Top 5 causes of cybersecurity incidents in Healthcare


Celebrating the 10th anniversary of becoming a cybersecurity consultant (the last 8 with Coalfire), I decided to look back on the top 5 things I find when conducting a healthcare risk analysis or advising on incident response.
5. Doing “just enough" to be compliant.
Frameworks such as NIST 800-53, the NIST CSF, and ISO 27001 are great if you implement them with risk and privacy as the main drivers, but if you only implement the minimum baseline and conduct “checkbox” audits, you are potentially leaving risk on the table. The Office for Civil Rights (OCR) provides a 9-point checklist for conducting a HIPAA-compliant Risk Analysis. Internal security and privacy staff must understand and implement it, or the entity should use a professional third-party cyber risk assessor to evaluate threats and vulnerabilities to Protected Health Information (PHI) assets. The controls in the framework help mitigate those risks, but they shouldn’t be the sole focus of the information security program.
4. Supply Chain/Third-Party Risk.
Healthcare providers tend to have large and often complex supply chains. Hospitals and other provider buildings tend to be transient environments with patients, visitors, contractors, delivery people, etc. Historically, we have seen a lack of investment in securing the supply chain or performing risk analysis of third parties. This has started to improve over recent years as more healthcare entities move to cloud-based solutions and inherit a lot of controls from their Cloud Service Provider (CSP), but this isn’t a practical solution for many smaller companies. On-premises solutions, especially coupled with legacy systems, remain a huge vulnerability.
3. Legacy Systems.
When budgets are unavailable for system upgrades, known vulnerabilities can often be exploited. The risk is increased when error messages are too descriptive; during Coalfire penetration testing, we are often able to obtain application names, version numbers, patch status, etc., from uncredentialed testing alone. If we can do it, so can malicious actors. This information makes it a lot easier to conduct spear phishing and to target specific systems that may not have been patched for a number of years.
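The following is an added example, not code from the original post or from Coalfire: a constructed error handler in its verbose form, which leaks the application name, version and patch level that the paragraph describes, beside a hardened form that returns a generic message with a correlation id and keeps the detail in server logs. The product banner and header names are assumptions for illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("app.errors")

# Constructed, hypothetical banner: exactly the kind of detail an
# uncredentialed scan should never learn from an error page.
APP_BANNER = "RadiologyViewer 4.2.1 (patch level 2017-03) on ImagingDB 9.0.4"

# Response headers that commonly fingerprint the stack (assumed list).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-runtime"}

# Crude detector for version-like tokens such as "9.0.4" or "4.2".
VERSION_PATTERN = re.compile(r"\b\d+\.\d+(\.\d+)?\b")


def verbose_error_response(exc: Exception) -> dict:
    """The 'before' behaviour: internal detail goes straight to the client."""
    return {
        "status": 500,
        "headers": {"Server": APP_BANNER, "X-Powered-By": "ImagingDB 9.0.4"},
        "body": f"{APP_BANNER}: {type(exc).__name__}: {exc}",
    }


def hardened_error_response(exc: Exception, headers: dict) -> dict:
    """Generic client message; full detail is logged under a correlation id."""
    correlation_id = uuid.uuid4().hex
    log.error("correlation_id=%s type=%s detail=%s",
              correlation_id, type(exc).__name__, exc)
    # Drop every header that fingerprints the stack, keep the rest.
    safe_headers = {k: v for k, v in headers.items()
                    if k.lower() not in FINGERPRINT_HEADERS}
    return {
        "status": 500,
        "headers": safe_headers,
        "body": f"An internal error occurred. Reference: {correlation_id}",
    }


def leaks_version_info(response: dict) -> bool:
    """Check a response the way a reviewer would: any version token in body or headers?"""
    text = response["body"] + " " + " ".join(response["headers"].values())
    return bool(VERSION_PATTERN.search(text))
```

The correlation id lets the help desk find the logged detail without the client ever seeing it.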
2. Insider Threats.
Insider threats are sometimes malicious but more frequently accidental: hospital staff working long hours are susceptible to dropping their cybersecurity guard. For example, they might click on links in malicious emails or hold doors open to secure areas for unauthorized people. Inadvertently giving out small pieces of information on C-suite and senior hospital staff, which can be combined into a targeted whaling attack, is another vector to be considered. Staff need to be trained in recognizing and reporting behavior that might indicate an insider threat.
1. Lack of, or poorly executed, Risk Analysis.
During breach investigations, the most common OCR finding is that a thorough risk analysis has not been conducted. Had one been conducted, the exploited vulnerability should have been identified and mitigated. Budget constraints are often cited as the reason for not having regular Risk Analyses, and some healthcare entities mistakenly purchase a much cheaper compliance gap assessment, which only looks at meeting the HIPAA Security Rule requirements, not at the threats to PHI. The “OCR-9” starts with the scope of the system and identifies the PHI assets. Determining the level of risk doesn’t appear until step 7, so you can see there is a lot of work involved in conducting a risk analysis that would pass an OCR investigation.
Summary
A good cybersecurity program must always begin with an inventory of your assets and a risk analysis to determine what threats and vulnerabilities are associated with them. The risk analysis should help identify all the other potential weaknesses, e.g., a legacy system that nobody knew about, out-of-date or missing training, or which of your vendors use or disclose PHI on your behalf.
