Healthcare Cybersecurity | News, Analysis, Insights - HIT Consultant
https://hitconsultant.net/tag/cybersecurity/
Last updated: Tue, 30 Apr 2024 22:39:22 +0000

Healthcare Cybersecurity: 5 Steps to Prepare for a Ransomware Attack
https://hitconsultant.net/2024/04/30/healthcare-cybersecurity-5-steps-to-prepare-for-a-ransomware-attack/
Tue, 30 Apr 2024 14:00:00 +0000
 Jim Broome, President and CTO, DirectDefense

It’s not a matter of if but when an organization will face a security incident. In 2023, the healthcare industry faced its toughest year, with over 124 million health records breached in a total of 725 hacking incidents, according to The HIPAA Journal. This trend shouldn’t come as a surprise given how hospitals and medical offices are relatively lucrative and easy targets for cyberattacks due to the combination of outsourced services and solutions, legacy systems, and varying degrees of network segmentation.

To make matters more challenging, the administration network and the patient care networks are likely run by different groups, yet both hold large volumes of patient information alongside interconnected third-party devices and outsourced operational functions, all of which must be kept secure. The administration side holds sensitive data such as personally identifiable information, credit card details, and medical records, making it an attractive target for attackers seeking to commit identity theft. Patient care networks, in contrast, may be breached through basic methods such as physical access or default credentials, especially in legacy environments like those built around Oracle databases that have been in production for years.

While hospitals meticulously plan for mass casualty events like natural disasters and service continuity, discussions around IT infrastructure and backup plans often take a back seat. In times of crisis, the priority remains on ensuring uninterrupted patient care, with incident response protocols emphasizing the continuation of primary services above all else. Despite the healthcare industry’s focus on business disaster and recovery response capabilities, many healthcare organizations have yet to extend the same level of preparedness to their basic infrastructure, including IT operations.

To stay ahead, healthcare organizations need to prepare proactively for security incidents, ransomware and business email compromise in particular, since both routinely lead to data exfiltration and further compromise of the victim environment. This starts with a comprehensive incident response plan that sets out procedures for detecting and handling an incident, restoring systems, and keeping operations running so that the impact of a breach is contained.


1. Understand Where Your External Access Weaknesses Lie

Insufficient network segmentation, coupled with integrated third-party systems, poses significant risk and creates weaknesses that attackers targeting critical infrastructure can exploit. While administrative networks are usually more modern and present a somewhat harder target, patient care networks, which are often outsourced and less modern, can be breached more easily. Accessing them can sometimes be as simple as following the service manual provided by the companies that maintain the medical equipment, or exploiting a known vulnerability. An up-to-date inventory of all third-party systems and vendors, including software and IT service providers, helps define responsibilities and understand contractual obligations; it is also the list you will work from when deciding whom to call and which systems to isolate during an incident.

When drafting your incident response plan, document communication strategies in detail and ensure you have the contractual right to review assets that a third party manages or owns. Where forensic review may be necessary, clearly outline the responsibilities tied to those contracts and set well-defined protocols in the plan. Some aspects of risk management and incident response can be standardized, but healthcare organizations must also tailor their approach to their specific needs.

2. Maintain Compliance with Cyber Risk Insurance

We’ve observed a concerning trend where cyber incidents are increasingly cited as the final blow leading healthcare providers to shut down operations, finding it more cost-effective to close operations than to pay fines and recover from the attack. 

When documenting your incident response plan, understand the terms and limits of your insurance policies to avoid gaps in coverage. Threat actors often seek out your cyber-insurance certificates and policies during the data exfiltration phase of an attack: knowing your payout limits lets them size the ransom demand and weakens your negotiating position. Keep these documents off general-purpose file shares, restrict who can read them, and make access to them a monitored event, so that a read by an unexpected account is an early signal that an intruder is already inside your network.
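As an added example (not code from the article or from DirectDefense), the following Go program shows what "monitoring access to those files" can look like in practice. It parses file-access audit records modelled on Windows Security event 4663 and raises an alert when the insurance folder is read by an account outside an allow-list, when an allowed account reads it outside business hours, or when any one account reads several policy documents in a short window, the pattern of an intruder staging files for exfiltration. The log format, folder path, account names, business hours and sample lines are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

const (
	ReasonNotAllowed = "insurance document read by an account outside the allow-list"
	ReasonOffHours   = "allowed account reading insurance documents outside business hours"
	ReasonBulkRead   = "bulk read of the insurance folder (possible staging for exfiltration)"
)
type Event struct { // one Windows 4663 object-access record flattened to text
	Time                     time.Time
	EventID, Subject, Object string // Subject: accessing account; Object: file path
}

type Alert struct{ Subject, Object, Reason string }
type Detector struct {
	ProtectedPrefix    string          // folder holding the insurance documents
	Allowed            map[string]bool // accounts expected to read it
	HourStart, HourEnd int             // business hours in UTC, [HourStart, HourEnd)
	BulkThreshold      int             // distinct files per account within BulkWindow
	BulkWindow         time.Duration
}

// parseEvent reads one "timestamp key=value ..." line (constructed format; paths without spaces).
func parseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return Event{Time: ts, EventID: kv["EventID"], Subject: kv["Subject"], Object: kv["Object"]}, nil
}

// Scan flags reads by non-allow-listed accounts, off-hours reads by allowed ones, and bulk reads.
func (d Detector) Scan(lines []string) []Alert {
	alerts, bySubject := []Alert{}, map[string][]Event{}
	for _, line := range lines {
		ev, err := parseEvent(line)
		if err != nil || ev.EventID != "4663" || !strings.HasPrefix(strings.ToLower(ev.Object), strings.ToLower(d.ProtectedPrefix)) {
			continue // malformed, not an object-access event, or outside the protected folder
		}
		if !d.Allowed[ev.Subject] {
			alerts = append(alerts, Alert{ev.Subject, ev.Object, ReasonNotAllowed})
		} else if h := ev.Time.Hour(); h < d.HourStart || h >= d.HourEnd {
			alerts = append(alerts, Alert{ev.Subject, ev.Object, ReasonOffHours})
		}
		bySubject[ev.Subject] = append(bySubject[ev.Subject], ev)
	}
	// Bulk rule: BulkThreshold or more distinct protected files by one account inside BulkWindow.
	for subj, evs := range bySubject {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs {
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= d.BulkWindow; j++ {
				seen[evs[j].Object] = true
			}
			if len(seen) >= d.BulkThreshold {
				alerts = append(alerts, Alert{subj, fmt.Sprintf("%d files", len(seen)), ReasonBulkRead})
				break // one bulk alert per account is enough
			}
		}
	}
	return alerts
}

// Policy is the assumed configuration: only the finance lead and the CISO open the folder, 07:00-19:00 UTC.
var Policy = Detector{
	ProtectedPrefix: `\\fs01\Finance\Insurance\`,
	Allowed:         map[string]bool{`CORP\rfinance`: true, `CORP\ciso`: true},
	HourStart:       7, HourEnd: 19,
	BulkThreshold:   3, BulkWindow: 5 * time.Minute,
}

// SampleLog is constructed for this example, not a real audit export.
var SampleLog = []string{
	`2024-04-12T14:02:11Z EventID=4663 Subject=CORP\rfinance Object=\\fs01\Finance\Insurance\cyber_policy_2024.pdf`,
	`2024-04-12T14:05:40Z EventID=4663 Subject=CORP\rfinance Object=\\fs01\Finance\Budget\q2.xlsx`,
	`2024-04-13T02:17:03Z EventID=4663 Subject=CORP\helpdesk7 Object=\\fs01\Finance\Insurance\cyber_policy_2024.pdf`,
	`2024-04-13T02:17:05Z EventID=4663 Subject=CORP\helpdesk7 Object=\\fs01\Finance\Insurance\coverage_certificate.pdf`,
	`2024-04-13T02:17:09Z EventID=4663 Subject=CORP\helpdesk7 Object=\\fs01\Finance\Insurance\broker_correspondence.docx`,
	`2024-04-13T22:40:00Z EventID=4663 Subject=CORP\rfinance Object=\\fs01\Finance\Insurance\coverage_certificate.pdf`,
}
func main() {
	for _, a := range Policy.Scan(SampleLog) {
		fmt.Printf("%-15s %-62s %s\n", a.Subject, a.Object, a.Reason)
	}
}
```

On the sample, the helpdesk account trips the allow-list rule three times and the bulk rule once, and the finance lead's late-night read trips the off-hours rule; the budget spreadsheet is ignored because it sits outside the protected prefix. The three rules deliberately overlap: an attacker who has stolen an allowed user's credentials passes the first rule, but reading every policy document in a few seconds at 02:00 still fires the other two. To make the audit records exist in the first place, object-access auditing (a SACL on the folder) has to be enabled on the file server, which is the step most often missed.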

3. Plan for the Role Your Legal Counsel Will Play

As part of your incident response and communications plans, ensure that both internal and external counsel are engaged before an incident occurs. Internal counsel should be prepared to advise the organization's leadership, while external counsel handles external communications and other third-party interactions and is responsible for keeping information confidential; having counsel direct the forensic engagement also helps preserve privilege over the investigation's findings. Documenting IT plans and communication strategies and reviewing contracts are essential steps, particularly given the healthcare industry's heavy reliance on third-party services.

4. Align Incident Response Plans with Available Resources and Expertise

Now that the preparation work is done, it is time to outline how you will handle the actual incident. We have seen numerous organizations with excellent documentation of every phase of incident response (detection, analysis, containment, eradication, recovery, and root cause and post-incident review) and detailed procedures for each, yet with no skilled staff on hand who could carry out 95% of what the documents describe.

Be honest in your incident response plans and procedures. Define what an incident looks like for your organization, and for every other phase simply state whom you plan to call to assist or to do the work. Document the phone numbers and email addresses of the firm with which you hold an incident response retainer.

5. Role Play with Tabletop Exercises and Review and Update Your Plan Annually

While HIPAA compliance requires an incident handling plan and policy, it does not require that the plan be tested. Once all roles and responsibilities have been assigned and your plan is in its final stages, put it to the test. Tabletop exercises are a good way to prepare your team for a real attack: these simulated cyber and physical security incident scenarios educate leadership and staff on breach detection and test your organization's response and readiness.

Running your tabletop exercise according to NIST SP 800-61 (the Computer Security Incident Handling Guide) is industry best practice, and a properly run exercise, including preparation and the after-action review, takes two to three weeks. During that time, either a third-party security firm that specializes in tabletops or your internal team works with both technical staff and leadership to create deliberately overwhelming incident scenarios that expose weaknesses in your response plan so they can be fixed. Building in time pressure and the need for quick decisions mirrors a real incident; the more practice teams get with this kind of response, the faster a real event can be handled and the sooner the business returns to normal operations.

And ensure you are testing annually. Just as the threat landscape evolves, so does your business. Points of contact may change, and responsibilities may shift in your organization. Annual testing helps organizations be better prepared in the event of a security incident and maintain better business continuity during the incident. 

About Jim Broome 

Jim Broome is a seasoned IT/IS veteran with more than 20 years of information security experience in both consultative and operational roles. Jim leads DirectDefense, where he is responsible for the day-to-day management of the company, as well as providing guidance and direction for its service offerings.

FTC Strengthens Health Data Breach Notification Rule to Protect Consumers
https://hitconsultant.net/2024/04/29/ftc-strengthens-health-data-breach-notification-rule-to-protect-consumers/
Mon, 29 Apr 2024 10:54:00 +0000

What You Should Know: 

– The Federal Trade Commission (FTC) has finalized significant changes to the Health Breach Notification Rule (HBNR), aiming to improve consumer protection in the digital age.

– These updates clarify the rule’s application to modern technologies like health apps and expand the information covered entities must disclose to consumers in the event of a data breach.

Key Updates to Health Breach Notification Rule Summary

  • Focus on Health Apps and Emerging Technologies: The revised rule clarifies its application to health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). This ensures these platforms are held accountable for safeguarding health data.
  • Expanded Breach Definition: The rule now encompasses unauthorized access or disclosure of identifiable health information, providing broader protection for consumers.
  • Clearer Scope and Definitions: Definitions like “PHR identifiable health information,” “covered healthcare provider,” and “healthcare services or supplies” have been revised for better clarity. Additionally, the revised definition of “PHR related entity” specifies that only entities accessing or sending unsecured health data to a personal health record qualify.
  • Enhanced Consumer Notifications: The final rule mandates covered entities to provide more detailed breach notifications to consumers. This includes disclosing the identity of any third parties who acquired unsecured health data during the breach.
  • Electronic Notification Options: The updated rule allows for wider use of email and other electronic means to deliver clear and effective breach notifications.
  • Revised Timing Requirements: The FTC notification timeframe is adjusted for breaches impacting 500 or more individuals. Covered entities must now notify the FTC simultaneously with sending notifications to affected individuals, with a deadline of 60 calendar days after the breach discovery.
  • Improved Readability: The revised rule simplifies language for better comprehension and promotes compliance.

Effective Date and Additional Actions

These changes will take effect 60 days after publication in the Federal Register. The FTC remains vigilant in protecting consumer data security, with recent enforcement actions against companies like GoodRx and Easy Healthcare (Premom app) for violating the HBNR. While the Commission approved the final rule with a 3-2 vote, dissenting statements were issued by Commissioners Holyoak and Ferguson.

The FTC offers resources to educate consumers about their rights and how to report scams and unfair business practices. 

“Protecting consumers’ sensitive health data is a high priority for the FTC,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “With the increasing use of health apps and connected devices, the updated HBNR will ensure it keeps pace with changes in the health marketplace.”

UnitedHealth Faces New Ransomware Threat After Alleged $22M Payment Failure
https://hitconsultant.net/2024/04/08/unitedhealth-faces-new-ransomware-threat-after-alleged-22m-payment-failure/
Mon, 08 Apr 2024 22:24:00 +0000

What You Should Know: 

– UnitedHealth Group is embroiled in a new ransomware saga, just as it recovers from a February attack, according to a blog post from threat intelligence firm SOCRadar.

– A hacking group called RansomHub claims to possess 4 terabytes of stolen data from UnitedHealth’s subsidiary, Change Healthcare and is demanding a ransom to prevent its release.

RansomHub’s Demands and Allegations

This data supposedly includes the personal details and medical records of “millions” of patients. RansomHub demands payment from UnitedHealth to prevent the data from being sold on the dark web. The group claims to be the same affiliate that conducted the February attack under the umbrella of the now-defunct ALPHV/Blackcat ransomware gang.

According to RansomHub, ALPHV pocketed the alleged $22M ransom paid by UnitedHealth and did not share it with the affiliate responsible for the breach. This has fueled speculation that RansomHub could be a rebranded ALPHV seeking their “cut” of the ransom.

Uncertainties and UnitedHealth’s Response

Security researchers remain cautious. RansomHub hasn’t provided proof of possessing the data by leaking samples. Additionally, some believe RansomHub might simply be a rebranded ALPHV. UnitedHealth has acknowledged the reports but offered no details on the ransom payment or the legitimacy of the claims.

Potential Repercussions

If RansomHub’s claims are true, UnitedHealth faces a difficult decision: pay another ransom or risk a massive data breach. This incident highlights the growing threat of ransomware attacks on healthcare providers and the sensitive data they manage.

Feds Launch Investigation of Change Healthcare Cybersecurity Attack
https://hitconsultant.net/2024/03/13/feds-launches-investigation-of-change-healthcare-cybersecurity-attack/
Wed, 13 Mar 2024 20:28:55 +0000

What You Should Know:

– The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced an investigation into the recent cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG).

– The cybersecurity attack has significantly disrupted healthcare billing and information systems nationwide, potentially impacting patient care.

Investigation Focuses on HIPAA Compliance

The OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. These rules establish minimum standards for protecting patient privacy, securing electronic health information, and notifying individuals in case of a data breach.

The OCR’s investigation will focus on two key areas:

  1. Determining if a Breach Occurred: The investigation will determine if the cyberattack resulted in a breach of protected health information (PHI) held by Change Healthcare.
  2. Compliance with HIPAA Rules: The OCR will assess Change Healthcare’s and UHG’s compliance with the HIPAA Rules, specifically regarding data security measures and breach notification protocols.

Impact on Downstream Partners

The OCR notes that healthcare providers, health plans, and business associates that partnered with Change Healthcare are not the primary focus of this investigation. It nevertheless reminds them of their obligations under HIPAA, including:

  • Maintaining valid business associate agreements with Change Healthcare.
  • Implementing timely breach notification procedures as required by HIPAA, notifying both HHS and affected individuals if a breach is confirmed.

Growing Impact of Ransomware in Healthcare

Ransomware and hacking are the primary cyber-threats in healthcare. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

“OCR is committed to helping health care entities understand health information regulations and to collaboratively working with entities to navigate the serious challenges we face together… We encourage all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected,” said Melanie Fontes Rainer, Director of OCR.

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Sensitive Data Requires Great Responsibility: The Importance of ‘Privacy and Security by Design’ in Healthcare
https://hitconsultant.net/2023/12/22/the-importance-of-privacy-and-security-by-design-in-healthcare/
Fri, 22 Dec 2023 17:01:19 +0000
Chris Bowen, founder and CISO at ClearDATA

In healthcare, sensitive data comes with great responsibility. For companies entrusted with managing and protecting patients’ personal information, ensuring the privacy of that data must be the highest priority. These companies are called to act as vigilant guardians, especially when you consider that secure and accurate data can literally save lives.

Enter the concept of ‘privacy and security by design,’ an approach that goes beyond merely meeting compliance standards and instead embeds security at the core of business operations. With privacy and security as non-negotiable foundations, organizations can effectively fortify their defenses, as long as they continue to adapt to new technology and ever-evolving cyber threats.

Here are some of the essential principles and practices that underpin ‘privacy and security by design,’ enabling health organizations to safeguard patient data and ensure the highest level of privacy and security in their operations.

Limit data collection to only what’s necessary

The first step in fortifying the security of healthcare data is to limit data collection to the bare essentials. Often, organizations collect more data than they actually need, inadvertently increasing the risk of exposure. By taking a minimalist approach to data collection, companies not only reduce the amount of sensitive information at risk but also simplify data management.

This approach aligns with the principle of data minimization, a key aspect of privacy regulations like the General Data Protection Regulation (GDPR) and HIPAA. By collecting only what is strictly necessary for the intended purpose, healthcare organizations reduce their data footprint and, at the same time, their potential attack surface.

Employ appropriate encryption for data in transit and at rest

Encryption lies at the heart of data security. It ensures that even if unauthorized actors gain access to data, they cannot decipher it without the necessary decryption keys. In healthcare, where patient data constantly moves between devices and systems, employing appropriate encryption for data in transit is a non-negotiable requirement.

Data at rest, stored on servers and in databases, is equally susceptible to breaches. Strong encryption, meaning a modern authenticated cipher such as AES-GCM with keys that are generated, stored and rotated separately from the data they protect, provides an additional layer of security: if the storage is copied or a backup is stolen, the data remains indecipherable, safeguarding patient privacy and the integrity of healthcare records. The caveat is that encryption at rest does nothing against an attacker who has obtained the application's own credentials, so it complements access control and monitoring rather than replacing them.

Practice daily blocking and tackling to maintain strong security posture

When it comes to healthcare data security, a proactive stance is vital. It’s not enough to set up defenses and assume they will remain impenetrable forever. Threat landscapes evolve, and cybercriminals become more sophisticated with every passing day. To uphold a strong security posture, healthcare organizations must prioritize daily blocking and tackling.

This means practicing not only the cybersecurity basics — like backing up data, using multi-factor authentication and handling passwords securely — but also employing more advanced tactics, including developing a hierarchical cybersecurity policy, simplifying technology infrastructure and ensuring IoT security. It also means continuously monitoring, threat hunting, patching and reducing your attack surfaces where possible. 

To hold organizations accountable to these cybersecurity best practices, it’s essential to regularly audit and test your systems. Audits serve as a comprehensive review of an organization’s security infrastructure, policies and procedures, and can help identify vulnerabilities and areas that require improvement. Readiness tests or mock event/breach exercises, on the other hand, involve simulated cyber attacks to assess the effectiveness of an organization’s current security measures in a real-world scenario. By continuously evaluating and refining their security protocols, healthcare companies can stay ahead of potential threats and vulnerabilities.

Stay informed about industry threats and security 

The field of cybersecurity is dynamic and ever-evolving. New threats emerge, and innovative solutions are developed to counter them. To remain effective in safeguarding healthcare data, organizations must stay informed about the latest developments in the security landscape.

Staying safe requires actively monitoring security news, in particular reading reports and alerts from third parties and real-time feeds from the appropriate channels, to keep up with the latest intelligence. Organizations should also seek out opportunities, where possible, to participate in industry-specific forums and collaborate with cybersecurity experts. In addition, it’s essential to prioritize regular staff training to keep cybersecurity skills sharp and foster a culture of security awareness within the organization. By keeping their knowledge current, healthcare organizations can adapt quickly to emerging threats and implement the necessary defenses, ensuring that patient data remains secure in the face of continuously evolving risks.

In healthcare, the responsibility of safeguarding sensitive data isn’t just a legal or ethical obligation — it’s a matter of life and death. By the same token, ‘privacy and security by design’ isn’t just a buzzword. It’s a fundamental approach that not only acknowledges the gravity of this responsibility but allows healthcare organizations to build an advanced security posture that goes above and beyond compliance requirements to protect the privacy and well-being of patients.


About Chris Bowen

Chris is the Founder and Chief Information Security Officer at ClearDATA. He leads ClearDATA’s internal privacy, security and compliance strategies as well as advises on the security and privacy risks faced by customers, which include global healthcare organizations, health insurance companies, providers, life science companies, and market-leading innovators from Asia Pacific, North America, and Europe. Mr. Bowen also leads ClearDATA’s international security risk consulting practice and has provided counsel to some of the world’s largest healthcare organizations.

He is a Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Technologist (CIPT) from the International Association of Privacy Professionals (IAPP), and a Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) from (ISC)2. As one of the leading experts on patient privacy and health data security, Chris has authored dozens of articles and is a frequent speaker at national healthcare industry events.

HIPAA Enforcement is Changing. Providers Must Too.
https://hitconsultant.net/2023/12/20/hipaa-enforcement-is-changing-providers-must-too/
Wed, 20 Dec 2023 06:27:00 +0000
Cam Roberson, VP at Beachhead Solutions

Healthcare delivery organizations and those working with them that are still in business are either well aware of their duties under HIPAA, work with managed service providers that understand the law well, or…are lucky to have made it this far. Even for organizations that have steered clear of both cyberattacks and regulatory fines, vigilance is essential to maintaining a clean bill of (cybersecurity) health.

With HIPAA guidance and enforcement practices shifting increasingly quickly right now, businesses must adapt their cybersecurity strategies to remain alert and in step with regulators’ most current expectations.

The fines they are a-changin’

Historically, HIPAA regulators have most often levied fines in the seven-figure range—but levied them relatively sparingly. As a result, HIPAA enforcement actions have long been viewed as a force of nature akin to lightning strikes: extremely lethal to most businesses, but just as extremely rare. That state of play has made it easy for organizations to adopt a dangerous “It won’t happen to me” attitude, as well as the mindset that fines could happen to anyone with bad enough luck.

HIPAA regulators are now changing their enforcement practices to take that perception of luck out of the equation—and force every organization that touches sensitive patient data to get serious about cybersecurity.

Regulators’ new strategy: assign five-figure fines per violation that most businesses can afford, and ramp up enforcement so that any organization that is not meeting its obligations can realistically expect one. Ironically, this pricing strategy was pioneered by ransomware operators, who have moved away from huge demands that led victims to write off their data and instead size ransoms so that paying is the easiest choice. With HIPAA regulators now applying clear and constant pressure through fines, organizations are correctly incentivized to maintain compliant cybersecurity practices and avoid writing checks to either law enforcers or lawbreakers.

HIPAA security controls have caught up with the times

When HIPAA was first enacted in 1996, the law’s writers looked to contemporary cybersecurity frameworks (like the versions of ISO and NIST in use at the time) to borrow guidance on effective controls for ensuring the safety of patient health information. Needless to say, a thing or two has changed in the 27 years since, from the sophistication of cyberattack strategies to the introduction of more modernized cybersecurity frameworks. 

H.R. 7898, signed into law in January 2021 as Public Law 116-321, addresses this discrepancy: when determining fines and audit outcomes, HHS must now consider whether an organization had “recognized security practices” (such as the NIST Cybersecurity Framework or the 405(d) HICP practices) in place for the preceding twelve months. Organizations should take full advantage of this by mapping their HIPAA security program to a modern control set such as NIST CSF or ISO 27001 to strengthen their protections, and by keeping evidence that those practices are actually in operation, since that evidence is what mitigates penalties.

New guidelines suggest that HIPAA is no longer DIY for smaller businesses

The Health Industry Cybersecurity Practices (HICP) guidelines, drafted by HHS and industry under Section 405(d) of the Cybersecurity Act of 2015 and first published in 2018, give healthcare organizations recommendations and best practices for complying with HIPAA and protecting their patients’ data. Until recently the guidelines kept a DIY tone, telling organizations how to achieve and maintain HIPAA-compliant cybersecurity internally.

However, a recent substantial overhaul of 405(d) HICP guidelines now directly offers advice on how to select an effective and trustworthy security-minded MSP (or MSSP) partner. At the root of this change: cyber threats and corresponding cybersecurity countermeasures in the HICP guidelines have become so complicated that smaller-scale healthcare delivery organizations and businesses attached to them can no longer be expected to navigate those complexities without expert support. For example, prescriptive cybersecurity controls, including automated threat detection and mitigation, are quickly becoming essential. Getting this right substantially curtails security risk—if in the hands of those (internally or externally) who know how to leverage those tools optimally.

The more things change…

While the sophistication of modern-day cyberattacks and security protections has reached an unprecedented level, the fundamentals remain the same. Safeguarding patients’ HIPAA-protected data requires thorough risk assessments to flag vulnerabilities, effective data encryption and access control, continuous employee training, and incident response planning to meet and overcome challenges as they arrive. Pairing that strong foundation with evolving protections—aligned with an awareness of the latest regulatory behaviors, security controls, and HIPAA guidelines—is the recipe for successful healthcare cybersecurity today.


About Cam Roberson 

Cam Roberson is Vice President at Beachhead Solutions, a San Jose-based cybersecurity company. Cam previously worked in product management roles at Apple.

Health Hacks Aren’t Just Expensive – They’re Detrimental to Patient Care
https://hitconsultant.net/2023/11/17/health-hacks-arent-just-expensive-theyre-detrimental-to-patient-care/
Fri, 17 Nov 2023 11:00:00 +0000
Apu Pavithran, CEO and Founder of Hexnode

Healthcare remains firmly in hacker crosshairs. A recent survey finds that four out of five healthcare operators experienced at least one cybersecurity incident in the past year. Adding to the concern, 60 percent of those incidents had a “moderate or substantial” impact on patient care, and a further 15 percent had a “severe” impact.

The repercussions of a health hack extend far beyond financial losses. This makes it all the more important to secure health networks and devices to keep out bad actors. Going forward, the sector must be more strategic in setting cyber defenses and protecting its most valuable asset: patients.

The dual dangers of health hacks

When it comes to cybersecurity, healthcare organizations are mainly worried about insider threats, ransomware, and supply chain attacks. In each of these threat vectors, cyber-physical devices connected to the internet remain the prime security weakness. About half (47 percent) of respondents cite at least one incident that affected cyber-physical systems such as medical devices and building management systems, and 30 percent say that sensitive data like protected health information (PHI) was affected.

For providers and operators, the impact of such hacks is two-fold. First, financial. Last year, for example, cybersecurity breaches cost healthcare organizations an average of $10 million each. Moreover, hospitals are more susceptible to big ransom payouts. This practice is typically discouraged by government authorities and cybersecurity industry experts but hospitals often see it as the fastest way to resolution. Of course, downtime can be a matter of life and death for patients in critical condition.

This brings us to the second impact: healthcare delivery. This was evident in a ransomware attack last year that forced CommonSpirit Health – the second-largest nonprofit hospital chain in the United States – to divert ambulances, shut down systems, and reschedule patient appointments. The hack affected more than 100 facilities across 13 states. In Washington, St. Michael Medical Center was even forced to delay critical procedures including a CT scan to check on a brain bleed. Healthcare workers at the time reported a “serious impact” on charting, lab results reporting, history gathering, and more.

Therefore, stopping hackers isn’t just about protecting healthcare networks and bottom lines, it’s vital to protecting patients.

Bigger budgets, known threats

The good news is that healthcare is responding to this serious threat in kind. More than two-thirds of health stakeholders are “very” or “somewhat concerned” about attacks on their organizations. As a result, they’re fighting back by identifying problem areas and increasing cybersecurity budgets.

As mentioned, the sector knows what it’s up against. Insider threats, for example, like phishing attacks or mishandled credentials are all too common. Likewise, ransomware is an ongoing problem, with successful attacks forcing providers to rely on paper records or sometimes close locations entirely. Lastly, supply chain attacks occur far too often against connected medical devices. In this type of attack, hackers attempt to damage an organization by targeting less secure portions of their supply chain. This is usually an out-of-date or unprotected medical device. For this reason, 78% of respondents say that patching vulnerabilities in medical devices is the biggest gap in their defenses.

Additionally, the sector now sees that cybersecurity requires more resources. In the five years between 2022 and 2027, the market for healthcare cybersecurity is predicted to double to $37 billion. With this money, the sector will need to better patch vulnerabilities in medical devices as well as improve asset inventory management and network segmentation.

Recommendations to protect devices and networks

First, the sector must gain better visibility into its assets. Unified endpoint management platforms, for example, oversee hardware and software through a single interface. Integrating an endpoint security solution, such as extended detection and response, further enhances protection by automating the detection of emerging threats and initiating appropriate responses. As a result, it’s possible to patch and secure a network of devices at once.

Second, assign devices to a separate network. Unfortunately, some healthcare operators remain at or below basic levels of network segmentation. This creates potential exposure to risk, especially when it comes to unpatched devices or hackable default settings. Storing devices on their own network means that successful hacks cannot move laterally into the larger ecosystem. 

Additionally, strengthen this posture by adhering to zero trust principles. This means configuring the network to continually validate credentials and provide devices with the least level of privilege. Done right, zero trust provides a comprehensive architecture that incorporates access based on individual identity, detailed network segmentation, ongoing surveillance, and security measures that focus on data protection.

In the ongoing battle against healthcare hacks, patient safety remains paramount. Recent incidents underscore the dire financial and health consequences of lapses in cybersecurity. While the industry is responding with increased budgets and awareness, a proactive approach is crucial to safeguarding both patients and healthcare systems. The sector must therefore remain vigilant to protect its devices, networks, and ultimately, patients.


About Apu Pavithran

Apu Pavithran is the founder and CEO of Hexnode. Recognized in the IT management community as a consultant, speaker, and thought leader, Apu is a strong advocate for IT governance and information security management. His company, Hexnode, is a one-stop solution to secure and manage connected devices.

Hospitals at Risk: Cybersecurity Vulnerability Discovered in EEG Medical Device NeuroWorks Natus
https://hitconsultant.net/2023/11/09/cybersecurity-vulnerability-discovered-in-eeg-medical-device-neuroworks-natus/
Thu, 09 Nov 2023 14:00:00 +0000
Critical Vulnerability in NeuroWorks Natus EEG Software Could Allow Cyberattacks on Hospitals

What You Should Know:

– A new critical vulnerability was discovered in NeuroWorks Natus Electroencephalogram (EEG) Software that could allow cybercriminals to take control of affected devices and steal medical data. NeuroWorks Natus Electroencephalogram (EEG) software solution is widely used across clinics, hospitals, large teaching facilities and medical device providers for EEG, LTM, ICU, sleep, and research studies.

– Trustwave SpiderLabs discovered that the vulnerability, which affects the software’s default credentials, could be exploited by cybercriminals to remotely execute code on target devices. This could allow them to gain access to sensitive medical data, systems, and healthcare operations.

– The vulnerability is yet to be patched. All users of NeuroWorks Natus EEG Software are urged to update to the latest version of the software immediately.

75% of Healthcare Organizations Hit by Ransomware Attacks, Sophos Survey Finds
https://hitconsultant.net/2023/11/02/75-of-healthcare-organizations-hit-by-ransomware-attacks/
Thu, 02 Nov 2023 04:38:10 +0000

What You Should Know: 

– Cybercriminals have been highly successful in their ransomware attacks on healthcare organizations, according to a new survey conducted by Sophos. The “State of Ransomware in Healthcare 2023” report reveals that nearly 75% of the surveyed healthcare organizations reported that their data was successfully encrypted by the attackers.

– In addition, only 24% of healthcare organizations were able to disrupt a ransomware attack before the attackers encrypted their data—down from 34% in 2022; this is the lowest rate of disruption reported by the sector over the past three years. 

– Ransomware remains a pressing concern for the healthcare industry. It’s essential for healthcare organizations to stay vigilant and continuously adapt their cybersecurity measures to counter evolving threats and protect patient information. 

Report Key Findings

The findings underscore the critical importance of robust cybersecurity measures in healthcare organizations. With the increasing frequency and sophistication of ransomware attacks, healthcare institutions must invest in advanced security solutions and incident response strategies to protect sensitive data and maintain uninterrupted healthcare services. Additional key findings from the report include:

  • In 37% of ransomware attacks where data was successfully encrypted, data was also stolen, suggesting a rise in the “double dip” method 
  • Healthcare organizations are now taking longer to recover, with 47% recovering in a week, compared to 54% last year
  • The overall number of ransomware attacks against healthcare organizations surveyed declined from 66% in 2022 to 60% this year 
  • Compromised credentials were the number one root cause of ransomware attacks against healthcare organizations, followed by exploits
  • The number of healthcare organizations surveyed that paid ransom payments declined from 61% last year to 42% this year. This is lower than the cross-sector average of 46% 

3 Best Practices to Protect Healthcare Orgs Against Ransomware, Cyberattacks

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

  1. Strengthen defensive shields with: 
    • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-ransomware and anti-exploit capabilities 
    • Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials 
    • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond 
    • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialized Managed Detection and Response (MDR) provider 
  2. Optimize attack preparation, including regularly backing up, practicing recovering data from backups and maintaining an up-to-date incident response plan
  3. Maintain security hygiene, including timely patching and regularly reviewing security tool configurations

NextGen’s Mirth Connect Vulnerability Could Compromise Health Data
https://hitconsultant.net/2023/10/31/nextgens-mirth-connect-vulnerability-could-compromise-health-data/
Tue, 31 Oct 2023 04:00:00 +0000

What You Should Know: 

– Mirth Connect, an open source data integration platform by NextGen HealthCare that is widely used by healthcare companies, has reportedly been found vulnerable in a way that would allow cyberattackers to gain access to and compromise sensitive healthcare data.
– The vulnerability, CVE-2023-43208, discovered a few months ago by IHTeam, affects versions prior to 4.4.1, which are vulnerable to unauthenticated remote code execution. NextGen has released a patch for Mirth Connect to address the issue and is urging users to upgrade to the latest patch release.

How Healthcare Organizations Can Defend Against Ransomware
https://hitconsultant.net/2023/10/04/how-healthcare-organizations-can-defend-against-ransomware/
Wed, 04 Oct 2023 10:38:39 +0000
Rebecca Gazda, Sr Director of Labs at DNSFilter

There’s no denying it – the need for stronger cyber defense is urgent. More ransomware attacks targeted healthcare in 2022 than any other critical infrastructure sector, according to the FBI’s Internet Crime Complaint Center (IC3). With attacks on healthcare negatively impacting patient care – including increased mortality rates – healthcare organizations must adopt proactive approaches to better protect their patients and sensitive information. 

In the spring, the Multi-State Information Sharing and Analysis Center (MS-ISAC) released new guidelines aimed at supporting healthcare organizations against cyber-attacks. Developed through collaboration between the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA), the guidance includes best practices for prevention and response to the six most common vectors for ransomware – internet-facing vulnerabilities and misconfigurations, compromised credentials, phishing, precursor malware infection, advanced forms of social engineering, and third parties and managed service providers.

The guidance provides healthcare organizations and hospitals with a helpful starting point, offering a plan for implementing essential security steps. However, there are gaps where more can be done to better protect against ransomware.  

For starters, phishing accounted for up to 60% of the attacks on the healthcare sector in the first quarter of 2023, according to DNSFilter’s State of Internet Security report. Even more unnerving? Research shows that healthcare employees are twice as likely to click on phishing links as employees in other sectors.  

It’s time for the healthcare industry to take action – with a proactive approach to ransomware protection. 

Start With an Incident Response Plan 

The umbrella for ransomware defense is a thorough incident response plan, which is critical to protecting data and enabling a fast, effective response in the event of an attack. A plan should cover every aspect of an organization’s defense, including prevention, detection, response and recovery. In addition, it should incorporate a strategy for maintaining encrypted backups offline, should an attack occur.  

The key to an effective incident response plan is in how it is maintained and communicated to employees. Response plans should be tested regularly and updated when necessary. And, everyone in an organization should be aware of the plan and their part in it.  

A decent portion of the advice in MS-ISAC guidance concerns basic – but absolutely essential – measures. For example, steps to guard against compromised credentials are well-known, even if not always implemented. The basics of ransomware protection for healthcare organizations include:  

  • Always using multi-factor authentication (MFA), which has been proven to be highly effective against credential-based attacks such as those used in phishing campaigns.  
  • Updating the default usernames and passwords used for administrative accounts – an obvious precaution. 
  • Avoiding root accounts for day-to-day access; attackers who gain access to these accounts can get persistent access to the entire environment.
  • Educating all employees on proper password security in annual training.  

The Importance of User Education 

User education cannot be underestimated due to the sheer number of individuals who have access to Protected Health Information (PHI) and Personally Identifiable Information (PII). However, nurses, doctors and healthcare assistants are often not savvy in cybersecurity best practices. Thus, training must become standard in order to better protect the industry at large. 

We must evolve to institute proper cybersecurity training as an ongoing activity, rather than once a year. Frequent, short bursts of information are more likely to be digested and retained than information from longer annual sessions. In addition to IT and cybersecurity professionals, which the MS-ISAC guidance focuses on, it’s imperative to educate ALL employees – as many outside the cybersecurity and IT scope still have access to sensitive information. The access those employees have – and the sensitivity of the information at stake – increases the attack surface for healthcare organizations, potentially putting not only data, but the wellbeing and even lives of patients at risk. A thorough incident response plan must ensure that all employees regularly receive ongoing training to protect medical databases. A good cyber posture requires a baseline of knowledge for every person within an organization. 

Stay a Step Ahead of Phishing Attempts 

In addition to broad phishing campaigns that attempt to get any one of many employees to click a link, attackers today also conduct targeted campaigns with more sophisticated tactics such as pretexting (posing as a trusted source to gather information), baiting (offering free music or movie downloads to get login information) or even posing as a C-level executive to trick employees into providing information or performing a function. Without proper education and training, how can we expect employees in the healthcare sector to understand how to properly identify these attacks? We can’t. 

Many organizations omit continuous training simply because they aren’t sure where to begin. However, third-party resources are available, including Ninjio, which works with short, regular bursts of information and has kitschy but interesting videos. Or, there is HackNotice, which along with its other services encourages accountability by enrolling employees and family members in breach reports. 

Healthcare workers will make better choices when they feel they have autonomy, support and proper education. While mistakes will inevitably be made through human error, hospitals and medical offices can consider adding another layer of protection by implementing protective Domain Name Systems (DNS) services, which analyze queries and can block some malicious activity, including ransomware, at the source.   

Other Best Practices 

Asset management is a challenge for healthcare organizations due to the variety of connected devices in use, such as scanners, infusion pumps and monitoring devices. This includes monitoring devices that record private patient information like heart rate, blood pressure, and glucose levels. Not to mention the devices implanted inside patients, as well as devices many patients carry with them on a daily basis. While it can be a challenge to track and maintain an inventory across every moving part in a healthcare system – asset management tools exist that fully eliminate that burden.

Third-party managed service providers (MSPs) can help small and mid-size companies implement security measures that are beyond the capability they are able to provide on their own. However, it is important to remember that complete information on the systems, data and processes that need to be protected must be provided, as MSPs can’t help protect against what they don’t know about.  

As outlined in the MS-ISAC guidance, it’s imperative for healthcare organizations to ensure that least-privilege principles are applied across service providers. Service control policies to restrict access to specific services or prevent users from performing certain functions, such as changing cloud configurations or deleting logs, should be implemented. 
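As an added illustration of the kind of service control policy described above (this is example configuration written for this page, not from the article or the MS-ISAC guidance), the following AWS Organizations SCP denies every principal the ability to stop, delete or reconfigure CloudTrail and AWS Config recording, except an assumed break-glass role; the account wildcard and the role name `PLACEHOLDER-BreakGlassSecurityAdmin` are placeholders to be replaced with the organization's own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingOrDeletingAuditLogsExceptBreakGlassRole",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-BreakGlassSecurityAdmin"
        }
      }
    }
  ]
}
```

Because an SCP is a guardrail rather than a grant, it caps what even account administrators can do, so a compromised credential in a member account cannot silence the audit trail; the break-glass role itself should be MFA-protected and its every assumption alerted on.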

The threat of ransomware isn’t going anywhere. As a profitable attack vector for cyber threat actors, hospitals and medical offices remain at risk. While the MS-ISAC guidance provides a strong foundation for implementing measures to enhance prevention, response and recovery – there are areas we must improve upon to better protect sensitive information from exfiltration. Through proper organizational-wide education, continuous training, proper phishing awareness, asset management and third-party MSPs – healthcare organizations can establish a more robust cybersecurity posture and better protect against today’s ever growing ransomware threat. Not only will this protect patient data, but patient lives as well.   


About Rebecca Gazda

Rebecca Gazda is the Sr Director of Labs at DNSFilter where she is responsible for categorization innovation, classification accuracy, and threat protection. Rebecca has over 15 years of experience in data and analytics, statistics, data science, and technology team management. Her career has spanned several industries including psychology, neuroscience, cybersecurity, healthcare, academia, and clinical research. Her diverse background provides a perspective into cybersecurity that focuses on the human aspects of threats and threat protection.

Zscaler, Imprivata, CrowdStrike Launch Zero Trust Security Solution
https://hitconsultant.net/2023/09/19/zscaler-imprivata-crowdstrike-launch-zero-trust-security-solution/
Tue, 19 Sep 2023 12:00:38 +0000

What You Should Know:

  • Zscaler, Inc., the leader in cloud security, today announced that it has teamed up with CrowdStrike and Imprivata to deliver a zero-trust cybersecurity solution from device to cloud that’s custom-made for medical institutions.
  • The new Zscaler integration with the Imprivata Digital Identity Platform will provide visibility, threat protection and traceability for end-to-end, multi-user, shared device access control that are required for organizations to meet regulatory requirements, including HIPAA and HITECH.

Increasing Visibility and Creating Better Multi-User Shared Device Mechanisms for Improved Regulation

Through the new Zscaler integration with Imprivata, Zscaler is able to take Imprivata context and leverage the existing integration with CrowdStrike Falcon® Zero Trust Assessment (ZTA) score to control access to applications with adaptive, risk-based policies. 

As ransomware targeting healthcare organizations increases, more advanced cybersecurity is needed to protect sensitive patient data and maintain uninterrupted operations for the continuous delivery of life-critical medical services. With this new integration, users of the Zscaler Zero Trust Exchange™ platform, Imprivata OneSign®, and the CrowdStrike Falcon® platform will be able to more effectively adopt a zero trust architecture that offers granular access management, threat protection, and traceability capabilities to better protect against ransomware.

Hospitals and healthcare organizations face a unique security and identity challenge. With shared workstations among staff, they must determine how they can distinguish who is doing what on which device and enforce access control policies and threat protections based on both the user who logged in at the time and the device’s posture. They also need to keep track of all user activity with logs indicating their actions for traceability and compliance requirements.

“Cyberattacks on healthcare organizations are at an all-time high, and protecting patient data is critical to maintaining trust,” said Dhawal Sharma, Senior Vice President and General Manager at Zscaler. “Zscaler’s integrations with Imprivata, in addition to CrowdStrike, provide much needed help to healthcare organizations in their journey to a zero trust architecture. We’re aiding workers and technicians with least privileged access to the healthcare information they need to provide care and maintain the privacy and security of patient data.”

How Hospitals Can Maximize Cybersecurity and Travel Nurse Investments
https://hitconsultant.net/2023/09/11/maximizing-cybersecurity-and-travel-nurse-investments/
Mon, 11 Sep 2023 12:00:00 +0000
Dr. Sean Kelly, Chief Medical Officer and SVP of Customer Strategy, Imprivata

In the wake of the pandemic, the nursing field has continued to suffer large-scale burnout and a wave of retirements. An estimated 100,000 registered nurses have left the field since 2020 due to Covid-related stress, according to the National Council of State Boards of Nursing (NCSBN), accelerating the chronic understaffing crisis that already strained hospitals and healthcare organizations pre-pandemic. 

The remaining nurses are caught in a vicious burnout cycle, forced to bear an ever-increasing burden as their colleagues quit or retire. A survey by AMN Healthcare found that about a third of nurses intend to quit their jobs due to the stress of the pandemic, and the NCSBN reports that a whopping 600,000 nurses plan to leave the field within the next four years due to stress, burnout and retirement.

Yet, the demand for care continues unabated. Nurses are absolutely core to the day-to-day functioning of any hospital system, especially in the post-Covid environment. To bulk up nursing staff and keep up with care delivery demands, many hospitals have had no choice but to rely more heavily on transient staff to bolster their workforce.

The Cost of Addressing the Nursing Shortage

Hiring travel nurses has helped many overwhelmed hospitals mitigate the effects of the nursing shortage. According to the American Hospital Association, the average hospital currently spends 40% of their nursing budget on travel nurses, a far cry from the 5% they spent pre-pandemic. Travel nurses have always worked at a premium but the national increase in demand has also driven up prices dramatically. The average hospital’s contract labor expenditure costs rose 257% between 2019 and 2022—and at least 100,000 travel nurses were hired in the U.S. during this time period. These travel nurses are fulfilling a dire need for hospitals desperate for nursing staff, but the cost is significant to hospitals already struggling to make ends meet. 

The growing reliance on travel nurses illuminates a cybersecurity issue as well. Travel nurses require immediate access to a hospital’s digital systems, applications, and networks to effectively and securely care for patients. However, providing this access is often done manually, with IT teams creating accounts for each user based on the access privileges they need. This is a time-consuming, tedious process. It can take up to 3 months for practitioners to get onboarded with all the appropriate access privileges they need, and considering the contractual nature of the job, those nurses may well be nearing the end of their time at the hospital by the time access is granted. It’s not uncommon for travel nurses to arrive at a hospital for their first shift without having access to the electronic health record (EHR). 

To provide access, it’s often easier for overwhelmed residential staff to simply jot down a password on a sticky note to allow travel nurses to log in under a colleague’s credentials, presenting significant security risks. When organizations don’t have the proper tools in place to streamline clinician interactions with technology, hospitals experience significant productivity delays and workarounds, as clinicians are still expected to care for patients despite lacking the proper tools to streamline the process. Ultimately, this results in a diminished return on the travel nurse investment.

How Hospitals Can Maximize IT and Travel Nurse Investments  

Considering that travel nurses are being hired to fill a critical resource gap, it is essential they have all required access privileges to the EHR and other critical applications to get to work caring for patients immediately. In addition, it’s essential they are able to access these technologies securely and efficiently. With inefficient processes for provisioning and deprovisioning, authentication, and access, cybersecurity and productivity will suffer. Healthcare’s digital environment is growing increasingly vast, complex, and vulnerable. Cyber attacks are steadily becoming more dangerous, sophisticated and frequent. For twelve years in a row, the healthcare industry has had the highest average data breach cost of any industry, with cyber attacks costing healthcare organizations an average of more than $10 million.

As healthcare organizations look to make strategic decisions with their limited IT and cybersecurity budgets, it is important to look for opportunities to implement solutions that address both cybersecurity and productivity. Not only is this important to maximize travel nurse investments, but also to improve residential nurse satisfaction and productivity.

Enabling Clinicians with Digital Identity

While the problems facing the healthcare industry are complex and layered, there is a multi-faceted solution. Digital identity technologies provide an opportunity for healthcare organizations to improve both clinician onboarding and the way clinicians access applications and critical systems. By implementing a digital identity strategy, healthcare organizations can tackle these issues with one dynamic approach.

By using an identity governance solution, healthcare IT teams can automate clinician onboarding through role-based user account provisioning. With just a few clicks, a travel nurse (or any other clinical staff member) can quickly get set up with all the necessary accounts and access privileges needed to do their job. This eliminates the need for manual on-boarding while making it easier to off-board users once they leave the organization, reducing the security risks of inactive credentials being compromised.

Another key component of a digital identity strategy is access management. As mentioned, security requirements like complex passwords and multifactor authentication (MFA) can slow down clinicians trying to access the EHR while caring for patients. With a proximity ID badge tap or biometric single sign-on solution, clinicians can seamlessly tap their ID badge or swipe their fingerprint onto a reader to log in to the EHR and other applications. This results in significant time savings for clinicians, giving them more time to focus on patient care while improving security. By implementing these solutions as part of a holistic digital identity strategy, healthcare organizations can provide travel nurses with access to the exact systems they need and ensure that those systems are strongly protected from cyber attacks. 

It appears that the nursing shortage will likely become even worse in the coming years. This means that healthcare organizations will continue to rely on expensive temporary staffing solutions to meet ever-growing care delivery demands. As hospitals continue to invest in travel nurses as well as their own clinical staff, they must also invest in technologies that can provide swift and secure access to applications and systems. Travel nurses can provide incredible support to healthcare organizations, but ensuring they can deliver high-quality patient care is reliant upon the hospital’s ability to reduce onboarding friction to empower staff to hit the ground running. Identity management eases the way forward for nurses, temporary or not, to focus on what matters most: providing exceptional patient care.


About Dr. Sean Kelly 
Dr. Sean Kelly is the Chief Medical Officer (CMO) and Sr. VP of Customer Strategy for Healthcare at Imprivata, where he leads the company’s Clinical Workflow team and advises on the clinical practice of healthcare IT security. In addition, Dr. Kelly practices emergency medicine at Beth Israel Lahey Health and is an Assistant Professor of Emergency Medicine, part-time, at Harvard Medical School. Trained at Harvard College, the University of Massachusetts Medical School, and Vanderbilt University, Dr. Kelly is board-certified in Emergency Medicine and is a Fellow in the American College of Emergency Physicians.

Healthcare Security & Privacy Challenges of ChatGPT, AI Tools
https://hitconsultant.net/2023/08/21/healthcare-security-privacy-challenges-of-chatgpt-ai-tools/
Mon, 21 Aug 2023 17:53:52 +0000
Jon Moore, MS, JD, HCISPP, Chief Risk Officer and SVP of Clearwater

Recent advances in Generative AI Large Language Models, such as ChatGPT, have been making waves across various industries, not least in healthcare. With the ability to converse with users much like a friend, adviser, or assistant, these models have a broad appeal and immense potential. Their user-friendly nature is democratizing access to AI and stirring a cauldron of innovation, with healthcare emerging as a field ripe for exploration.

Nevertheless, as with any powerful tool, there’s a double-edged sword at play here. The very attributes that make these tools valuable—autonomy, adaptability, and scale—can also be exploited for malevolent ends. While we revel in the promise of transformative applications, growing apprehensions regarding misuse and abuse loom in the background.

As we stride into this brave new world of AI-enabled healthcare, the challenge before us is not just about harnessing the power of these solutions. It’s also about developing safeguards that allow us to tap into their value while mitigating risks associated with their use. Let’s delve into this exciting yet complex landscape, examining how to maximize benefits and minimize potential pitfalls.

Understanding Generative AI Large Language Models 

Generative AI Large Language Models like ChatGPT utilize advanced machine learning to generate text resembling human communication. Trained on extensive datasets consisting of billions of sentences using “transformer neural networks,” these models excel at predicting the next sequence in a text string, akin to an ultra-advanced auto-complete. 

This goes well beyond simply reproducing learned data, instead synthesizing patterns, themes, and structures to produce novel outputs. This impressive capability expands the scope for diverse applications, from patient interaction to medical literature review, heralding an exciting age of AI-assisted healthcare.

Applications in Healthcare

AI models are transforming healthcare with an increasing range of applications. They are used in medical triage and patient engagement, where AI chatbots guide patients based on their symptoms, enhancing healthcare accessibility. AI models also assist physicians by providing evidence-based recommendations for clinical decisions. Companies like eClinicalWorks are integrating AI into their systems to reduce administrative tasks. Additionally, AI models have ventured into mental health support, offering therapeutic interactions. Future prospects are extensive, from personalized patient education and routine task automation to aiding in pharmaceutical research. As innovation progresses, the potential applications of AI in healthcare seem boundless.

The Benefits of AI-Language Models in Healthcare

One of the main benefits of AI language models in healthcare is their ability to enhance efficiency and accessibility. For example, AI triage and patient engagement tools can provide round-the-clock service, reducing wait times and allowing patients in remote or underserved areas to access essential healthcare advice.

Moreover, these models democratize health information, offering clear, understandable insights to patients and promoting more informed decision-making. This is crucial in a field where comprehension gaps often impede patient engagement and treatment adherence. Another key advantage is the personalization of care. AI models can tailor their responses to individuals, potentially improving the relevance and effectiveness of health advice, educational materials, and therapeutic interactions. 

Additionally, AI language models could augment the accuracy and consistency of medical decisions. They can synthesize vast amounts of research, past patient data, and guidelines in real-time, offering clinicians decision support based on the latest evidence. When harnessed properly, these benefits could revolutionize patient experiences, clinical decision-making, and healthcare administration, driving a new era of efficient, personalized, and data-driven care.

The Dark Side: Potential Misuse and Ethical Considerations

While AI language models promise transformative benefits in healthcare, potential misuses and ethical challenges loom. One concern is the propagation of misinformation if models generate outdated or incorrect health information, posing a substantial risk in a field where accurate information is crucial.

The potential for AI tools to be exploited for malicious ends, such as improving phishing attacks or generating sophisticated malware, presents considerable cybersecurity threats. Privacy issues also arise as AI models, trained on extensive datasets, might unintentionally leak sensitive information. Bias in training data can lead to unfair outputs, highlighting the ethical issue of accountability in AI decision-making. Furthermore, the “black box” nature of AI complicates transparency and trust, critical factors for widespread adoption in healthcare. Lastly, increased technological dependence risks eroding human skill in identifying technological faults.

Addressing these concerns is essential to leverage AI’s benefits in healthcare without compromising safety, privacy, and ethical standards. As we delve deeper into the world of AI, striking this balance becomes an ever-evolving challenge.

Risks of Attacks on the AI Solutions Themselves

AI language models aren’t just tools; they’re also potential targets. Data or AI poisoning attacks can corrupt AI responses by injecting misleading information into the training sets. Prompt injection attacks present another risk, potentially revealing proprietary business information about the AI deployment. For instance, a recent experiment by a Stanford student prompted Bing’s AI model to disclose its initial instructions, typically hidden from users. Indirect prompt injection attacks are also emerging, where third-party attackers manipulate the prompt, opening the door to data theft, information ecosystem contamination, and more.

Even ChatGPT, a leading AI model, recently fell victim to a breach. Credentials of over 100,000 users were stolen and appeared for sale on the Dark Web, potentially exposing all information these unlucky users submitted to ChatGPT. These incidents highlight that as we advance in AI technology, security measures must concurrently evolve, ensuring the protection of both the tools and their users from the growing complexity of cyber threats.

Balancing the Benefits and Risks

Navigating AI-enabled healthcare requires a delicate equilibrium between embracing benefits and countering risks. Key to this balance is the formulation and enforcement of comprehensive regulations, demanding close collaboration between regulators, technology developers, healthcare providers, and ethicists.

Adopting ethical AI frameworks, like those proposed by global health organizations, can guide our way, focusing on transparency, fairness, human oversight, privacy, and accountability. Unfortunately, creating regulations and ethical frameworks is particularly difficult when we do not fully understand the implications of these AI technologies. Too many restrictions will stifle technological advancement, and too little may have catastrophic, life-threatening implications. 

Regular audits of AI systems are equally critical, facilitating early detection of misuse or unethical practices and guiding necessary system updates. Further, cultivating a culture of responsibility among all stakeholders, from developers and healthcare providers to end-users, is essential for ensuring ethical, effective, and safe AI applications in healthcare. We can harness AI’s transformative potential in healthcare through concerted efforts and stringent checks while diligently minimizing associated risks.

The Future of AI in Healthcare

AI’s future in healthcare promises transformative potential, with AI roles expanding into predictive analytics, drug discovery, robotic surgery, and home care. Trends indicate a rising use of AI in personalized medicine, where large datasets enable more personalized, predictive, and preventive care. This could shift treatment strategies from disease response to health maintenance. AI will also be crucial in managing burgeoning healthcare data, efficiently analyzing vast quantities to inform decision-making and enhance patient outcomes. However, the success of AI in healthcare hinges on health IT professionals, who bridge technology and care, ensuring effective system implementation, ethical usage, and continuous improvement. Their pivotal role will shape a future where AI and healthcare merge, delivering superior care for all.

Summing Up

AI-enabled healthcare presents an exciting journey with tremendous potential and notable challenges. AI language models can revolutionize healthcare, yet potential misuse, privacy, and ethical concerns necessitate careful navigation. Balancing these aspects requires robust regulations, ethical frameworks, and diligent monitoring. Yet this, too, has its risks. Health IT professionals’ roles are vital in shaping this future. Our stewardship of this technology is crucial as we launch a new era where AI and humans collaboratively enhance healthcare. We hold the key to optimizing AI’s potential while minimizing risks. The future of healthcare, powered by AI, is in our hands and promises to be extraordinary.


About Jon Moore

Jon Moore, MS, JD, HCISPP, is Chief Risk Officer and SVP at Clearwater, a company combining deep healthcare, cybersecurity, and compliance expertise with comprehensive service and technology solutions to help organizations become more secure, compliant, and resilient. Moore is an experienced professional with a background in privacy and security law, technology, and healthcare. During an 8-year tenure with PricewaterhouseCoopers (PwC), Moore served in multiple roles. He was a leader of the Federal Healthcare Practice, Federal Practice IT Operational Leader, and a member of the Federal Practice’s Operational Leadership Team.

Among the significant federal clients supported by Moore and his engagements are: The National Institute of Standards and Technology (NIST), the National Institutes of Health (NIH), the Indian Health Service (IHS), the Department of Health and Human Services (HHS), U.S. Nuclear Regulatory Commission (NRC), Environmental Protection Agency (EPA), and Administration for Children and Families (ACF). Moore holds a BA in Economics from Haverford College, a law degree from Penn State University’s Dickinson Law, and an MS in Electronic Commerce from Carnegie Mellon’s School of Computer Science and Tepper School of Business.

Nearly 60% of Healthcare Providers Experienced a Data Breach Since 2021 (Wed, 05 Jul 2023) https://hitconsultant.net/2023/07/05/healthcare-providers-data-breach/

What You Should Know: 

  • Nearly 60% of healthcare providers experienced one or more security breaches, and 45% experienced a data breach from an outside source or a distributed denial-of-service attack since 2021, according to a new report from SOTI.
  • The annual report, The Technology Lifeline: Charting Digital Progress in Healthcare, explores the evolving landscape of healthcare technology adoption, its impact on patient satisfaction and the top security risks that every IT leader should keep top of mind.

Report Background

SOTI surveyed 1,450 healthcare IT professionals across the U.S., Canada, Mexico, UK, Germany, France, Sweden, Netherlands and Australia to gain insight into the evolving landscape of healthcare technology adoption, the impact of increasing technology implementation, the range of devices used and what challenges and security risks remain. 

Key findings of the report include: 

Security Concerns: Healthcare IT professionals in the U.S. are the most concerned about the security of patient records in their organization, including: 

  • Patient information revealed/lost/accessed/stolen/not adequately backed up: 87%
  • Financial cost/reputational damage of data breach: 69%
  • No training/device lost/stolen: 45%

More Money, More Devices, More Problems 

57% of organizations increased IT budgets. The greater investment, scale and diversification of devices has led to a 49% increase in the use of a mix of devices (mobile devices, tablets, rugged devices and printers) in their healthcare organization in the past year. An additional 65% of IT professionals also reported an increase in the use of personal devices to access company systems and networks.

Currently, 91% of healthcare IT professionals report their organizations use tablets and laptops, while 86% use smartphones and 73% use printers. However, findings show that tablets and laptops (32%) and smartphones (37%) were not being managed correctly a year ago. The report also found that 26% of printers were not being managed, including for the use of printing prescription labels.

Eliminating Outdated Processes and Legacy Technology

Concerns about the impact of outdated or legacy technologies persist, with 47% of healthcare IT workers believing legacy IT devices and systems expose their networks to security attacks. In addition to security vulnerabilities, respondents also believe legacy devices can hinder day-to-day operations by:

  • Being unable to detect new devices connected to system/makes network vulnerable: 54%
  • Too much time fixing issues/not enough to work on essential IT issues: 53%       
  • Being unable to detect new devices/support devices remotely/get detailed info on device usage: 49%
  • An inability to support devices remotely/get detailed info on device usage: 41%
  • Can’t deploy and manage devices/support remotely: 32%

Furthermore, IT professionals state the following manual processes used in healthcare organizations would benefit greatly from being automated:

  • Collecting data during patient visits: 54%
  • Accessing and updating patient records: 53%
  • Recording information for administrative purposes (including incident reporting): 52%
  • Accessing test results: 50%
  • Accessing general medical information/resources: 49%

SOTI also found that 95% of IT professionals are prioritizing the usage of new technologies to improve patient care, with 86% implementing and researching Artificial Intelligence (AI) and Virtual Reality (VR).
