Get Ahead of New Healthcare Cybersecurity Standards

MarketScale
MarketScale
Jul 12, 2022
Share this post

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required hospital networks, clinics, and research institutes to meet strict healthcare cybersecurity standards. But complying with the new Strengthening American Cybersecurity Act may be a whole new level of challenge.

The bill, enacted on March 15, takes a carrot and stick approach to security. It comprises three distinct acts. The Federal Information Security Modernization Act of 2022 and the Federal Secure Cloud Improvement and Jobs Act of 2022 could be described as carrots. They encourage covered entities to be proactive in improving their resilience to attacks. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is more of a stick. It stipulates harsher sanctions for breach notifications.

The rulemaking process, conducted by the Cybersecurity and Infrastructure Agency (CISA), is yet to begin in earnest. Accordingly, the extent of the law’s coverage is unclear. Currently only federal agencies and operators of critical infrastructure are definitely covered. However, the “Healthcare and Public Health Sector” is one of CISA’s 16 previously earmarked critical sectors. So the Strengthening American Cybersecurity Act will likely usher in new healthcare cybersecurity standards. The sooner they come, the better, given how the threat landscape is evolving.

Stricter Reporting Is Likely

Among the most stringent compliance requirements in the new Act is the focus on making cyberattack reporting faster and more detailed. The law requires covered entities to notify CISA within 72 hours of a breach occurring. When ransom payments are made, organizations must tell CISA within 24 hours. (Read The Life-Threatening Rise of Ransomware in Healthcare.) Reports to CISA must be detailed and provide information about how the incident happened and which security controls were in place.

Healthcare providers are familiar with the need to report certain types of HIPAA breaches. Indeed many have been busy instituting procedures to notify Protected Health Information (PHA) exposure within 60 days to comply with the most recent version of the law. However, few organizations are likely ready for the swift response reporting stipulated by the Strengthening America Cybersecurity Act.

HIPAA is designed to secure PHA only. The reporting requirements in the Strengthening America Cybersecurity Act are much broader. And the new law’s definition of a cybersecurity incident is still unclear. What is clear is that covered organizations must respond to cyberattacks much faster than they do now.

Unfortunately, when responding to security incidents healthcare organizations perform exceptionally poorly. A cross-sectoral study by Immersive Labs found health care organizations received an average cyber incident performance score of only 18 percent. This was the worst of any sector in the study. (Read The Top Three Weaknesses in Healthcare Cybersecurity.)

Stopping Attacks Is the Best Way to Beat Reporting Requirements

The best way to reduce the stress of reporting requirements is to stop breaches in the first place. Regrettably, preventing attacks is also something healthcare organizations are poor at. Last year almost 1 in 2 residents in many US states had their personal healthcare information exposed by a cyberattack.

Tighter healthcare cybersecurity standards may bring increased risk of legal action. And the average healthcare data breach already costs over $9 million and takes 75 days to contain.

Healthcare’s poor record at stopping and reporting attacks is partly a product of culture. Cybersecurity has traditionally been under-prioritized. Even in 2021, with ransomware attacks on healthcare soaring, a ComputerWeekly report showed barely 1 in 10 hospital executives prioritized cybersecurity.

Another part of the recently passed law, the Federal Information Security Modernization Act of 2022, sets out a framework for changing this status quo. This act requires covered organizations to implement a range of preventive cybersecurity measures. Implementing zero-trust architecture may soon become mandatory.

The Case for Zero-Trust in Healthcare

Taking a zero-trust approach to security essentially means no network entity is automatically assumed to be safe, even after initial verification. This approach is urgently required within healthcare.

Providing care to patients means healthcare organizations offer threat actors an immense range of attack vectors. These are both technological and human. With endpoint numbers soaring, it’s chilling to note more than half of healthcare IoT devices host a known unpatched vulnerability. No less unsettling is that almost a quarter of healthcare staff have not received any security awareness training.

Healthcare organizations can’t overcome these inherent and long-standing vulnerabilities by plastering over cracks. Instead of trusting verified endpoints and devices, organizations need a security strategy that never trusts anything or anyone connected to its network. Making this happen is part technological and part cultural.

The obvious challenge of implementing zero-trust in healthcare is how to balance healthcare professionals’ operational requirements with tighter security controls. Healthcare professionals and hospital staff need to access patient data effortlessly. In many cases, security controls that get in the way can be dangerous to patient health.

Security teams must work with practitioners and administrators to develop authentication procedures and policies that fit real-world scenarios to overcome these obstacles.

In healthcare, an effective zero-trust strategy is one that strikes a balance between accessibility and security.  Zero-trust technology protects hospital networks from malicious code execution and provides deterministic protection without impacting performance or straining networks.

With Regulation Looming, Don’t Delay Security Improvements

We don’t yet know precisely what the Strengthening American Cybersecurity Act requires of healthcare organizations. By the time the rulemaking process finishes, CISA may choose to apply a different version of the law’s current statutes.

However, it’s clear regulators will ask more of healthcare organizations’ cybersecurity. Zero-trust architecture is a central part of the security improvements federal regulators will require for healthcare organizations.

Learn more about how zero-trust architecture and Moving Target Defense protects against the advanced cyberthreats healthcare needs to defend against. Read the white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.

Follow us on social media for the latest updates in B2B!

Image

Latest

sustainable building practices
Galvanized Steel Leads the Way in Sustainable Building Practices From Cost Savings to Environmental Benefits
April 22, 2024

As the construction industry navigates the complexities of sustainability and economic pressures, the role of galvanized steel has become increasingly pertinent in sustainable architecture. This material, celebrated for its durability and low environmental impact, is gaining attention amid global steel market fluctuations and rising demands for sustainable building practices. With significant shifts in manufacturing […]

Read More
Edge AI
The Winning Combination in Edge AI is Combining Cutting-Edge Hardware with Smart Software
April 22, 2024

As the world heads towards a technology-driven future, the integration of AI and edge computing is proving to be a game changer, particularly in the realm of IoT. These innovations are making it possible to process and analyze data where it’s collected, drastically reducing latency and enhancing real-time decision-making capabilities. The burgeoning field of […]

Read More
cloud environments
Rethink Everything: Modern Cloud Environments Demand a Fusion of New Security Architectures, Continuous Education and Educated Partnerships
April 22, 2024

As businesses increasingly transition to cloud environments, the conversation around cybersecurity has become more crucial. The shift from on-premise to cloud-based infrastructures offers notable benefits like scalability and cost savings, yet it introduces unique challenges and complexities in security management. The stakes are high, with a significant rise in cyber threats exploiting the vulnerabilities […]

Read More
Bullying, Suicide, and Society The Unseen Crisis in K-12 Education
April 22, 2024

In a recent episode of the Secured podcast hosted by Mike Matranga and Mike Monsive of ASAP Security Services, the tragic case of a transgender student named Nicks Benedict from Oklahoma grabbed national attention. Benedict, a 16-year-old who identified with he and they pronouns, died by suicide after a bullying incident at school. The […]

Read More
Related
Geek Squad
Software & Technology
It’s About Time Healthcare Had a Geek Squad
April 22, 2024
health equity
Healthcare
Rhythms of Change: A Mixtape for Health Equity
April 19, 2024

In today’s healthcare landscape, the focus on health equity signifies a collective awakening to the needs of historically underserved communities. Amidst this backdrop, a pertinent conversation unfolds about how to tailor and scale culturally competent care to address the disparities in health outcomes. Recent studies suggest marginalized groups face a multitude of barriers to […]

Read More
Healthcare
Healthcare-Focused High Schools Boost Career Mobility and Address Workforce Crises
April 18, 2024

In an innovative stride towards bridging the gap between education and career readiness, Bloomberg Philanthropies has initiated a pioneering project to integrate healthcare training within high school curricula across several American communities. This $250 million investment aims to cultivate a new generation of healthcare professionals by creating healthcare-focused high schools in collaboration with major healthcare […]

Read More