Healthcare runs on trust and reliability. When systems go down, appointments are delayed, medications are delayed, and clinicians lose the context they need at the bedside. Criminals know this, which is why healthcare remains one of the most targeted sectors and has carried the highest average data-breach cost of any industry year after year.
The 2024 ransomware attack on Change Healthcare, a major claims and pharmacy clearinghouse, showed how a single third-party outage can ripple across the entire industry. A nationwide hospital survey found that 94 percent of U.S. hospitals reported cash-flow problems and financial damage because of the delays in claims processing.
What makes healthcare a high-value target
- Life-or-death urgency: Patients depend on hospital systems that must be restored immediately. That increases ransom leverage and widens the blast radius of any downtime. The Change Healthcare incident disrupted eligibility checks and payment flows nationwide, affecting both access to care and provider solvency.
- Complex, aging environment: Most health systems juggle EHRs, imaging archives, pharmacy systems, labs, and a long tail of specialty applications. The older Windows hosts that drive imaging modalities and other devices typically cannot be patched as quickly as ordinary IT endpoints.
- Third-party dependency: Clearinghouses, billing providers, cloud EHR hosting, and health information exchanges broaden the attack surface and create concentrated points of failure, as the 2024 outage demonstrated.
- Highly monetizable data: PHI bundles identifiers, insurance details, and clinical information that fuel identity theft and fraud for years, which keeps healthcare records valuable on criminal marketplaces. Breach-cost research consistently places healthcare at the top.
How cyberattacks harm healthcare operations
- Clinical safety risks: Downtime forces paper processes, increases transcription errors, and slows clinical decision-making.
- Delayed treatments and procedures: Prior-authorization, pharmacy, and scheduling pipelines clog.
- Revenue-cycle disruption: Claims cannot be submitted or are denied, and smaller organizations face the threat of insolvency as cash flow slows.
- Reputational damage and regulatory scrutiny: Breaches trigger investigations and corrective action plans.
- Higher total cost: Beyond any ransom, organizations absorb forensics, recovery, legal counsel, patient notification, credit monitoring, and technology rebuilds.
A Senate hearing exposed a painful but instructive root cause of the 2024 Change Healthcare breach: a server that lacked multifactor authentication let the ransomware operators get in with stolen credentials. The company ultimately paid a ransom to restore access, underscoring how a single basic control can still decide the outcome.
The threats healthcare faces today
- Ransomware and extortion: Encryption combined with data theft is the dominant pattern.
- Phishing and credential theft: Often the first domino.
- Business email compromise: Fraudulent vendor payments and payroll redirection.
- Unpatched vulnerabilities: Especially in externally exposed services and remote access.
- Medical device and IoMT risks: Long lifecycles, shared credentials, and narrow patch windows. FDA premarket guidance now expects secure-by-design architectures, threat modeling, and vulnerability handling for network-capable devices.
- Supply-chain and third-party breaches: Concentration risk in clearinghouses, billing, and cloud platforms.
The rulebook is maturing: frameworks and guidance to build on
- HHS Healthcare and Public Health (HPH) Cybersecurity Performance Goals (CPGs): Voluntary "essential" and "enhanced" goals that help organizations prioritize high-impact, resilience-focused controls. Treat them as the practical starting point if your program is still early.
- NIST Cybersecurity Framework 2.0: Released in February 2024, CSF 2.0 adds a Govern function alongside Identify, Protect, Detect, Respond, and Recover, and sharpens expectations for leadership accountability, risk management, and supply-chain responsibility. It is sector-neutral and maps cleanly to health-specific guidance.
- FDA cybersecurity guidance for medical devices: Raises the bar for secure-by-design devices, the documentation included in premarket submissions, vulnerability communication, and SBOM practices. Coordinate with clinical engineering and biomed teams so procurement and deployment align with it.
A practical hospital plan (that doesn't slow down the clinic)
1) Stabilize the basics (first 60-90 days)
- Turn on MFA everywhere, starting with VPN and remote access, privileged accounts, and third-party portals. Missing MFA is a recurring root cause.
- Adopt a resilient backup strategy with offline or immutable copies, daily verification, and quarterly restore drills.
- Deploy EDR on workstations and servers with 24x7 monitoring, tuned so it does not interfere with clinical workflows.
- Segment the network so medical devices and OT systems are isolated from the general IT network; restrict east-west traffic to an explicit allow list.
- Write an incident response plan with ransomware-specific runbooks and explicit decision rights; exercise it in a tabletop.
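The segmentation step above is easiest to reason about as a default-deny allow list between zones. The following is an added example, not code from the article or from any vendor: it checks constructed flow records (source, destination, destination port) against an assumed zone map and allow list for a hospital network and reports every east-west flow the policy does not permit. The subnets, zone names, ports and sample flows are assumptions for illustration.

```python
"""
Added example (not from the original article): a default-deny east-west
policy check for a segmented hospital network. Zones, subnets, ports and
the sample flow log below are assumptions chosen for illustration.
"""
import ipaddress
from collections import namedtuple

# Assumed zones: device VLAN, clinical application servers, corporate IT users,
# and a small jump-host range inside the clinical app space for biomed admins.
ZONES = {
    "MED_DEVICES": ipaddress.ip_network("10.50.0.0/16"),
    "CLINICAL_APPS": ipaddress.ip_network("10.20.0.0/24"),
    "CORP_IT": ipaddress.ip_network("10.10.0.0/16"),
    "JUMP_HOSTS": ipaddress.ip_network("10.20.1.0/28"),
}

# Default deny. Only these (src_zone, dst_zone, dst_port) tuples are allowed.
# 104 = DICOM, 2575 = HL7 MLLP, 443 = HTTPS, 3389 = RDP (from jump hosts only).
ALLOW = {
    ("MED_DEVICES", "CLINICAL_APPS", 104),   # modality -> PACS (DICOM)
    ("MED_DEVICES", "CLINICAL_APPS", 2575),  # device -> interface engine (HL7)
    ("JUMP_HOSTS", "MED_DEVICES", 3389),     # biomed admin via jump host only
    ("CORP_IT", "CLINICAL_APPS", 443),       # staff -> EHR web front end
}

Flow = namedtuple("Flow", "src dst port")


def zone_of(ip):
    """Return the zone containing ip, or 'UNKNOWN' if no zone matches."""
    addr = ipaddress.ip_address(ip)
    # Most specific prefix first, so a jump host is not classified as a generic app server.
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "UNKNOWN"


def check_flow(flow):
    """Return (allowed, reason) for one flow against the zone allow list."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return True, f"intra-zone {src_zone}"
    if (src_zone, dst_zone, flow.port) in ALLOW:
        return True, f"{src_zone}->{dst_zone}:{flow.port} on allow list"
    # Anything not explicitly allowed, including traffic to UNKNOWN (e.g. internet), is denied.
    return False, f"{src_zone}->{dst_zone}:{flow.port} not on allow list"


def parse_flows(log_text):
    """Parse constructed 'src dst dst_port' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append(Flow(src, dst, int(port)))
    return flows


def find_violations(log_text):
    """Return [(flow, reason), ...] for every flow that violates the policy."""
    violations = []
    for flow in parse_flows(log_text):
        allowed, reason = check_flow(flow)
        if not allowed:
            violations.append((flow, reason))
    return violations


# Constructed sample flow log (an assumption, not captured traffic).
SAMPLE_LOG = """
# src            dst           dst_port
10.50.3.17       10.20.0.5     104
10.50.3.17       10.20.0.9     2575
10.20.1.4        10.50.3.17    3389
10.10.44.2       10.50.3.17    3389
10.50.3.17       10.10.44.2    445
10.10.44.2       10.20.0.5     443
10.50.3.17       8.8.8.8       53
"""

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.port}  ({reason})")
```

On the sample log this flags three flows: a corporate workstation opening RDP straight to a modality (bypassing the jump host), the modality reaching back into corporate IT over SMB, and the modality talking to the internet. The same allow-list table is what you would translate into firewall or ACL rules; running the check against exported flow records is a cheap way to confirm the rules actually hold.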
2) Reduce exposure (next 3-6 months)
- Patch externally exposed services quickly, and put a virtual-patching plan (IPS rules, access restrictions) around fragile legacy systems that cannot be patched on schedule.
- Stand up privileged access management with just-in-time admin rights.
- Roll out phishing-resistant MFA for high-risk roles, and eliminate shared credentials on modalities wherever feasible.
- Implement data protection: DLP policies for PHI, encrypted laptops, and secure sharing of clinical images.
- Formalize third-party risk management: tier vendors by criticality, require incident-notification SLAs, and test failover for the most critical integrations (eligibility, claims, and e-prescribing).
3) Build resilience and culture (6-12 months)
- Map your program to NIST CSF 2.0; set target profiles and measure maturity over time.
- Align to the HHS HPH CPGs for board-level visibility and quick wins that matter to care delivery.
- Create a medical-device security plan: inventory, risk scoring, clinical patch windows, and compensating controls. Require SBOMs and hardening baselines at procurement.
- Invest in detection and response for clinical networks: NDR, EHR downtime playbooks, and joint drills with pharmacy, imaging, and ED leaders.
- Measure what matters: time to detect an infected endpoint, time to restore a critical application, phishing click rate, completed vendor risk reviews, and successful restore tests.
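The device-security plan above calls for an inventory with risk scoring and compensating controls. The following is an added example, not code from the article or any regulator or vendor: it scores a constructed device inventory on exposure, consequence and hygiene factors and maps each device to a tier and the compensating controls to apply first. The weights, thresholds, field names and sample devices are assumptions for illustration and should be tuned with clinical engineering.

```python
"""
Added example (not from the original article): simple risk scoring over a
constructed medical-device inventory. Weights, tier thresholds, field names
and the sample devices are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    asset_id: str
    model: str
    os: str
    os_supported: bool        # vendor still ships OS/security updates
    patient_connected: bool   # attached to or treating a patient
    network_exposed: bool     # reachable from outside its device VLAN
    shared_credentials: bool  # vendor-default or shared login in use
    last_patched: date
    patch_window: str         # clinically approved window from biomed, e.g. "Tue 02:00-04:00"


def risk_score(d, today):
    """Score 0-100 from exposure, consequence and hygiene (assumed weights)."""
    score = 0
    if not d.os_supported:
        score += 30  # no vendor fixes will ever arrive
    if d.patient_connected:
        score += 25  # compromise is a patient-safety event
    if d.network_exposed:
        score += 20  # reachable from the flat network
    if d.shared_credentials:
        score += 15  # one stolen password compromises the fleet
    days_stale = (today - d.last_patched).days
    if days_stale > 365:
        score += 10
    elif days_stale > 90:
        score += 5
    return min(score, 100)


def tier_for(score):
    """Assumed tier thresholds."""
    if score >= 70:
        return "CRITICAL"
    if score >= 45:
        return "HIGH"
    if score >= 20:
        return "MODERATE"
    return "LOW"


def recommend(d, today):
    """Return (tier, score, compensating controls) for one device."""
    score = risk_score(d, today)
    actions = []
    if d.network_exposed:
        actions.append("move to isolated device VLAN; allow-list only PACS/HL7 peers")
    if d.shared_credentials:
        actions.append("rotate to per-device credentials; vault the vendor account")
    if not d.os_supported:
        actions.append("virtual patching (IPS/ACL) plus host allow-listing; plan replacement")
    elif (today - d.last_patched).days > 90:
        actions.append(f"schedule vendor patch in window {d.patch_window}")
    return tier_for(score), score, actions


def triage(inventory, today):
    """Rank the inventory, highest risk first: [(asset_id, tier, score), ...]."""
    ranked = [(d.asset_id, *recommend(d, today)[:2]) for d in inventory]
    return sorted(ranked, key=lambda r: -r[2])


# Constructed sample inventory (an assumption, not a real fleet).
TODAY = date(2025, 3, 1)
INVENTORY = [
    Device("US-0412", "Ultrasound cart", "Windows 7", False, True, True, True,
           date(2019, 6, 1), "Sat 01:00-05:00"),
    Device("MR-0021", "MRI console", "Windows 10", True, True, False, False,
           date(2024, 11, 15), "Tue 02:00-04:00"),
    Device("LB-0093", "Lab analyzer", "Linux", True, False, True, False,
           date(2025, 1, 20), "Sun 03:00-04:00"),
]

if __name__ == "__main__":
    for d in INVENTORY:
        tier, score, actions = recommend(d, TODAY)
        print(f"{d.asset_id} {d.model}: {tier} ({score})")
        for a in actions:
            print(f"    - {a}")
```

The output is deliberately ordered by what reduces risk fastest: isolation and credential hygiene can be done in days without touching the device, while an unsupported OS goes onto a replacement plan with virtual patching in the meantime. The patch window travels with the device record so IT never schedules a reboot during a clinic session.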
What this means for different stakeholders
- Clinicians and care teams: Better security should reduce friction, not add it. Keep security invisible at the point of care: isolate devices in the background, use single sign-on with phishing-resistant MFA, and streamline downtime procedures.
- Finance and revenue cycle: Cyber hygiene is now a cash-flow control. As Change Healthcare showed, outages can stall accounts receivable and destabilize finances, especially for smaller clinics and pharmacies.
- Clinical engineering / biomedical engineering: Device security is now part of device safety. Partner with IT on network separation, patch windows, and validation of compensating controls in line with FDA guidance.
- Executives and boards: Treat cyber risk as enterprise risk. Use CSF 2.0 and the HHS CPGs as a shared language, set a risk appetite, and fund the controls that reduce downtime and patient risk.
FAQs
Is cybersecurity a cost center or a patient-safety investment?
Both. Preventing downtime reduces patient risk and protects revenue. Breach costs in this sector are the highest of any industry, so proactive investment pays for itself.
What can smaller practices do without a large budget?
Start with the HHS "essential" CPGs: MFA, backups, vendor triage, EDR, and a tested incident plan. They are high-impact and affordable.
Which framework should we choose?
Use NIST CSF 2.0 as the backbone and map it to the HHS CPGs. For devices, follow FDA guidance and request security documentation from vendors.
Does stronger security slow clinicians down?
It shouldn't. Involve clinical champions early, test changes on high-volume devices, and use SSO with phishing-resistant MFA so security improves workflow rather than hindering it.
Bottom line
Cybersecurity in healthcare is not only an IT issue. It is a patient-safety concern, a revenue-cycle risk, and a brand-trust essential. The sector's 2024 experience showed that a third-party outage can slow finances and care delivery across the nation. Start with MFA, backups, segmentation, EDR, and an incident plan. Then use NIST CSF 2.0, the HHS CPGs, and FDA device guidance to mature the program. The goal is to keep clinicians moving and patients safe no matter what is happening on the network.