Get Ahead of New Healthcare Cybersecurity Standards

MarketScale
MarketScale
Jul 12, 2022

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required hospital networks, clinics, and research institutes to meet strict healthcare cybersecurity standards. But complying with the new Strengthening American Cybersecurity Act may be a whole new level of challenge.

The bill, enacted on March 15, takes a carrot and stick approach to security. It comprises three distinct acts. The Federal Information Security Modernization Act of 2022 and the Federal Secure Cloud Improvement and Jobs Act of 2022 could be described as carrots. They encourage covered entities to be proactive in improving their resilience to attacks. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is more of a stick. It stipulates harsher sanctions for breach notifications.

The rulemaking process, conducted by the Cybersecurity and Infrastructure Agency (CISA), is yet to begin in earnest. Accordingly, the extent of the law’s coverage is unclear. Currently only federal agencies and operators of critical infrastructure are definitely covered. However, the “Healthcare and Public Health Sector” is one of CISA’s 16 previously earmarked critical sectors. So the Strengthening American Cybersecurity Act will likely usher in new healthcare cybersecurity standards. The sooner they come, the better, given how the threat landscape is evolving.

Stricter Reporting Is Likely

Among the most stringent compliance requirements in the new Act is the focus on making cyberattack reporting faster and more detailed. The law requires covered entities to notify CISA within 72 hours of a breach occurring. When ransom payments are made, organizations must tell CISA within 24 hours. (Read The Life-Threatening Rise of Ransomware in Healthcare.) Reports to CISA must be detailed and provide information about how the incident happened and which security controls were in place.

Healthcare providers are familiar with the need to report certain types of HIPAA breaches. Indeed many have been busy instituting procedures to notify Protected Health Information (PHA) exposure within 60 days to comply with the most recent version of the law. However, few organizations are likely ready for the swift response reporting stipulated by the Strengthening America Cybersecurity Act.

HIPAA is designed to secure PHA only. The reporting requirements in the Strengthening America Cybersecurity Act are much broader. And the new law’s definition of a cybersecurity incident is still unclear. What is clear is that covered organizations must respond to cyberattacks much faster than they do now.

Unfortunately, when responding to security incidents healthcare organizations perform exceptionally poorly. A cross-sectoral study by Immersive Labs found health care organizations received an average cyber incident performance score of only 18 percent. This was the worst of any sector in the study. (Read The Top Three Weaknesses in Healthcare Cybersecurity.)

Stopping Attacks Is the Best Way to Beat Reporting Requirements

The best way to reduce the stress of reporting requirements is to stop breaches in the first place. Regrettably, preventing attacks is also something healthcare organizations are poor at. Last year almost 1 in 2 residents in many US states had their personal healthcare information exposed by a cyberattack.

Tighter healthcare cybersecurity standards may bring increased risk of legal action. And the average healthcare data breach already costs over $9 million and takes 75 days to contain.

Healthcare’s poor record at stopping and reporting attacks is partly a product of culture. Cybersecurity has traditionally been under-prioritized. Even in 2021, with ransomware attacks on healthcare soaring, a ComputerWeekly report showed barely 1 in 10 hospital executives prioritized cybersecurity.

Another part of the recently passed law, the Federal Information Security Modernization Act of 2022, sets out a framework for changing this status quo. This act requires covered organizations to implement a range of preventive cybersecurity measures. Implementing zero-trust architecture may soon become mandatory.

The Case for Zero-Trust in Healthcare

Taking a zero-trust approach to security essentially means no network entity is automatically assumed to be safe, even after initial verification. This approach is urgently required within healthcare.

Providing care to patients means healthcare organizations offer threat actors an immense range of attack vectors. These are both technological and human. With endpoint numbers soaring, it’s chilling to note more than half of healthcare IoT devices host a known unpatched vulnerability. No less unsettling is that almost a quarter of healthcare staff have not received any security awareness training.

Healthcare organizations can’t overcome these inherent and long-standing vulnerabilities by plastering over cracks. Instead of trusting verified endpoints and devices, organizations need a security strategy that never trusts anything or anyone connected to its network. Making this happen is part technological and part cultural.

The obvious challenge of implementing zero-trust in healthcare is how to balance healthcare professionals’ operational requirements with tighter security controls. Healthcare professionals and hospital staff need to access patient data effortlessly. In many cases, security controls that get in the way can be dangerous to patient health.

Security teams must work with practitioners and administrators to develop authentication procedures and policies that fit real-world scenarios to overcome these obstacles.

In healthcare, an effective zero-trust strategy is one that strikes a balance between accessibility and security.  Zero-trust technology protects hospital networks from malicious code execution and provides deterministic protection without impacting performance or straining networks.

With Regulation Looming, Don’t Delay Security Improvements

We don’t yet know precisely what the Strengthening American Cybersecurity Act requires of healthcare organizations. By the time the rulemaking process finishes, CISA may choose to apply a different version of the law’s current statutes.

However, it’s clear regulators will ask more of healthcare organizations’ cybersecurity. Zero-trust architecture is a central part of the security improvements federal regulators will require for healthcare organizations.

Learn more about how zero-trust architecture and Moving Target Defense protects against the advanced cyberthreats healthcare needs to defend against. Read the white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.

Follow us on social media for the latest updates in B2B!

Image

Latest
DJI Matrice M30 Series: Unveiling a New Era in Public Safety & Inspections
December 22, 2024

Dive into the latest episode of Drone Dispatch with Connor Smith from Exertis Almo as he unveils DJI’s formidable Matrice M30 series. This video peels back the layers on the M30 series’ upgraded features, its practical applications in public safety and infrastructure inspection, and offers essential tips for dealers. Witness how this weatherproof workhorse outperforms…

Read More
drone technology
Cutting-Edge Drone Technology Unfolded in New Video
December 22, 2024

Curious about how expert-guided drone solutions can revolutionize your operations? Tune into our latest video where we unpack the power of full-solution drone distribution. From handpicking the finest products to seamless deployment and unwavering support, we cover it all. Witness how pivotal industries like public safety and energy are gaining mileage with our customized solutions.

Read More
Direct View LEDs, Milk Holidays, and Gaming Chair Woes: AV Antics Unplugged
December 22, 2024

Curious about the latest in AV technology and industry insights? In Episode 4 of the AV Antics Podcast, we dive into the buzz (or lack thereof) from InfoComm, with a focus on the rise of Direct View LED technology and its impact on the market. Along the way, we explore the challenges of innovation, reminisce…

Read More
Unlocking Business Synergy: The Role of Category Managers
December 22, 2024

Dive in and explore the influential role of category managers in shaping successful business development strategies. Witness how they seamlessly coordinate with diverse suppliers — from audio and video companies to LED manufacturers — embodying the ‘quarterbacks’ of industry advancement. Their unique role is not only multifaceted but also a powerful symbol of value addition….

Read More
Related
Software & Technology
Erin Osbourne at CHIME Fall Forum
December 18, 2024
chime fall forum
Healthcare
Jesse Folds at CHIME Fall Forum
December 18, 2024

Jesse Folds, Director of IT Operations and Cybersecurity at Opelousas General, discusses the growing focus on zero trust policies, cybersecurity, and the challenges of understaffed IT departments in healthcare. He highlights the importance of vendor partnerships that understand budget cycles and emphasizes shifting ROI metrics toward improving patient satisfaction and equipping nurses with tools to…

Read More
chime fall forum
Healthcare
Ryan Thousand at CHIME Fall Forum
December 18, 2024

Ryan Thousand, CIO of Dahl Memorial Healthcare in rural Montana, discusses the unique challenges and opportunities of leading a critical access hospital in a small community. From leveraging AI and strategic partnerships to enhance patient care and operational efficiency, to his decision to join the Panda Health family for its vendor-agnostic, community-driven approach, Ryan shares…

Read More