A summary of the findings in HHS’s Hospital Cyber Resiliency Landscape Analysis Report.
The rapid digital transformation of healthcare has produced significant strides in improving efficiency, accessibility, and quality of care but has also exposed healthcare organizations to unprecedented cybersecurity risks.
Recognizing the need for a comprehensive assessment of cyber resiliency in hospitals, the U.S. Department of Health and Human Services (HHS) examined the landscape of cybersecurity measures employed by healthcare institutions and produced the HHS Hospital Cyber Resiliency Landscape Analysis Report. The report, published close to the 2023 405(d) HICP updates, sheds light on hospitals’ cybersecurity preparedness and resilience nationwide. This comprehensive analysis aims to identify vulnerabilities, best practices, and areas of improvement in the face of evolving cyber threats. The resulting report uncovered these ten common trends across hospitals and health systems:
1. Ransomware remains the top threat. Attacks that directly target and disrupt clinical operations continue to grow, and because ransomware can delay patient care, lengthen stays, and even raise mortality rates, the FBI and DOJ now treat cyberattacks on hospitals as “threat to life” crimes.
Ransomware is becoming more challenging for hospitals for multiple reasons, including the time it takes to detect threat actors before they deploy ransomware across an organization. A report from CrowdStrike found that it can take up to 250 days to identify these intrusions, and its Global Threat Report found that 80% of cyberattacks use identity-based techniques, compromising legitimate credentials to move laterally across an organization while avoiding detection.
2. Security controls are inconsistent. Variable adoption of critical security features and processes, coupled with a continually evolving threat landscape, can expose hospitals to more cyber-attacks.
While 90% of surveyed hospitals indicated they’re using multi-factor authentication (MFA), they aren’t necessarily applying it consistently across key systems and critical entry points, which introduces risk. Without full adoption of controls across all critical assets, a single stolen credential (obtained through phishing, for example) can be replayed against every system that still lacks the control.
While 89% of hospitals indicated they conduct vulnerability assessments at least quarterly, advanced testing such as red team, purple team, or penetration tests is used by 20% or fewer. And even though they are internet-facing, only 70% of hospitals run vulnerability scans against their own websites.
Unfortunately, only 53% of respondents indicated they had documented plans to address vulnerabilities once discovered, meaning findings can sit unremediated and the security risk is never actually reduced.
Finally, the rapidly growing adoption of in-home care delivery technologies that use connected medical devices poses challenges to ensuring that the devices and the data communicated to and from them are protected. These are further exacerbated in rural communities where internet bandwidth and availability can be limited.
3. Email protection has improved, but cyber attackers continue evolving their tactics. 99% of hospitals say they’ve implemented email protections, which is good news since email is a key attack vector. Still, while hospitals use a variety of controls, such as spam and phishing protections and URL detection, newer attacker strategies rely on messages and links that are benign at delivery time and only turn malicious afterwards (for example, a link whose destination is weaponized after the email has already passed filtering), bypassing spam and anti-virus controls that only inspect content on arrival.
4. The supply chain poses significant risk. In a recent H-ISAC Threat Report, healthcare CISOs ranked third-party and supply chain risk as their third most serious threat, yet less than half of hospitals in HHS’s report indicated they have adequate coverage to manage and assess supply chain risk, largely due to a lack of resources and technologies. More concerning, in a separate report, 50% or fewer of hospitals said they evaluate third-party vendors for risks to patient safety.
5. Medical devices haven’t yet been a prominent attack target. Although not a prominent attack vector, medical devices are still a cybersecurity concern that needs attention. Legacy and unsupported devices are vulnerable to cyberattacks, and many hospitals don’t employ network segmentation because it could limit device usefulness. Teams have also found it challenging to scan older medical devices for vulnerabilities because it could disrupt the device during scanning and negatively impact patient care.
6. Resiliency varies significantly from hospital to hospital. Smaller hospitals, not surprisingly, have more limited resiliency and minimal ability to stay current on cyber threat trends. It’s challenging for them to keep up because they don’t have the resources they need, and their security teams are essentially treading water. Resiliency investment ranges from 0.07% to 0.75% of revenue across hospitals.
7. An alarming number of hospitals still use legacy hardware and software. Many hospitals invested in large, complex hardware and software systems that house an extensive amount of data, making it difficult to move away from them as newer, more nimble technology becomes available. Hospitals should understand that threat actors commonly look to exploit the known vulnerabilities of these outdated systems, which makes them incredibly risky to an organization. Approximately 96% of small, medium, and large hospitals surveyed are running end-of-life operating systems or software, including on medical devices.
8. Increasing cyber insurance premiums have led some hospitals to forgo coverage or self-insure. Cybersecurity insurance premiums rose by an average of nearly 50% in 2021; some hospitals reported increases of more than 100%. For those with cyber insurance, failure to meet the insurer’s required security controls can trigger coverage exclusions, limiting the value of their policies. These exclusions are most likely to affect smaller and rural hospitals that have less to invest in cyber controls.
9. There’s a serious shortage of cybersecurity talent and experience. This is especially true for smaller hospitals. According to CyberSeek, a heatmap of cybersecurity jobs, there are currently more than 755,000 cybersecurity openings in the U.S. across all industries, and healthcare must compete for that same pool. Individuals with cybersecurity skills often seek positions in other industries known to pay higher salaries and support work-from-home policies. For rural hospitals this is especially difficult, because the talent they can hire often wears multiple hats as resources are spread very thin.
10. Adopting Health Industry Cybersecurity Practices (HICP) improves resiliency. The HHS report found that for every 1% increase in HICP coverage there was an average increase of 0.78% in NIST Cybersecurity Framework coverage, indicating a strong correlation between the two.
Recommendations to Address Cyber Risks
While the HHS landscape analysis focused on hospitals, the reality is that all healthcare covered entities and their business associates likely face similar risks. The following seven best practices can help you protect your organization against the changing cyber threat landscape and mature your existing cybersecurity practices:
1. Perform ongoing risk analysis of all information systems at the asset level to identify where gaps exist and create risk response plans based on risk level.
2. Consider following the NIST SP 800-37 Risk Management Framework when implementing new systems: categorize the system, select and implement controls, assess them (including an OCR-compliant risk analysis), and decide at the governance level whether to accept, avoid, mitigate or transfer the residual risk based on your organization’s risk tolerance and risk threshold.
3. Move from quarterly vulnerability scans to vulnerability management with ongoing scanning and remediation. New vulnerabilities surface constantly, and while it is challenging to keep up with them all, it’s important to go beyond identifying these risks and ensure they’re actually addressed, especially when they affect critical systems and assets. A vulnerability management program ties each finding to an owner, a priority based on asset risk, and a remediation deadline, so your teams can respond to these risks more quickly and more strategically.
4. Conduct more sophisticated penetration testing, such as red teaming, especially for organizations already doing penetration testing. Another recommendation is to conduct security controls validation assessments to test implemented controls to determine if they’re actually working as intended and, if not, address those issues.
5. Review network segmentation, especially if you have unpatched and unsupported devices.
6. Employ more advanced security awareness training and phishing/social engineering testing.
Phishing is a form of social engineering, and it’s becoming more advanced. That means your security awareness training program must also advance to address the new techniques threat actors employ, including more complex and more frequent social engineering testing.
7. Architect your third-party risk management program in a tiered approach to assess vendors based on risk to patient safety. This can be challenging for healthcare organizations with limited resources; however, it can be accomplished. First, understand the level of assessment you need to conduct for each vendor type and then determine how frequently you will conduct assessments based on potential risk impact on your organization so you can maximize the resources you have to manage risk more effectively.
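As an added example (not code from the HHS report or from Clearwater), the following Python script shows what recommendation 3 looks like in practice: scan findings joined to an asset inventory that records clinical criticality, internet exposure and end-of-life status, ranked into SLA tiers, with unpatchable legacy systems (trend 7) routed to a compensating control instead of being dropped, scanned hosts missing from the inventory flagged as a gap in the asset-level risk analysis (recommendation 1), and overdue items surfaced for follow-up. The inventory, the findings, the VULN-000x identifiers, the scoring weights, the tier thresholds and the SLA days are all constructed or assumed policy, not values from the report.

```python
"""Risk-ranked remediation queue: scan findings joined to an asset inventory.

Added example, not code from the HHS report or from Clearwater. The asset
inventory, scan findings, scoring weights and SLA table are constructed for
illustration; the VULN-000x identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation deadline in days per priority tier (assumed policy).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # 1 (low) .. 5 (directly affects patient care)
    internet_facing: bool
    end_of_life: bool       # unsupported OS/software; vendor patches no longer ship


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float
    exploited_in_wild: bool  # e.g. present in a known-exploited-vulnerabilities list


# Constructed inventory and scan output (not real hosts or advisories).
ASSETS = {a.host: a for a in [
    Asset("ehr-db-01", 5, False, False),
    Asset("patient-portal", 4, True, False),
    Asset("infusion-gw-07", 5, False, True),
    Asset("kiosk-lobby-2", 1, False, False),
]}
FINDINGS = [
    Finding("ehr-db-01", "VULN-0001", 9.8, True),
    Finding("patient-portal", "VULN-0002", 7.5, False),
    Finding("infusion-gw-07", "VULN-0003", 8.8, False),
    Finding("kiosk-lobby-2", "VULN-0004", 5.3, False),
    Finding("legacy-box-99", "VULN-0005", 6.0, False),   # host absent from inventory
]
SCAN_DATE = date(2024, 1, 1)
REVIEW_DATE = date(2024, 2, 15)


def score(finding: Finding, asset: Asset) -> float:
    """Technical severity weighted by asset context.

    CVSS alone ranks a lobby kiosk and the EHR database equally; weighting by
    criticality and escalating for in-the-wild exploitation and internet
    exposure puts the clinically important, reachable hosts first.
    """
    s = finding.cvss * asset.criticality           # 0 .. 50
    if finding.exploited_in_wild:
        s *= 1.5
    if asset.internet_facing:
        s *= 1.25
    return round(s, 1)


def tier(s: float) -> str:
    """Map a score to a priority tier (thresholds are assumed policy)."""
    if s >= 40:
        return "P1"
    if s >= 25:
        return "P2"
    if s >= 10:
        return "P3"
    return "P4"


def build_queue(findings, assets, scan_date):
    """Return findings as an ordered work queue, each with a due date and an action."""
    rows = []
    for f in findings:
        a = assets.get(f.host)
        if a is None:
            # A scanned host the inventory does not know about is a gap in the
            # asset-level risk analysis itself: queue it rather than drop it.
            t = "P2"
            rows.append({"vuln_id": f.vuln_id, "host": f.host, "score": f.cvss,
                         "tier": t, "due": scan_date + timedelta(days=SLA_DAYS[t]),
                         "action": "inventory gap"})
            continue
        s = score(f, a)
        t = tier(s)
        # End-of-life systems cannot be patched; the finding stays open against a
        # compensating control such as network segmentation instead of being closed.
        action = "compensating control: segment/isolate" if a.end_of_life else "patch"
        rows.append({"vuln_id": f.vuln_id, "host": f.host, "score": s, "tier": t,
                     "due": scan_date + timedelta(days=SLA_DAYS[t]), "action": action})
    rows.sort(key=lambda r: (r["tier"], -r["score"]))
    return rows


def overdue(queue, as_of, fixed=frozenset()):
    """Vulnerability IDs whose SLA has lapsed and which have not been closed."""
    return [r["vuln_id"] for r in queue
            if r["vuln_id"] not in fixed and r["due"] < as_of]


if __name__ == "__main__":
    q = build_queue(FINDINGS, ASSETS, SCAN_DATE)
    for r in q:
        print(f'{r["tier"]} {r["score"]:5.1f} {r["host"]:15} {r["vuln_id"]} '
              f'due {r["due"]} {r["action"]}')
    print("overdue at", REVIEW_DATE, overdue(q, REVIEW_DATE, fixed={"VULN-0001"}))
```

The point of the script is the two things a quarterly scan report does not give you: every finding carries a deadline derived from asset risk rather than CVSS alone, and the `overdue` check at the next review turns "we scan" into "we know which critical findings we have not fixed". Real programs feed this from the scanner export and a CMDB; the weights here are a starting point to be tuned against your own risk tolerance.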
Not sure where to start? We can help. You can find more resources in our resource library or connect with us to learn more about how the Clearwater team can help you establish and mature your cybersecurity program.