By Michael Coden and Mike Czumak
The number of cyber attacks on US health care systems has reached epidemic proportions. According to the Protenus Breach Barometer, hacking incidents rose 50% in 2020, affecting more than 41 million patient records. COVID-19 has played no small role in the surge: cyber criminals are taking advantage of the fact that more people are working from home on insecure devices and are focused more on protecting their health than on maintaining cybersecurity.
Left unchecked, cyber attacks can do incalculable damage to health care providers. Personal health information (PHI) and pharmaceutical research intellectual property are at risk, as is a hospital’s ability to deliver health care services.
To stem the tide, we recommend that health care provider systems and hospitals pursue a small number of key actions immediately, from assessing the risk of breaches to conducting tabletop simulations. At the same time, organizations should take steps to ensure a secure cyber environment for the long term.
Health care providers and hospitals should focus on six primary threats:
Given the urgency of the situation, health care providers and hospitals need to improve their cybersecurity at once. Five essential steps are key:
Perhaps strong phishing controls are in place, but malware prevention capabilities need to be bolstered. Segmenting or isolating critical assets on your network may also be an effective strategy. Since no one control is ever 100% effective, it’s important to put in place multiple layers of controls that can interrupt the attack chain of events in as many places as possible.
Memorial Sloan Kettering Cancer Center (MSK) has implemented a number of technical controls to address each step of a ransomware or malware attack. Other hospitals can similarly adopt these actions, which include (among others) email protections, multifactor authentication (MFA), privileged access management (PAM), advanced malware prevention, network security, data activity detection, and enterprise security information and events management (SIEM). (See Exhibit 1.)
It’s equally important to conduct a risk assessment for espionage threats. While this analysis may overlap somewhat with a ransomware assessment, there’s a key difference: the encryption phase of a ransomware attack is noisy. It generates a burst of disk activity (mass file reads, writes, and renames) and often a spike in network traffic, both of which a security operations center that uses a SIEM system can pick up relatively easily. The caveat is that the phases before encryption (initial access, credential theft, lateral movement) are much quieter, so this noise is a late signal rather than an early warning.
By contrast, espionage is quiet throughout. Cyber espionage attackers exfiltrate the information they are after slowly and patiently, in small volumes spread over weeks or months, precisely so that no single burst of network or disk activity stands out. Catching them means comparing long-window aggregates against a baseline rather than relying on short-term thresholds. So, depending on your threat profile, more controls may be required, such as additional layers of cyber protection and special training for researchers.
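The noisy-versus-quiet distinction above translates directly into how detection rules have to be written. The following is an added illustration, not code from the article or from MSK: it runs two kinds of rule over a small set of constructed events (a burst of file renames from one workstation, a 2 MB/day trickle to one external address from another, and a one-off legitimate bulk upload to a sanctioned file-sharing host). A short-window rule catches the ransomware encryption burst and the bulk upload but never sees the trickle; only a long-window, per-destination aggregate with an allowlist for sanctioned SaaS destinations isolates the slow exfiltration. Hostnames, the destination addresses, and the thresholds are all assumptions chosen for the example.

```python
"""Added example: burst-based vs. long-window aggregate detection rules.

Constructed telemetry only. Each event is (timestamp, host, kind, detail):
  kind == "file_rename": detail is the new file extension (file-audit source)
  kind == "net_out":     detail is (destination, bytes_sent) (proxy/firewall source)
"""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
T0 = datetime(2021, 3, 1, 9, 0, 0)  # arbitrary start of the observation period


def build_sample_events():
    """Constructed sample events; hostnames and addresses are made up."""
    events = []
    # 1. Ransomware encryption phase on ws-lab-12: 150 renames to .locked in 30 s.
    for i in range(150):
        events.append((T0 + timedelta(seconds=i * 0.2), "ws-lab-12", "file_rename", ".locked"))
    # 2. Ordinary user on ws-clinic-03: a few renames spread across the day.
    for i in range(8):
        events.append((T0 + timedelta(hours=i), "ws-clinic-03", "file_rename", ".docx"))
    # 3. Low-and-slow exfiltration from ws-research-07: 2 MB per day to one external
    #    address for ten days, never more than 2 MB in any single hour.
    for day in range(10):
        events.append((T0 + timedelta(days=day, hours=3), "ws-research-07", "net_out",
                       ("203.0.113.45", 2 * MB)))
    # 4. Legitimate one-off bulk upload from ws-clinic-03 to a sanctioned SaaS host.
    events.append((T0 + timedelta(days=2), "ws-clinic-03", "net_out",
                   ("files.example.org", 30 * MB)))
    return events


def rename_burst_hosts(events, window=timedelta(seconds=60), threshold=50):
    """Rule 1 (noisy signal): flag any host that renames >= threshold files
    inside a sliding window. Models the disk 'noise' of the encryption phase."""
    renames = defaultdict(list)
    for ts, host, kind, _ in events:
        if kind == "file_rename":
            renames[host].append(ts)
    flagged = set()
    for host, times in renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return flagged


def outbound_bytes(events, window, allowlist=frozenset()):
    """Sum bytes sent per (host, destination) inside fixed time buckets of
    length `window`, ignoring destinations on the sanctioned allowlist."""
    totals = defaultdict(int)
    for ts, host, kind, detail in events:
        if kind != "net_out":
            continue
        dest, nbytes = detail
        if dest in allowlist:
            continue
        bucket = int((ts - T0) / window)
        totals[(host, dest, bucket)] += nbytes
    return totals


def exfil_hosts(events, window, threshold_bytes, allowlist=frozenset()):
    """Rule 2: flag hosts whose per-destination total in any bucket exceeds
    the threshold. The same rule behaves very differently as `window` grows."""
    return {host for (host, _dest, _bucket), total
            in outbound_bytes(events, window, allowlist).items()
            if total >= threshold_bytes}


def run_detections(events=None):
    """Run the rules and return which hosts each one flags."""
    events = build_sample_events() if events is None else events
    sanctioned = frozenset({"files.example.org"})  # assumed enterprise file-sharing host
    return {
        "ransomware": rename_burst_hosts(events),
        # 1-hour window, 20 MB: sees the bulk upload, blind to the 2 MB/day trickle.
        "bulk_exfil_1h": exfil_hosts(events, timedelta(hours=1), 20 * MB),
        # 7-day window, 10 MB, no allowlist: catches the trickle but also the SaaS upload.
        "slow_exfil_7d_naive": exfil_hosts(events, timedelta(days=7), 10 * MB),
        # 7-day window with sanctioned destinations removed: only the trickle remains.
        "slow_exfil_7d": exfil_hosts(events, timedelta(days=7), 10 * MB, sanctioned),
    }


if __name__ == "__main__":
    for rule, hosts in run_detections().items():
        print(f"{rule:22s} -> {sorted(hosts)}")
```

The short-window volume rule and the long-window aggregate are not alternatives; a SOC needs both, and the allowlist is what keeps the long-window rule from drowning in the sanctioned collaboration tools discussed below. In a real SIEM the allowlist would be a maintained list of enterprise SaaS destinations and the 10 MB threshold would be derived from each host's own baseline rather than a fixed constant.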
Depending on the threat, there may be many other layers of controls that an organization will want to consider (data loss prevention (DLP) software, encryption, and so on), but there may be competing priorities and resource restraints to deal with. Taking into account existing controls and using a risk-based approach can help hospitals determine which processes, procedures, and technologies to invest in for the greatest reduction in cyber risk.
But getting employees to adopt different behaviors is difficult. Many users are simply looking for the quickest and easiest way to get their job done. Rather than outright prohibiting things like collaboration or file sharing, hospitals should consider providing securely configured and managed enterprise solutions like Box, Office 365, G-Suite, or Slack, which can help reduce the use of personal accounts while putting the necessary oversight and risk reduction controls in place. Additionally, technical safeguards like disabling unsigned macros and sandboxing (separating apps from critical resources) can mitigate the fallout from users opening attachments or clicking malicious links.
While technical controls are key to a robust risk mitigation strategy, they are not a replacement for a strong culture of security awareness. It’s critical both to show employees why cybersecurity is as vital as safety and ethics and to teach them how to avoid causing an incident in the future. In addition, hospitals should consider not only punishing risky behavior but also acknowledging and rewarding good security practices. MSK has implemented a security awareness program that leverages activities such as formal training, webinars, office hours, contests, and organization-wide phishing assessments.
Developing the necessary playbook and response plan is also essential. Like MSK, many hospitals already have an incident command team that responds to significant events. Instead of creating a completely new team, organizations may prefer to develop response plans that leverage the processes, participants, and command structure of the existing group. Cyber events may require additional participants and workstreams, but using familiar, well-tested procedures can ensure a more seamless response.
Conduct tabletop exercises (TTXs). Very few cyber incidents follow a script, of course. Nevertheless, it’s important to test all plans well in advance of any incident. As part of this testing, a hospital should conduct TTXs so that senior executives, the CMT, and the CSIRT can develop the necessary knowledge and muscle memory to respond effectively in the event of an attack, when they may have only minutes to make decisions. They can use the opportunity to rehearse restoring from backups, contacting law enforcement, issuing press releases, and keeping patient care operations running.
This also means that hospitals need to determine ahead of time who should have the authority to make monumental decisions, such as shutting down the network. It’s essential to delegate this authority to someone who can make those decisions without fear of recrimination. And everyone on the CMT and the CSIRT should have at least one delegate with full authority to act in their absence.
Conducted properly, these TTXs will uncover gaps well before an incident occurs.
To ensure their systems are protected from cyber threats over the long haul, hospitals need to consider six strategic imperatives:
This approach also makes it easier to design secure software in a uniform way across the entire organization. Not only will development costs be lower as a result, but operating costs will be, too, since operations and maintenance processes are the same for many applications. Training costs will also be lower, and security and operations teams will be more efficient and effective.
As the pandemic has so vividly demonstrated, health care provider systems and hospitals need to make cybersecurity a top priority today. The health and well-being of the patients they serve depend on it.
© Boston Consulting Group 2024. All rights reserved.