ThreatAdvice President Brandon Jarrett was recently quoted in a Birmingham Business Journal article exploring increased cyberattacks on the healthcare industry and what healthcare executives can do to combat them. Here's what Jarrett had to say.
“Health care is really lagging on the security front,” Jarrett said. “I know because I’ve personally met with and talked to some larger private practices that have passed on the tool sets they should be implementing that other small to medium businesses are implementing.”
“(Health care entities) are going to have to invest in their security infrastructure and their security policies,” Jarrett said. “Otherwise, they’re really at risk. Patient records are cheap on the black market and the dark web and they have all the relevant data in them that you need to assume someone’s identity. ... Especially those in private practice really need to take a hard look at what they’re doing to protect their practices and their patients.”
Jarrett said rural hospitals are particularly vulnerable.
“I’m optimistic that, hopefully, there’ll be some form of funding available for those entities because they do provide a valuable service in those areas,” Jarrett said. “There are solutions out there such as virtual CISO solutions that will allow them to contract with a virtual chief information security officer without having to lay out a couple hundred thousand a year to hire someone full time.”
There are, however, cost-effective things that large and small health care entities alike can do to improve their cybersecurity posture.
First, according to Jarrett, comes education of employees.
“We know they have to take their HIPAA training and things like that, but what are the practices or the hospitals doing to educate their employees from a cybersecurity perspective?” Jarrett said. “Are they leveraging ongoing security awareness training applications on a monthly basis? Are they running simulated phishing campaigns on their employees? Some really effective ones are patient record requests that might come in to a practice administrator or somebody like that, that are not legitimate.”
“Step one is always going to be securing your employees because they’re the ones who are most vulnerable to attack, and 90% of the breaches directly come from the employees themselves,” he said.
The second step to improving cybersecurity posture, Jarrett said, is making sure that all endpoints are secured with advanced endpoint detection and response (EDR). He said health care entities should be using EDR solutions on all of their endpoints, and those should be managed 24/7 by a security operations center. Simple anti-virus applications are not intuitive enough and don't detect zero-day threats that come out in real time. AI is a second-layer security measure, he added.
“The third layer would be some sort of SIEM security incident event monitoring or XDR, some sort of broader technology that can ingest millions of logs from the endpoint detection and response, the firewalls, the network traffic, all of that stuff, again, managed by a security operation center that looks through all of those logs for indicators of potential breaches,” Jarrett said.
Read the rest of the article by Laurel Thrailkill, including commentary from Ryan Allen, chief of information security for the University of Alabama at Birmingham Health System; Joan Hicks, chief information officer for the UAB Health System; Donald Monistere, CEO and president of Birmingham-based General Informatics; Ryland Byars, IT and cybersecurity director at Birmingham-based Medical Properties Trust; Mark Tarr, CEO of Encompass Health; and Matt Lyden, director of asset management and underwriting at Medical Properties Trust, on the Birmingham Business Journal website here.