Editor’s Note: Retired General Keith Alexander is the CEO of IronNet and Adrian Mayers is the Chief Information Security Officer at the non-profit health insurance company Premera Blue Cross.
With a mine of valuable patient information and a low tolerance for downtime, the healthcare industry continues to be hit hard by cyberattacks. Healthcare suffers the highest average cost of a breach for any industry, a figure that has increased 42% since 2020. This is painful.
We can – and should – do better to stem the impact of relentless cyberattacks on the healthcare sector, especially when most organizations are essentially victims of well-funded cybercrime carried out by highly organized cybercriminal groups and nation-state attackers (e.g. Korea).
With the digital transformation taking place across the industry, encompassing an endless network of vendors and third-party providers, the healthcare ecosystem is a target-rich environment for adversaries. We all know they’re primarily looking for protected health information that can fetch about $1,000 per record on the dark web (compared to about $5 per credit card number and $1 per Social Security number), according to Experian.
Despite this backdrop, the investment in protecting non-patient IT infrastructure is typically lower than in other industries, even though the ultimate impact may directly compromise patient care. In addition, many healthcare organizations are not adequately staffed for security risks commensurate with their environment.
How can we tip the balance in our favor? The answer: Take a “whole-health” approach to cybersecurity to scale your cyber defense.
The days of defending yourself are over
The entire healthcare ecosystem needs to be stitched together to enable not only better advocacy for any given organization, but a stronger collective advocacy for the industry at large. This means enabling healthcare professionals, payers, and even employers involved in group healthcare programs to collaborate in real time to defend the healthcare ecosystem at scale.
We call this strategy a “total” approach to cybersecurity, an approach based on two-way trust so that all stakeholders can lean in, together, to share real-time threat intelligence as cyberthreats are forming (e.g., as the command and control infrastructure, or C2, is being set up, well before the attack itself occurs). As an industry, we must also be open to sharing anonymized threat data with the government when needed, so that it can act on critical cyberthreats detected on private sector networks.
For this approach to be successful, the healthcare industry must overcome its systemic fear of sharing threat data, a legitimate fear fueled by stringent data privacy regulations and compliance requirements.
It is important to realize that cybersecurity threat sharing is based on completely anonymous data. This is the easy part handled by technology. Cyberthreats on networks can be detected using behavioral analytics, without the need for corporate or personally identifiable information. This level of security applies to businesses and organizations with on-premises, cloud-based, or hybrid network environments.
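As an added illustration of the two claims above (this is example code, not from the article or from IronNet or Premera), the block below flags a beaconing pattern in a handful of constructed flow records using only timing behavior, and then builds the record that would be shared with the community: the external destination and the behavior stay, the username is never read, and the internal host is replaced with a keyed pseudonym. The flow format, the thresholds, and the organization key are assumptions.

```python
"""Added example (not from the article or IronNet/Premera): behavioral
beacon detection on constructed flows, then an anonymized share record."""
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample flows: (timestamp_s, internal_host, username, destination).
# The first host connects to one destination roughly every 60 s (beacon-like);
# the second host's connections are irregular.
FLOWS = [
    (0, "10.1.2.3", "jdoe", "198.51.100.7"),
    (60, "10.1.2.3", "jdoe", "198.51.100.7"),
    (121, "10.1.2.3", "jdoe", "198.51.100.7"),
    (180, "10.1.2.3", "jdoe", "198.51.100.7"),
    (241, "10.1.2.3", "jdoe", "198.51.100.7"),
    (5, "10.1.2.9", "asmith", "203.0.113.4"),
    (900, "10.1.2.9", "asmith", "203.0.113.4"),
    (915, "10.1.2.9", "asmith", "203.0.113.4"),
    (3000, "10.1.2.9", "asmith", "203.0.113.4"),
]

def find_beacons(flows, min_count=4, max_cv=0.1):
    """Return (internal_host, dst, mean_interval) for connection series whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv).
    Periodicity is a property of the traffic itself, so no user data is needed."""
    series = defaultdict(list)
    for ts, host, _user, dst in flows:      # the username is never consulted
        series[(host, dst)].append(ts)
    hits = []
    for (host, dst), stamps in series.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((host, dst, mean))
    return hits

def to_shareable(hit, org_secret):
    """Build the record handed to the sharing community: keep the external C2
    candidate and the behavior; replace the internal host with an HMAC-based
    pseudonym (org_secret is a constructed, per-organization key) so peers can
    correlate repeat sightings without learning which host was involved."""
    host, dst, mean = hit
    token = hmac.new(org_secret, host.encode(), hashlib.sha256).hexdigest()[:16]
    return {"dst": dst, "pattern": "periodic", "interval_s": round(mean),
            "source_token": token}
```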
The tough part is working through the long-standing trepidation that sharing the information will lead to compliance penalties for the reporting organization. This is why the language in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 on protecting private entities that share information about cyber threats is so important: it sheds light on what threat sharing really means for healthcare and, most importantly, reformulates the relationship between public and private entities. We have to make this collective mindset shift.
A “whole-health” approach to cybersecurity complements Health-ISAC’s current efforts, as it adds to the mix both actionable attack intelligence on new and emerging threats and a radar-like, real-time picture of the threat landscape.
Let’s create a “phalanx of capabilities”
This approach creates a “phalanx of capabilities” that allows the sector to defend itself at scale.
We draw this analogy from military campaigns, which depend on the convergence of specialized capabilities such as battlefield intelligence, special operations intelligence, expertise in multi-weapon operations, and more. In cyberspace, when you start thinking about creating a phalanx of capabilities, your ability to achieve your objective and mission success increases exponentially, making it much more difficult for the adversary to degrade mission objectives.
In addition to leveraging the pooled expertise and resources of a collective advocacy community for health care, this phalanx requires layering the capabilities of public sector and government to complement private sector insights. By tapping into this phalanx, a global cybersecurity community helps all stakeholders understand the shared outcome: collective defense for the betterment of industry and the nation.
Leaving no health entity
A collective advocacy community that brings together payers, providers, and employers changes the overall adversarial calculus with respect to health care, especially for small and medium-sized organizations that face ongoing resource constraints. They are able to capitalize on the collective’s scale by leveraging the experience of hands-on analysts from larger, better-resourced organizations. As Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council’s Cybersecurity Working Group, recently said at the HIMSS Healthcare Cybersecurity Forum, “None of us individually are as smart as all of us collectively.”
This comprehensive approach creates a sort of cyber-peloton that draws in those who may not be as cyberstrong as the pack leaders, cutting through headwinds so everyone can ride past opponents as a collaborative group with an eye on the same goal: better defense.
Collective cybersecurity comes back to protecting patient care
Cybersecurity is not a computer problem. It is an integral part of a healthcare organization’s ability, whether it is a provider, payer or employer, to deliver high-quality patient care while keeping data safe and secure. A member of the US Health and Human Services Cyber Task Group, CIO David Finn isolated this particular challenge: “Cybersecurity is still considered a security and IT ‘issue’. While we are making progress in this area, the industry has been slow to recognize that this is a business risk issue,” he said, adding that “security does not understand or suffer the impacts of an attack.”
Acting now is imperative. Collective defense is no longer optional for the health sector. We need public and private collaboration across the provider-payer-employer ecosystem if we are to have any fighting chance against cyber adversaries. Don’t put off this critical health care cyber health check any longer.