Droves of nameless and faceless hackers attack the U.S. healthcare industry every day. According to alerts from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency, strikes against “healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments” intended to steal personal data and intellectual property are increasing. Whether independent operators, organized crime groups, or nation states, these malicious actors force victims to constantly test, reinforce, and maneuver digital shields to protect patient health data and corporate intelligence.
The “whys” include the desire to steal COVID-19 vaccine research, financial gain, and ease. The growing use of mobile medical devices complicates cybersecurity, as many are utilized prior to the installation of security features. In January 2019, the International Data Corporation (IDC) predicted global spending on Internet of Things (IoT) devices to sustain double-digit annual growth through 2022. The IDC and Deloitte forecasted the healthcare industry to experience compound growth within these aggressive projections.
As stated by former President Theodore Roosevelt, “[c]omplaining about a problem without proposing a solution is called whining.” Aside from utilizing information security professionals and high-end software, two overlooked solutions are: 1) information sharing with law enforcement and private information sharing analysis centers (ISACs); and 2) implementing policies to mitigate insider threats.
Beginning in 1998, critical infrastructure sectors formed ISACs to rapidly share threat information on a 24/7 basis. The Information Sharing and Analysis Organization Standards Organization recognizes four ISACs devoted to healthcare, wherein members treat cybersecurity like a game of dominoes – one falls, others may follow.
While communicating delicate information outside an organization invites a negative knee-jerk reaction, Louisiana and federal law provide protections. The Louisiana Cybersecurity Information Sharing Act, La. R.S. 51:2101 et seq., and the federal Cybersecurity Information Sharing Act of 2015, 6 U.S.C.A. § 1501 et seq., provide legal protections to entities and individuals that lawfully share cyber threat indicators and defensive measures with certain public and private entities.
A victimized business may share cyber threat information with the Louisiana State Analytical and Fusion Exchange (LA-SAFE) (part of Louisiana State Police), the Federal Bureau of Investigation, ISACs, or other approved organizations while maintaining legal privileges. A disclosing entity may also enjoy statutory immunity from certain causes of action, regulatory actions, and enforcement actions. Sharing indicators of compromise (IOCs) with such entities, public or private, can elicit successful defensive measures and identifiers for malicious code.
In addition to information sharing, internal policies effectively combat threats. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), cybersecurity breaches and incidents in the healthcare sector increased by 53% last year, attributable to insider threats and hackers in nearly equal proportions.
Insider threats, security risks that originate from within an organization, range from employees who open phishing emails to disgruntled employees selling proprietary information. For hospitals, which regularly use contracting services, the possible sources of insider threats grow substantially.
Difficult to spot or predict, insider threats require the routine enforcement of strict access control, equipment use, and employee termination policies. Although they are best practices for any organization, such policies are supremely important in healthcare, as state and federal laws regulate the privacy and security controls of the data.
Access control policies clearly delineate each employee’s authorized area of operation within the network – in short, what files he or she can or cannot access. Combined with equipment use policies, which should permit the employer to virtually monitor its employees, prohibit the use of personal devices, and oversee inter-company communications, access controls alert IT staff to employees misusing privileges. Attempts to view unauthorized data may signal the presence of an insider threat and/or require the removal of an employee.
Each time an employee is either terminated or decides to leave, a termination policy should notify the IT staff, enabling them to timely revoke employee credentials for network access (remote and direct) and preserve electronically stored records. Without adequate notice of a termination, the IT staff cannot prevent the terminated employee from tampering with patient records or installing malware. Working with legal counsel in developing and drafting such policies brings the benefit of attorney-client privilege.
By reducing insider threats and sharing information with other entities committed to cybersecurity, healthcare entities can significantly reduce vulnerabilities. Legal counsel, management, and information security professionals can collaborate to build effective internal defenses.
CISA Alert (AA20-126A), APT Groups Target Healthcare and Essential Services.
Marcus Torchia and Michael Shirer, “IDC Forecasts Worldwide Spending on the Internet of Things to Reach $745 Billion in 2019, Led by the Manufacturing, Consumer, Transportation, and Utilities Sectors,” January 9, 2019.
Greg Reh, “Eight IoT barriers for connected medical devices…and how to overcome them,” August 14, 2018.
Verizon 2020 Data Breach Investigations Report, pp. 54-55.