The Department of Health and Human Services’ Cybersecurity Task Force has released new resources to assist healthcare and public health (HPH) sector fight the increasing number of cyberattacks on the sector and enhance their cybersecurity posture.
There is a new online educational platform with free cybersecurity training that HPH organizations can use to increase the security awareness of employees. There is an updated version of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, which talks about the major cyber threats encountered by the HPH sector, and a report on the present status of cybersecurity readiness of hospitals, measured versus the NIST Cybersecurity Framework.
The online training platform is called Knowledge on Demand. It is the first platform by the HHS that offers free cybersecurity training. There are training materials to address the following threats to the HPH sector:
- Social engineering
- ransomware
- loss/theft of computer equipment
- accidental and malicious insider data loss
- attacks on network-linked medical devices
The platform has PowerPoint slides, videos, and job aids. With these training materials, HPH organizations will have guidance in satisfying the security awareness training requirements as mandated by the HIPAA Security Rule.
The HCIP publication has been updated to adapt to any size of healthcare organization. It includes best practices in security and resources that help healthcare companies to be ready to defend against cybersecurity threats and keep patients safe. The five key threats are addressed in the Knowledge on Demand training material.
The 405(d) Task Group developed this 47-page document and over 150 industry and federal professionals updated it. It contains information about the best measures to combat HPH sector cybersecurity threats and protect patients. There are two technical volumes that explain the 10 cybersecurity practices and sub-practices for fighting these threats. Volume 1 is developed for small healthcare companies, while volume 2 is created for medium and large healthcare companies.
The 405(d) Program conducted the Hospital Cyber Resiliency Landscape Analysis to review the present condition of cybersecurity at hundreds of hospitals and evaluate their readiness, capabilities and resiliency in addressing cyber threats. The document looks at the tactics, techniques, and procedures that cyber threat actors are presently using to breach U.S. hospitals and cause operational problems for financial profit. The results are benchmarked against particular practices discussed in the HCIP. The document points out best practices and ways to enhance cyber resiliency
Ongoing Challenges in Healthcare Cybersecurity
The healthcare sector still experience a lot of cyberattacks as well as data breaches. Healthcare companies have strengthened their cybersecurity plans, nevertheless, they still have many challenges. Their biggest challenge is not having enough cybersecurity staff. That was mentioned as the primary hindrance to strong cybersecurity by 61% of healthcare cybersecurity experts in-charge of daily operations or oversight of healthcare cybersecurity programs who responded to the 2022 HIMSS Healthcare Cybersecurity Survey.
The biggest challenge worldwide is hiring of cybersecurity professionals. Because of the high demand for staff, qualified cybersecurity experts can choose the employers they like. About 84% of respondents stated they find it difficult to hire skilled employees. Considering the high demand for employees, 55% of respondents stated that an insufficient budget for hiring staff was a problem, while 43% of respondents stated that non-competitive compensation was a problem.
Retaining skilled cybersecurity experts is also a problem according to about 67% of respondents. That is not surprising since cybersecurity experts are a prized commodity. The survey showed that the cybersecurity staff also lack training to keep them updated on the most recent threats. 61% of survey respondents said there is no time given to continuing cybersecurity training. 42% of survey respondents stated companies didn’t subsidize the cost (22%) or did not give enough subsidy for the cost (20%). What is disconcerting is that with substantial phishing used in healthcare cyberattacks, just 89% of cybersecurity experts are trained how to detect and mitigate phishing attacks, and just 47% are trained on how to identify and mitigate insider threats.
The IT department is not the only one responsible for cybersecurity. Each one in the company has a role in cybersecurity, yet the workforce is not provided this kind of training . 91.8% of survey respondents stated that technology staff get security awareness training; 69% said clinicians get security awareness training: 44% said contractors get trained, and 29% stated vendors get trained.
Besides staffing challenges, 51% of respondents state that insufficient budget is hindering cybersecurity enhancements. Only 51% of respondents reported the cybersecurity budget of their company increased from 2021 to 2022, while about 7% saw a decline in their budget. Although some healthcare companies set aside about 10% of their IT budget to cybersecurity, usually only about 6% of the IT budget are used for cybersecurity.
Other major problems to strong cybersecurity were
- 45% said not enough data inventory that show the data held and its location
- 38% said not enough data classification
- 31% said not enough teamwork in the company
- 31% said policies and procedures fail to reflect present practices
- 23% said not enough executive buy-in
With regards to phishing defense, only 9.4% of respondents said they have phishing-resistant multi-factor authentication (passwordless) set up. It’s such a low number despite CISA’s calls to set up phishing-resistant multi-factor authentication. 57% of respondents still use the basic single-factor authentication.
Though the survey indicates that there are cybersecurity improvements being done at healthcare companies due to the high level of threat, there are still a lot of hurdles to overcome. Perhaps it’s unlikely to resolve the problem of recruitment in the near future, there is something that healthcare companies could do to get the cybersecurity staff needed with additional support.