Health care providers need Rx for new kinds of ‘viruses’

Martin Daks//December 4, 2023//

Medicine doctor working with modern computer interface

PHOTO: DEPOSIT PHOTOS

Medicine doctor working with modern computer interface

PHOTO: DEPOSIT PHOTOS

Health care providers need Rx for new kinds of ‘viruses’

Martin Daks//December 4, 2023//

Listen to this article

Earlier this year, the New Jersey Cybersecurity & Communications Integration Cell warned that, “with high confidence the cyber threat and overall risk to the health care and public health sector is high and increasing.” The sensitive medical and other personally identifiable information held by health care providers can be a goldmine for bad actors. We spoke with some experts about the steps they’re taking to protect patient data.

RWJBarnabas Health Chief Information Security Officer Hussein Syed
Syed

“Health care in general is a big target,” observed RWJBarnabas Health Chief Information Security Officer Hussein Syed. “According to federal agencies, more than 600 ransomware and other cybersecurity incidents a year targeting health care institutions have been reported. This is a continuing concern for all health care organizations, and it’s not going away soon, because the personally identifiable information and other sensitive data that makes up health care information has no expiration date.”

As a large organization, “maintains a cybersecurity management program, with strategic controls,” he noted. “We also have a framework in place to keep management updated on our activities.”

Measures like “endpoint detection and response [continuous monitoring] and multifactor authentication are no longer ‘nice things to have,’” according to Syed. “They, along with email security, are now ‘must-haves.’”

Multi-pronged approach

Those and other kinds of digital cybersecurity solutions need to be reinforced by periodic training and testing, he added. “Because cybersecurity is not the primary focus of our medical, support and administrative personnel, we have programs in place to provide education and training, so they are aware of current issues,” Syed explained. “Every organization should also test their cybersecurity systems and users periodically to ensure everything is functioning as it should, and users are following proper protocols and safeguards. This is typically accomplished with penetration testing, phishing exercises [simulated cyberattacks, and social engineering attempts], along with other simulations designed to test end-user awareness.”

The efforts don’t end there, though. “We also have third-party risk management procedures in place to ensure that vendors or other organizations who have relationships with us comply with HIPAA [Health Insurance Portability and Accountability Act] and other risk and regulatory standards,” Syed said. “Health care cybersecurity is challenging because it is a dynamic environment. Threat actors change repeatedly, and new geopolitical risks continue to emerge, so we are staying vigilant and responding as needed.”

John Novak, chief information officer and VP of information services for Bergen New Bridge Medical Center
Novak

At Bergen New Bridge Medical Center, “We take a layered approach, which starts with the end users,” according to Chief Information Officer John Novak. “We can implement all the technology, processes, and policies we want but the human factor is the most vulnerable part of the security ecosystem. As part of onboarding and annual training, we teach and reinforce the importance of privacy and cybersecurity.”

The medical center limits access “to only what is needed for employees to do their jobs,” he added. “Our approach includes continuing education, perimeter security, endpoint protection, active monitoring, and alerting. We are also focused on known vulnerabilities and implementing the fix or remediation as soon as possible.”

Staff training is also important. “We have multiple security training programs throughout the year, including specific training on phishing — which are attempts to trick a user into providing sensitive information such as usernames, passwords and credit card information while pretending to be a trusted source,” he noted. “If a user fails a test, they are assigned additional training and are assigned more frequent tests. We also instill in our employees that cybersecurity education is not only important in the workplace but also in their personal lives so that their identities are not stolen or compromised. And we send out alerts when we see specific threats, or active attacks are reported, with reminders on how to stay protected.”

As a fail-safe, “All of our internal systems are backed up regularly on a platform that allows us to keep the data encrypted and allows us to ‘air gap’ the backup,” according to Novak, referring to storing data in a secure location or platform that is not connected to the rest of the network. “This gives us options to protect the data in several ways, local and cloud, depending on sensitivity, volume and retention needs. Then we do periodic testing to ensure it works.”

Sometimes, though, threats do not come from within a hospital’s system. “We often hear of breaches happening with third-party providers,” Novak warned. “As part of our onboarding process, we do a review of the partners’ security policies, procedures and controls. We also look at the methodology they use and ask for and review their most recent security assessments and any findings.”

Depending on what is discovered, “we may ask for additional information or specific controls to be implemented,” he said. “Just like our internal staff, we try and limit access to only what is necessary. We also control their connectivity where possible so in the event of any specific activity or change in the relationship, we can discontinue access.

Laura Pursley, marketing director at CloudWave
Pursley

Third-party cybersecurity providers also play an important role, according to Laura Pursley, marketing director at CloudWave, “We encourage hospitals to do a cybersecurity maturity model to really understand where they need to prioritize investments in cybersecurity,” she explained. “We also work with hospitals to encourage them not to just focus on the patient data.”

With the increased use of “smart” devices, the “most critical asset that needs to be protected are the patients,” noted Pursley. “If you focus on securing your systems and network, especially those connected medical devices that could impact human life, then you’re doing what is right for your patients. We help hospitals implement solutions that allow them to comply with best practices, detect threats and respond to any incidents quickly.”

The cybersecurity agency also backs up its services with education. “We believe that every health care cybersecurity strategy needs a strong educational component,” Pursley explained. “Since a high majority of incidents are due to human error, constant education of all departments is crucial. Cybersecurity is not just an IT problem. has a tremendous amount of educational resources that we make available, regardless of if you are a client or not. In February, we launched the Cybersecurity Insider Program, a strictly educational community. We host monthly live educational webinars on topics like medical device security, AI, and other cybersecurity topics. This community gets access to threat intelligence usually reserved for our clients, and it includes an annual virtual tabletop exercise. In addition, we’ve put together a Cybersecurity Toolkit for Health Care that gathers resources from [federal agencies] CISA [Cybersecurity and Infrastructure Security Agency], DHS [Department of Homeland Security] and others that can be used to train hospital teams.”

Game-changer

One of the biggest changes in the past year for cybersecurity “has been the rapid adoption of generative AI,” according to Pursley. “Not only are the hackers using generative AI to greatly advance their attacks, using AI in the hospital setting brings security challenges and HIPAA challenges. We’ve been working with hospitals to educate on how they should approach AI, how they can protect against AI-driven attacks, and what AI policies and procedures they should put in place.”

eMazzanti Technologies President Carl Mazzanti
Mazzanti

Other cybersecurity providers are also sounding the alarm. “Health care providers of all sizes are increasingly being held hostage by ransomware attacks,” said Carl Mazzanti, president of eMazzanti Technologies. “These are serious threats, which are compounded by the fact that there is so much personally identifiable information involved that could expose the health care institution to regulatory sanctions.”

He noted, however, that layered network security solutions are a defense against ransomware and other attacks.

“One must-have layer involves a ‘zero trust security’ framework, which assumes no entity can be trusted by default,” explained Mazzanti. “It begins with automated verification of every access request, while strict security policies and controls, based on the principle of least privilege, grant only the minimum access necessary. Multifactor authentication – where a user must provide a combination of two or more authenticators via mobile or other devices to verify their identity before the service grants them access – is a key component of this security layer.”

Network segmentation or dividing digital systems into multiple segments based on business needs and risk levels, provides further protection, Mazzanti said. “This approach allows businesses to limit the exposure of sensitive assets to unauthorized or compromised entities on the network. It also helps reduce the impact of a breach by preventing lateral movement of attackers within the network.”

Hackers often deploy “phishing” attacks — or social engineering designed to get users to click on malicious links or divulge passwords and other sensitive information, he warned. “But health care and other institutions can use email security solutions to detect spam and phishing attempts, provide dynamic analysis of links and attachments, and offer policy-enforced encryption and data loss prevention that can help deter cybercriminals.”