This leaves them exposed to cyberattacks and data breaches and puts their patients' information at risk.

The HHS Office for Civil Rights (OCR) recently announced a resolution agreement with Banner Health to resolve issues of potential HIPAA non-compliance, including “failure to implement an authentication process to safeguard its electronic protected health information.” This incident included payment of $1.25M and implementation of a corrective action plan to be monitored by OCR for two years.

In September, 2011, a reported 5 million patients were impacted by a significant data breach following the theft of backup tapes of electronic health records from Tricare. 

Tricare is a healthcare program servicing active-duty troops, their dependents, and military retirees. The backups were stolen from the car of an individual responsible for transporting the tapes between facilities. Data compromised included Social Security numbers, names, addresses, personal health data, clinical notes, and phone numbers. 

UCLA also suffered a data breach that is believed to have started in October 2014, but this activity did not appear to have malicious potential. But in May of 2015, a cyberattack involving the compromise of sensitive patient information was confirmed.

UCLA health was issued a $7.5 million fine for its failure to report the breach in a timely manner, which is a violation of the breach notification protocol specified under HIPAA.

Fast forward to 2024, and one of the biggest cybersecurity threats facing physicians today is double extortion ransomware attacks. Modern ransomware groups don't just encrypt data — they also exfiltrate sensitive records to extort even higher payments by threatening to leak the data publicly, violating regulations like HIPAA.

Despite reportedly paying $22 million to the Alphv/BlackCat ransomware gang, Change Healthcare finds itself remaining in a vulnerable position. Despite the massive payment, an affiliate of Alphv/BlackCat claims Alphv/BlackCat kept the full ransom while still retaining possession of over 4TB of stolen data from insurance companies and pharmacies.

Healthcare practices face a constant threat of cyberattacks. 

These malicious attempts aim to steal valuable patient data, disrupt critical operations, and extort money. Recognizing the different types of attacks allows healthcare providers to implement effective prevention strategies.

Here's a breakdown of the most common healthcare cyberattacks with real-world examples:

Deceptive emails that often appear to come from legitimate sources like colleagues, patients, or even healthcare institutions. They may contain urgent requests or enticing offers, tricking recipients into clicking malicious links or downloading attachments that infect devices with malware:

Unauthorized individuals gain access to protected patient information. Data breaches can happen through various means — including hacking into computer systems, exploiting software vulnerabilities, or even physical theft of devices containing sensitive data:

This malicious software can take many forms, including viruses, spyware, and ransomware. Malware can steal sensitive patient data, disrupt operations, and even hold systems hostage for ransom payments:

The following is what a ransomware attack looks like in reality:

1. Cyberattack occurs: For instance, a cybercriminal sends a deceptive email posing as a legitimate source (colleague, patient, healthcare institution) to an employee. This email tricks the recipient into clicking a malicious link or downloading an attachment containing malware.

2. Account is compromised: Unaware of the deception, the employee falls victim to the phishing attempt and enters their login credentials on a fake website designed to steal them. This grants unauthorized access to the employee's account.

3. Network is further infiltrated: Leveraging the compromised employee account, the attacker can infiltrate the healthcare network. They then begin exploring and navigating through different systems, searching for accounts with higher privileges.

4. Privilege escalation occurs: The attacker actively seeks administrative or privileged accounts within the network. These accounts grant broader access to sensitive data and systems.

5. Data is exfiltrated: Once the attacker acquires privileged credentials, they exploit them to access confidential patient information. This data could include medical records, financial details, or other sensitive information.

6. Data is encrypted: In some cases, the attacker may deploy malware that encrypts critical systems, rendering them unusable. This often comes with a ransom demand, forcing the healthcare organization to pay to regain access to their data.

7. Data is leaked: As a pressure tactic to extort money, the attacker might selectively leak stolen patient data online if the ransom demands aren't met. This further emphasizes the urgency for the victim to comply.

Now that we've established the critical role of cybersecurity in healthcare and the potential consequences of cyberattacks, let's go into the actionable steps to take.

This cyberattack prevention checklist outlines essential measures to significantly reduce the risk of a successful attack.

Remember — cybersecurity is an ongoing process. Regularly review and update your security measures to stay ahead of evolving threats. Secure vendors like Tebra will provide many of these safeguards for healthcare organizations such as encryption and backups.

Implementing this cyberattack prevention checklist will mean that healthcare providers can significantly bolster their cybersecurity posture. However, even with the most comprehensive preventative measures, no system is entirely foolproof. 

Therefore, having a crisis management plan in place is essential to effectively respond to and recover from a potential cyberattack.

A cybersecurity framework bridges the communication gap between security leaders. 

By applying the same set of standards, healthcare providers can effectively compare the security practices of any vendor they might collaborate with.

With a framework in place that follows common cybersecurity standards, it becomes much easier to define the processes and procedures that your practice must take to assess, monitor, and mitigate cybersecurity risk.

There are 6 common US healthcare-specific cyber risk frameworks:

It’s worth noting that the HIPAA Privacy and HIPAA Security Rules are not actually cybersecurity frameworks. They serve to outline the absolute minimum security standards for compliance with HIPAA.

As best practices, healthcare practices should:

Consider implementing multi-factor authentication solutions. These should include phishing-resistant multi-factor authentication where appropriate. 

Robust authentication serves as the first line of defense against malicious intrusions and attacks, yet a recent analysis of cyber breaches reported that 86% of attacks to access an organization’s internet-facing systems (such as web and email servers) used stolen or compromised credentials.

Have effective cybersecurity strategies that require mobilization and coordination of resources across public and private stakeholders. These can include hospitals, IT vendors, connected medical device manufacturers, and governments. Mobilizing and coordinating resources across these stakeholders can help mitigate the risks and minimize the impacts of a cyberattack.

Require vendors to demonstrate strong security measures. These can include encryption, strict access controls, comprehensive backup and disaster recovery processes, secure transmission protocols, advanced endpoint protection, and mandatory security awareness training for all personnel. 

"By contractually obligating vendors to adhere to these security essentials and provide proof of independent validation, practices can offload much of the cybersecurity burden," says Jesse Salmon, Manager of Information Security at Tebra.

Set up your network and machines from a centralized control point. This can make maintaining a vigilant posture easier. Many IT professionals who work with small businesses manage their IT infrastructure with automation tools. Check to see if your vendor uses such tools and can provide you with reports on a periodic basis. It’s helpful to see the most recent versions of various software programs running in your ecosystem and which versions you’re currently on.

Let’s turn to actionable strategies to handle cyberattacks in healthcare practices. 

We’ll look at both how to create an Incident Response Plan (IRP) and a crisis management plan. An IRP and the crisis management plan work collaboratively to address a cyberattack.

Imagine a hospital's network is compromised by a ransomware attack that encrypts critical patient data.

The IRP acts as the hospital's IT security team responding to the malware attack.

There are 6 phases in the incident response process: 

The ultimate goal is to contain the immediate threat (ransomware attack), recover critical data, and minimize the long-term consequences (loss of patient trust, legal issues).

Each phase of the IRP is critical, and it is important everyone knows which phase is current. As threats can change quickly, it is vital to focus on the most important task.

For the best cybersecurity in healthcare practices, it is crucial to refer to and follow the documented incident response or crisis management plan immediately. 

"The biggest mistake one can make is being unprepared and having to make up the response on the fly," Salmon notes. "Such unpreparedness can result in missteps, compliance lapses, and potentially greater impacts."

By incorporating lessons learned from cyber incidents and following industry best practices, you can continuously strengthen your overall security posture, enhance your incident response capabilities, and better protect your organization against evolving cyber threats.

Building upon the foundation of the IRP, let's explore how to create a comprehensive crisis management plan to address the broader consequences of a cyberattack in a healthcare setting.

Here's a breakdown of the key steps involved:

Establish a dedicated team of individuals from various departments, including IT security, public relations, legal counsel, and senior management. It’s essential to clearly define roles and responsibilities for each team member.

Pre-determine communication channels for internal and external stakeholders. Internally, ensure staff are informed about the situation, potential consequences, and recommended actions. Externally, establish protocols for communicating with patients, media outlets, and regulatory bodies.

Develop pre-approved communication templates and statements to ensure consistent and factual messaging during a crisis. Identify a designated spokesperson to deliver official information to the public.

Regularly train the crisis management team on their roles, communication protocols, and media relations best practices.

To test the effectiveness of the crisis management plan and identify areas for improvement, simulate potential cyberattack scenarios through tabletop exercises.

Consult with legal counsel to understand reporting requirements and potential legal ramifications associated with a data breach.

Familiarize yourself with relevant data privacy regulations (such as HIPAA) and establish procedures for complying with reporting mandates in case of a cyberattack.

Regularly review and update the crisis management plan to reflect changes in the regulatory landscape, evolving cyber threats, and lessons learned from past incidents. Part of this phase includes analyzing the root cause, identifying gaps, and updating defenses and staff training accordingly.

By following these steps and working in close collaboration with the established IRP, healthcare organizations can effectively manage the broader consequences of a cyberattack. 

This includes mitigating reputational damage, ensuring patient trust, and navigating any legal or regulatory hurdles that may arise. A well-defined crisis management plan serves as a critical roadmap for guidance through a complex and potentially damaging situation.

One of the most effective ways to enhance your organization's cybersecurity is to learn from real-world cyber incidents and incorporate those lessons into your security measures. 

While details of high-profile breaches may be limited, there are reputable sources that can provide valuable insights and best practices, such as:

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) at the US Department of Health and Human Services (HHS) have released version 3.4 of the Security Risk Assessment (SRA) Tool. 

Conducting a yearly security risk assessment is required to be compliant with HIPAA, so this tool is designed to aid small and medium-sized healthcare organizations in their efforts to assess security risks. 

"Businesses should conduct a risk assessment at least annually, but given the pace at which new threats are emerging, businesses would benefit from a semi-annual or possibly quarterly review process," says Anthony Comfort, VP of Product Management at Tebra. Comfort says that one way to make this more achievable is by separating checklist items into those that can be reviewed annually vs. items that should be reviewed more frequently. "For example, checking your systems for needed updates should be a frequent activity, but security and awareness training for employees may be something you do yearly," he adds.

In addition, consider using EDR (Endpoint Detection and Response) tools for an extra layer of security.

Here's why EDR is helpful:

Tebra is dedicated to helping doctors build an industry-leading security program to ensure all patient data is safe and protected. To ensure a top level of security, Tebra implements the best practice security frameworks, using both in-house and third-party tools and services.