It seems as though we read about another healthcare organization falling victim to a cyber attack every week. It doesn’t matter if you’re an urban, rural, large or small healthcare entity or if you’re a nursing home or a hospital. In the world of cybersecurity, you are a target.

The latest research suggests that protected health information (PHI) sells for an average of $250 per record and can reach up to $1000 per record. We’ve now progressed from the “it won’t happen to us” approach to the reality of “when it happens to us.”

This may have nursing homes wondering whether they have taken the necessary steps to protect PHI and to ensure their incident response (IR) plans are viable, tested and thorough. It has also led to discussions about how we should be protecting PHI, and whether the incident response plan is the same thing as our disaster recovery plan.

In March 2023, the Department of Health and Human Services (HHS) issued a concept paper on healthcare cybersecurity. In it, HHS described its strategy by introducing four pillars designed to provide a framework for strengthening cybersecurity and awareness. The pillars:

  • Establish voluntary cybersecurity performance goals (CPG)
  • Provide resources to incentivize implementation of stronger cybersecurity protocols and practices
  • Develop new enforceable cybersecurity standards through greater regulatory enforcement and accountability
  • Expand and mature HHS’s one-stop shop offerings for healthcare sector cybersecurity

The voluntary CPG pillar is split into two types of goals: Essential Goals and Enhanced Goals. For the purpose of this discussion, we’re going to focus on the Essential Goals. 

Although they are currently voluntary, the Essential Goals set a minimum level of standards for healthcare organizations to follow.

  • Mitigate known vulnerabilities: Ongoing mitigation of known vulnerabilities reduces the threat of a system exploitation.
    • This reduces the risk of zero-day vulnerabilities, as we have seen throughout healthcare this past year. It also helps mitigate the risk of easy entry by threat actors. Keeping systems, especially legacy systems, updated in a timely manner is critical. 
    • Developing a policy, with regular review and accountability, for ongoing, timely remediation of known vulnerabilities is a best practice. 
  • Email security: Protecting email accounts from unauthorized access.
    • Social engineering and email compromise are known attack vectors. 
    • Labeling external emails as such is a cost-effective approach that motivates users to pay attention.
    • Ongoing education of all staff on social engineering tactics and attempts like thread-jacking and business email compromise is important.
  • Multi-Factor Authentication (MFA): Adding a second layer of authentication beyond a password.
    • While not fool-proof, MFA thwarts a large percentage of attacks and helps mitigate risk.
    • Ongoing education for all staff on social engineering tactics and attempts, such as MFA fatigue, is also important.
  • Basic cybersecurity training: Ongoing educational training for employees to recognize risk and practice secure behaviors.
    • Like all professional development, security awareness training, especially on emerging threats like AI and deepfakes, is essential.
    • To be effective, professional development must be ongoing and job-embedded.
    • Simulated phishing tests can also be used to show empirically that the user base is improving.
  • Strong encryption: Protecting confidential information at rest and when transmitted.
    • Encryption is essential on both the sending and receiving end, as well as in transit.
    • This blocks threat actors’ access to PHI and related critical confidential information. 
    • Careful evaluation of vendors providing these tools is key, as well as maintaining regular inspection and patching. 
  • Revoking credentials for departing workforce members, including employees, contractors, affiliates and volunteers: Removing credentials for anyone who no longer requires access to systems and applications.
    • Timely offboarding of prior employees who still have access, hardening password management policies and blocking the re-use of passwords are all critical.
  • Basic incident planning and preparedness: Developing and practicing a plan should a cyber incident be discovered. A disaster recovery plan is not an incident response plan.
    • Breaches are most likely inevitable, but not all breaches are created equal.
    • The difference between one that causes long-term harm and one that is quickly remediated in a time of crisis depends on proper preparation.
    • Undergoing IR Planning, developing an IR playbook and practicing real-life simulations works like a fire drill would for children in school and reduces risk. 
  • Unique credentials: Ensuring the correct users have access to the right functions needed to do their jobs.
  • Separate user and privileged accounts: Privileged accounts are created for those who may require administrative rights to the network or application.
    • Having a zero-trust methodology for central admin accounts and requiring additional verification is critical to avoid escalation of privilege.
    • These approaches can be implemented through network configuration and layers of security with independent and additional verification requirements.
  • Vendor/supplier cybersecurity requirements: Creating and ensuring compliance with cybersecurity standards for business associates. Cyber requirements may vary based on the services procured.
    • Holding third-party vendors accountable to the same or similar controls as your own clearly reduces risk and is a best practice. To earn your business, they must invest in protecting their brand and yours.
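The "revoking credentials" and "separate user and privileged accounts" goals above are the two most mechanical to check. The following Python script is an added example, not code from the column or from Konica Minolta: it reconciles a constructed directory export against a constructed HR roster and reports accounts whose owner has separated or is unknown, logins that occurred after a separation date, accounts idle past a threshold, and privileged accounts whose owner has no separate standard account. The roster, account list, field names and the 90-day idle threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str          # identifier of the workforce member the account belongs to
    privileged: bool       # True for admin/privileged accounts
    last_login: date


# Constructed sample data (hypothetical; not from any real system).
# HR roster: workforce member id -> separation date, or None if still active.
HR_ROSTER: Dict[str, Optional[date]] = {
    "p001": None,                 # active employee
    "p002": date(2024, 3, 1),     # separated in March
    "p003": None,                 # active employee
    "p004": date(2024, 6, 15),    # separated recently
    "p005": None,                 # active employee
}

# Constructed account inventory, as exported from a directory.
ACCOUNTS: List[Account] = [
    Account("jsmith",     "p001",  False, date(2024, 6, 20)),
    Account("jsmith-adm", "p001",  True,  date(2024, 6, 18)),
    Account("mjones",     "p002",  False, date(2024, 2, 28)),  # owner separated
    Account("svc-backup", "ctr-9", False, date(2024, 6, 1)),   # owner not on roster
    Account("rlee-adm",   "p003",  True,  date(2024, 6, 19)),  # privileged only
    Account("tnguyen",    "p004",  False, date(2024, 6, 16)),  # login after separation
    Account("dormant",    "p005",  False, date(2024, 1, 10)),  # active owner, idle
]


def _owner_active(owner_id: str, roster: Dict[str, Optional[date]], as_of: date) -> bool:
    """An owner is active only if on the roster with no separation date on or before as_of."""
    if owner_id not in roster:
        return False
    separated = roster[owner_id]
    return separated is None or separated > as_of


def accounts_to_revoke(accounts, roster, as_of: date) -> List[str]:
    """Accounts whose owner has separated or is not a known workforce member."""
    return sorted(a.username for a in accounts if not _owner_active(a.owner_id, roster, as_of))


def logins_after_separation(accounts, roster, as_of: date) -> List[str]:
    """Accounts used after the owner's separation date: access that should already be gone."""
    found = []
    for a in accounts:
        separated = roster.get(a.owner_id)
        if separated is not None and separated <= as_of and a.last_login > separated:
            found.append(a.username)
    return sorted(found)


def stale_accounts(accounts, roster, as_of: date, max_idle_days: int = 90) -> List[str]:
    """Accounts with an active owner that have not been used within max_idle_days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if _owner_active(a.owner_id, roster, as_of) and a.last_login < cutoff)


def privileged_without_standard(accounts) -> List[str]:
    """Privileged accounts whose owner has no separate standard (daily-use) account."""
    owners_with_standard = {a.owner_id for a in accounts if not a.privileged}
    return sorted(a.username for a in accounts
                  if a.privileged and a.owner_id not in owners_with_standard)


def review_accounts(accounts, roster, as_of: date, max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Run every check and return the findings keyed by category."""
    return {
        "revoke": accounts_to_revoke(accounts, roster, as_of),
        "post_separation_login": logins_after_separation(accounts, roster, as_of),
        "stale": stale_accounts(accounts, roster, as_of, max_idle_days),
        "privileged_without_standard": privileged_without_standard(accounts),
    }


if __name__ == "__main__":
    for category, usernames in review_accounts(ACCOUNTS, HR_ROSTER, date(2024, 6, 21)).items():
        print(f"{category}: {', '.join(usernames) or 'none'}")
```

Running it on the constructed data flags "tnguyen" twice: once for revocation and once because the account was used the day after the owner's separation date, which is the kind of gap a timely offboarding process is meant to close. In practice the roster would come from the HR system and the account list from the directory, and the review would run on a schedule rather than by hand.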

The value of PHI has made healthcare the number one target for cyberattacks. However, other factors also play a role. It is not simply about protecting PHI data that resides on-premises inside your network. The nature of healthcare requires the sharing of PHI between entities, which means data is in motion and gives attackers a greater opportunity to exploit it.

Healthcare providers may also lack the technical and financial resources to keep pace with the ever-changing cyber threats. Staffing shortages and the lack of cybersecurity training for all employees add to the challenge of protecting PHI.

The CPGs are a good start, but the responsibility ultimately remains with each healthcare provider to create a thorough cyber strategy to protect PHI from constantly evolving and sophisticated cyber criminals. 

David Mauro is the national manager, cybersecurity and compliance services for Konica Minolta. He has served as a CIO and managing director for private and public companies with a background in risk management and legal compliance. David holds a Juris Doctorate Law Degree from Loyola University.

Brian Nowak is a healthcare regional account executive for Konica Minolta. He has held senior leadership positions with Fortune 500 companies and has a background in business development, operations and compliance. Brian earned his MBA in Finance from Loyola University.

The opinions expressed in McKnight’s Long-Term Care News guest submissions are the author’s and are not necessarily those of McKnight’s Long-Term Care News or its editors.
