Healthcare Cybersecurity | News, Analysis, Insights - HIT Consultant
https://hitconsultant.net/tag/cybersecurity/

How Healthcare Organizations Can Defend Against Ransomware
https://hitconsultant.net/2023/10/04/how-healthcare-organizations-can-defend-against-ransomware/
Wed, 04 Oct 2023
Rebecca Gazda, Sr Director of Labs at DNSFilter

There’s no denying it – the need for stronger cyber defense is urgent. More ransomware attacks targeted healthcare in 2022 than any other critical infrastructure sector, according to the FBI’s Internet Crime Complaint Center (IC3). With attacks on healthcare negatively impacting patient care – including increased mortality rates – healthcare organizations must adopt proactive approaches to better protect their patients and sensitive information. 

In the spring, the Multi-State Information Sharing and Analysis Center (MS-ISAC) released new guidelines aimed at supporting healthcare organizations against cyber-attacks. Developed through collaboration between the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA), the guidance includes best practices for prevention and response to the six most common vectors for ransomware – internet-facing vulnerabilities and misconfigurations, compromised credentials, phishing, precursor malware infection, advanced forms of social engineering, and third parties and managed service providers. 

The guidance provides healthcare organizations and hospitals with a helpful starting point, offering a plan for implementing essential security steps. However, there are gaps where more can be done to better protect against ransomware.  

For starters, phishing accounted for up to 60% of the attacks on the healthcare sector in the first quarter of 2023, according to DNSFilter’s State of Internet Security report. Even more unnerving? Research shows that healthcare employees are twice as likely to click on phishing links as employees in other sectors.  

It’s time for the healthcare industry to take action – with a proactive approach to ransomware protection. 

Start With an Incident Response Plan 

The umbrella for ransomware defense is a thorough incident response plan, which is critical to protecting data and enabling a fast, effective response in the event of an attack. A plan should cover every aspect of an organization’s defense, including prevention, detection, response and recovery. In addition, it should incorporate a strategy for maintaining encrypted backups offline, should an attack occur.  

The key to an effective incident response plan is in how it is maintained and communicated to employees. Response plans should be tested regularly and updated when necessary. And, everyone in an organization should be aware of the plan and their part in it.  

A decent portion of the advice in the MS-ISAC guidance concerns basic – but absolutely essential – measures. For example, steps to guard against compromised credentials are well-known, even if not always implemented. The basics of ransomware protection for healthcare organizations include:  

  • Always using multi-factor authentication (MFA), which has been proven to be highly effective against credential-based attacks such as those used in phishing campaigns.  
  • Changing the default usernames and passwords used for administrative accounts – an obvious precaution. 
  • Avoiding root accounts for day-to-day access; attackers who gain access to these accounts can get persistent access to the entire environment.  
  • Educating all employees on proper password security in annual training.  

The Importance of User Education 

The importance of user education cannot be overstated, given the sheer number of individuals who have access to Protected Health Information (PHI) and Personally Identifiable Information (PII). However, nurses, doctors and healthcare assistants are often not well versed in cybersecurity best practices. Thus, training must become standard in order to better protect the industry at large. 

We must evolve to institute proper cybersecurity training as an ongoing activity, rather than once a year. Frequent, short bursts of information are more likely to be digested and retained than information from longer annual sessions. In addition to the IT and cybersecurity professionals on whom the MS-ISAC guidance focuses, it’s imperative to educate ALL employees – as many outside the cybersecurity and IT scope still have access to sensitive information. The access those employees have – and the sensitivity of the information at stake – increases the attack surface for healthcare organizations, potentially putting not only data, but the wellbeing and even lives of patients at risk. A thorough incident response plan must ensure that all employees regularly receive ongoing training to protect medical databases. A good cyber posture requires a baseline of knowledge for every person within an organization. 

Stay a Step Ahead of Phishing Attempts 

In addition to broad phishing campaigns that attempt to get any one of many employees to click a link, attackers today also conduct targeted campaigns with more sophisticated tactics such as pretexting (posing as a trusted source to gather information), baiting (offering free music or movie downloads to get login information) or even posing as a C-level executive to trick employees into providing information or performing a function. Without proper education and training, how can we expect employees in the healthcare sector to understand how to properly identify these attacks? We can’t. 

Many organizations omit continuous training simply because they aren’t sure where to begin. However, third-party resources are available, including Ninjio, which works with short, regular bursts of information and has kitschy but interesting videos. Or, there is HackNotice, which along with its other services encourages accountability by enrolling employees and family members in breach reports. 

Healthcare workers will make better choices when they feel they have autonomy, support and proper education. While mistakes will inevitably be made through human error, hospitals and medical offices can consider adding another layer of protection by implementing protective Domain Name System (DNS) services, which analyze queries and can block some malicious activity, including ransomware, at the source.   

Other Best Practices 

Asset management is a challenge for healthcare organizations due to the variety of connected devices in use, such as scanners, infusion pumps and monitoring devices. This includes monitoring devices that record private patient information like heart rate, blood pressure, and glucose levels, not to mention the devices implanted inside patients and the devices many patients carry with them on a daily basis. While it can be a challenge to track and maintain an inventory across every moving part in a healthcare system, asset management tools exist that fully eliminate that burden.  

Third-party managed service providers (MSPs) can help small and mid-size companies implement security measures that are beyond the capability they are able to provide on their own. However, it is important to remember that complete information on the systems, data and processes that need to be protected must be provided, as MSPs can’t help protect against what they don’t know about.  

As outlined in the MS-ISAC guidance, it’s imperative for healthcare organizations to ensure that least-privilege principles are applied across service providers. Service control policies to restrict access to specific services or prevent users from performing certain functions, such as changing cloud configurations or deleting logs, should be implemented. 

The threat of ransomware isn’t going anywhere. Because ransomware remains a profitable attack vector for cyber threat actors, hospitals and medical offices remain at risk. While the MS-ISAC guidance provides a strong foundation for implementing measures to enhance prevention, response and recovery – there are areas we must improve upon to better protect sensitive information from exfiltration. Through proper organization-wide education, continuous training, proper phishing awareness, asset management and third-party MSPs – healthcare organizations can establish a more robust cybersecurity posture and better protect against today’s ever-growing ransomware threat. Not only will this protect patient data, but patient lives as well.   


About Rebecca Gazda

Rebecca Gazda is the Sr Director of Labs at DNSFilter where she is responsible for categorization innovation, classification accuracy, and threat protection. Rebecca has over 15 years of experience in data and analytics, statistics, data science, and technology team management. Her career has spanned several industries including psychology, neuroscience, cybersecurity, healthcare, academia, and clinical research. Her diverse background provides a perspective into cybersecurity that focuses on the human aspects of threats and threat protection.

Zscaler, Imprivata, CrowdStrike Launch Zero Trust Security Solution
https://hitconsultant.net/2023/09/19/zscaler-imprivata-crowdstrike-launch-zero-trust-security-solution/
Tue, 19 Sep 2023

What You Should Know:

  • Zscaler, Inc., the leader in cloud security, today announced that it has teamed up with CrowdStrike and Imprivata to deliver a zero-trust cybersecurity solution from device to cloud that’s custom-made for medical institutions.
  • The new Zscaler integration with the Imprivata Digital Identity Platform will provide visibility, threat protection and traceability for end-to-end, multi-user, shared device access control that are required for organizations to meet regulatory requirements, including HIPAA and HITECH.

Increasing Visibility and Creating Better Multi-User Shared Device Mechanisms for Improved Regulation

Through the new Zscaler integration with Imprivata, Zscaler is able to take Imprivata context and leverage the existing integration with CrowdStrike Falcon® Zero Trust Assessment (ZTA) score to control access to applications with adaptive, risk-based policies. 

As ransomware targeting healthcare organizations increases, more advanced cybersecurity is needed to protect sensitive patient data and maintain uninterrupted operations for the continuous delivery of life-critical medical services. With this new integration, users of the Zscaler Zero Trust Exchange™ platform, Imprivata OneSign®, and the CrowdStrike Falcon® platform will be able to more effectively adopt a zero trust architecture that offers granular access management, threat protection, and traceability capabilities to better protect against ransomware.

Hospitals and healthcare organizations face a unique security and identity challenge. With shared workstations among staff, they must determine how they can distinguish who is doing what on which device and enforce access control policies and threat protections based on both the user who logged in at the time and the device’s posture. They also need to keep track of all user activity with logs indicating their actions for traceability and compliance requirements.

“Cyberattacks on healthcare organizations are at an all-time high, and protecting patient data is critical to maintaining trust,” said Dhawal Sharma, Senior Vice President and General Manager at Zscaler. “Zscaler’s integrations with Imprivata, in addition to CrowdStrike, provide much needed help to healthcare organizations in their journey to a zero trust architecture. We’re aiding workers and technicians with least privileged access to the healthcare information they need to provide care and maintain the privacy and security of patient data.”

How Hospitals Can Maximize Cybersecurity and Travel Nurse Investments
https://hitconsultant.net/2023/09/11/maximizing-cybersecurity-and-travel-nurse-investments/
Mon, 11 Sep 2023
Dr. Sean Kelly, Chief Medical Officer and SVP of Customer Strategy, Imprivata

In the wake of the pandemic, the nursing field has continued to suffer large-scale burnout and a wave of retirements. An estimated 100,000 registered nurses have left the field since 2020 due to Covid-related stress, according to the National Council of State Boards of Nursing (NCSBN), accelerating the chronic understaffing crisis that already strained hospitals and healthcare organizations pre-pandemic. 

The remaining nurses are caught in a vicious burnout cycle, forced to bear an ever-increasing burden as their colleagues quit or retire. A survey by AMN Healthcare found that about a third of nurses intend to quit their jobs due to the stress of the pandemic, and the NCSBN reports that a whopping 600,000 nurses plan to leave the field within the next four years due to stress, burnout and retirement.

Yet, the demand for care continues unabated. Nurses are absolutely core to the day-to-day functioning of any hospital system, especially in the post-Covid environment. To bulk up nursing staff and keep up with care delivery demands, many hospitals have had no choice but to rely more heavily on transient staff to bolster their workforce.

The Cost of Addressing the Nursing Shortage

Hiring travel nurses has helped many overwhelmed hospitals mitigate the effects of the nursing shortage. According to the American Hospital Association, the average hospital currently spends 40% of its nursing budget on travel nurses, a far cry from the 5% it spent pre-pandemic. Travel nurses have always worked at a premium, but the national increase in demand has also driven up prices dramatically. The average hospital’s contract labor expenditure rose 257% between 2019 and 2022—and at least 100,000 travel nurses were hired in the U.S. during this time period. These travel nurses are fulfilling a dire need for hospitals desperate for nursing staff, but the cost is significant to hospitals already struggling to make ends meet. 

The growing reliance on travel nurses illuminates a cybersecurity issue as well. Travel nurses require immediate access to a hospital’s digital systems, applications, and networks to effectively and securely care for patients. However, providing this access is often done manually, with IT teams creating accounts for each user based on the access privileges they need. This is a time-consuming, tedious process. It can take up to 3 months for practitioners to get onboarded with all the appropriate access privileges they need, and considering the contractual nature of the job, those nurses may well be nearing the end of their time at the hospital by the time access is granted. It’s not uncommon for travel nurses to arrive at a hospital for their first shift without having access to the electronic health record (EHR). 

To provide access, it’s often easier for overwhelmed residential staff to simply jot down a password on a sticky note to allow travel nurses to log in under a colleague’s credentials, presenting significant security risks. When organizations don’t have the proper tools in place to streamline clinician interactions with technology, hospitals experience significant productivity delays and workarounds, as clinicians are still expected to care for patients despite not having the proper tools to streamline the process. Ultimately, this results in a diminished return on the travel nurse investment. 

How Hospitals Can Maximize IT and Travel Nurse Investments  

Considering that travel nurses are being hired to fill a critical resource gap, it is essential they have all required access privileges to the EHR and other critical applications to get to work caring for patients immediately. In addition, it’s essential they are able to access these technologies securely and efficiently. With inefficient processes for provisioning and deprovisioning, authentication, and access, cybersecurity and productivity will suffer. Healthcare’s digital environment is growing increasingly vast, complex, and vulnerable. Cyber attacks are steadily becoming more dangerous, sophisticated and frequent. For twelve years in a row, the healthcare industry has had the highest average data breach cost of any industry, with cyber attacks costing healthcare organizations an average of more than $10 million.

As healthcare organizations look to make strategic decisions with their limited IT and cybersecurity budgets, it is important to look for opportunities to implement solutions that address both cybersecurity and productivity. Not only is this important to maximize travel nurse investments, but also to improve residential nurse satisfaction and productivity.

Enabling Clinicians with Digital Identity

While the problems facing the healthcare industry are complex and layered, there is a multi-faceted solution. Digital identity technologies provide an opportunity for healthcare organizations to improve both clinician onboarding and the way clinicians access applications and critical systems. By implementing a digital identity strategy, healthcare organizations can tackle these issues with one dynamic approach.

By using an identity governance solution, healthcare IT teams can automate clinician onboarding through role-based user account provisioning. With just a few clicks, a travel nurse (or any other clinical staff member) can quickly get set up with all the necessary accounts and access privileges needed to do their job. This eliminates the need for manual onboarding while making it easier to off-board users once they leave the organization, reducing the security risk of inactive credentials being compromised.
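The role-based provisioning and contract-end deprovisioning described above, as an added illustration that is not code from Imprivata or from the article; the role catalogue, entitlement names, staff records and the `grace_days` parameter are constructed for this example:

```python
"""Role-based provisioning with automatic contract-end deprovisioning.

Added illustration, not code from Imprivata or the article; the role catalogue,
entitlement names and staff records below are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Role templates: exactly the entitlements a role needs and nothing more (least privilege).
# Constructed for this example; a real catalogue lives in the identity governance system.
ROLE_ENTITLEMENTS = {
    "travel_nurse": {"ehr:clinical_rw", "pharmacy:order_view", "badge:ward_access"},
    "staff_nurse":  {"ehr:clinical_rw", "pharmacy:order_view", "badge:ward_access", "scheduling:self"},
    "unit_manager": {"ehr:clinical_rw", "badge:ward_access", "scheduling:manage"},
}


@dataclass
class StaffRecord:
    """One HR record. Dates are ISO strings (YYYY-MM-DD); end=None means permanent staff."""
    user_id: str
    role: str
    start: str
    end: Optional[str] = None


@dataclass
class Account:
    user_id: str
    entitlements: set = field(default_factory=set)
    enabled: bool = True


def _d(s: str) -> date:
    return date.fromisoformat(s)


def provision(record: StaffRecord, today: str) -> Account:
    """Create an account from the role template only: no ad-hoc entitlements,
    unknown roles are rejected, and the login is enabled only inside the contract window."""
    if record.role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role {record.role!r}: refusing to guess entitlements")
    t = _d(today)
    in_window = _d(record.start) <= t and (record.end is None or t <= _d(record.end))
    return Account(record.user_id, set(ROLE_ENTITLEMENTS[record.role]), enabled=in_window)


def deprovision_sweep(records, accounts, today: str, grace_days: int = 0):
    """Daily job: disable and strip any account whose contract ended more than
    grace_days ago, and any account with no HR record behind it (an orphan login).
    Returns the user ids disabled in this run, in input order."""
    by_id = {r.user_id: r for r in records}
    t = _d(today)
    disabled = []
    for acct in accounts:
        rec = by_id.get(acct.user_id)
        if rec is None:
            expired = True  # nobody in HR vouches for this login: a stale credential
        else:
            expired = rec.end is not None and t > _d(rec.end) + timedelta(days=grace_days)
        if expired and acct.enabled:
            acct.enabled = False
            acct.entitlements.clear()
            disabled.append(acct.user_id)
    return disabled


def can_access(acct: Account, entitlement: str) -> bool:
    """Access check an application would call: disabled accounts get nothing."""
    return acct.enabled and entitlement in acct.entitlements


if __name__ == "__main__":
    # Constructed sample data: a 13-week travel contract, a permanent nurse, an orphan login.
    records = [
        StaffRecord("tn-001", "travel_nurse", "2023-09-01", "2023-11-30"),
        StaffRecord("sn-002", "staff_nurse", "2020-01-06"),
    ]
    accounts = [provision(r, "2023-09-01") for r in records]
    accounts.append(Account("ghost-003", {"ehr:clinical_rw"}))  # left over from an old contract
    print("day one:", [(a.user_id, a.enabled) for a in accounts])
    print("disabled on 2023-12-01:", deprovision_sweep(records, accounts, "2023-12-01"))
    print("tn-001 EHR access now:", can_access(accounts[0], "ehr:clinical_rw"))
```

Running the sweep daily against the HR feed is what turns "off-boarding" from a ticket someone may forget into a control that also catches logins no record ever backed.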

Another key component of a digital identity strategy is access management. Security requirements like complex passwords and multifactor authentication (MFA) can slow down clinicians trying to access the EHR while caring for patients. With a proximity ID badge tap or biometric single sign-on solution, clinicians can seamlessly tap their ID badge or swipe their fingerprint on a reader to log in to the EHR and other applications. This results in significant time savings for clinicians, giving them more time to focus on patient care while improving security. By implementing these solutions as part of a holistic digital identity strategy, healthcare organizations can provide travel nurses with access to the exact systems they need and ensure that those systems are strongly protected from cyber attacks. 

It appears that the nursing shortage will likely become even worse in the coming years. This means that healthcare organizations will continue to rely on expensive temporary staffing solutions to meet ever-growing care delivery demands. As hospitals continue to invest in travel nurses as well as their own clinical staff, they must also invest in technologies that can provide swift and secure access to applications and systems. Travel nurses can provide incredible support to healthcare organizations, but ensuring they can deliver high-quality patient care is reliant upon the hospital’s ability to reduce onboarding friction to empower staff to hit the ground running. Identity management eases the way forward for nurses, temporary or not, to focus on what matters most: providing exceptional patient care.


About Dr. Sean Kelly 
Dr. Sean Kelly is the Chief Medical Officer (CMO) and Sr. VP of Customer Strategy for Healthcare at Imprivata, where he leads the company’s Clinical Workflow team and advises on the clinical practice of healthcare IT security. In addition, Dr. Kelly practices emergency medicine at Beth Israel Lahey Health and is an Assistant Professor of Emergency Medicine, part-time, at Harvard Medical School. Trained at Harvard College, the University of Massachusetts Medical School, and Vanderbilt University, Dr. Kelly is board-certified in Emergency Medicine and is a Fellow in the American College of Emergency Physicians.

Healthcare Security & Privacy Challenges of ChatGPT, AI Tools
https://hitconsultant.net/2023/08/21/healthcare-security-privacy-challenges-of-chatgpt-ai-tools/
Mon, 21 Aug 2023
Jon Moore, MS, JD, HCISPP, Chief Risk Officer and SVP of Clearwater

Recent advances in Generative AI Large Language Models, such as ChatGPT, have been making waves across various industries, not least in healthcare. With the ability to converse with users much like a friend, adviser, or assistant, these models have a broad appeal and immense potential. Their user-friendly nature is democratizing access to AI and stirring a cauldron of innovation, with healthcare emerging as a field ripe for exploration.

Nevertheless, as with any powerful tool, there’s a double-edged sword at play here. The very attributes that make these tools valuable—autonomy, adaptability, and scale—can also be exploited for malevolent ends. While we revel in the promise of transformative applications, growing apprehensions regarding misuse and abuse loom in the background.

As we stride into this brave new world of AI-enabled healthcare, the challenge before us is not just about harnessing the power of these solutions. It’s also about developing safeguards that allow us to tap into their value while mitigating risks associated with their use. Let’s delve into this exciting yet complex landscape, examining how to maximize benefits and minimize potential pitfalls.

Understanding Generative AI Large Language Models 

Generative AI Large Language Models like ChatGPT utilize advanced machine learning to generate text resembling human communication. Trained on extensive datasets consisting of billions of sentences using “transformer neural networks,” these models excel at predicting the next sequence in a text string, akin to an ultra-advanced auto-complete. 

This goes well beyond simply reproducing learned data, instead synthesizing patterns, themes, and structures to produce novel outputs. This impressive capability expands the scope for diverse applications, from patient interaction to medical literature review, heralding an exciting age of AI-assisted healthcare.

Applications in Healthcare

AI models are transforming healthcare with an increasing range of applications. They are used in medical triage and patient engagement, where AI chatbots guide patients based on their symptoms, enhancing healthcare accessibility. AI models also assist physicians by providing evidence-based recommendations for clinical decisions. Companies like eClinicalWorks are integrating AI into their systems to reduce administrative tasks. Additionally, AI models have ventured into mental health support, offering therapeutic interactions. Future prospects are extensive, from personalized patient education and routine task automation to aiding in pharmaceutical research. As innovation progresses, the potential applications of AI in healthcare seem boundless.

The Benefits of AI-Language Models in Healthcare

One of the main benefits of AI language models in healthcare is their ability to enhance efficiency and accessibility. For example, AI triage and patient engagement tools can provide round-the-clock service, reducing wait times and allowing patients in remote or underserved areas to access essential healthcare advice.

Moreover, these models democratize health information, offering clear, understandable insights to patients and promoting more informed decision-making. This is crucial in a field where comprehension gaps often impede patient engagement and treatment adherence. Another key advantage is the personalization of care. AI models can tailor their responses to individuals, potentially improving the relevance and effectiveness of health advice, educational materials, and therapeutic interactions. 

Additionally, AI language models could augment the accuracy and consistency of medical decisions. They can synthesize vast amounts of research, past patient data, and guidelines in real-time, offering clinicians decision support based on the latest evidence. When harnessed properly, these benefits could revolutionize patient experiences, clinical decision-making, and healthcare administration, driving a new era of efficient, personalized, and data-driven care.

The Dark Side: Potential Misuse and Ethical Considerations

While AI language models promise transformative benefits in healthcare, potential misuses and ethical challenges loom. One concern is the propagation of misinformation if models generate outdated or incorrect health information, posing a substantial risk in a field where accurate information is crucial.

The potential for AI tools to be exploited for malicious ends, such as improving phishing attacks or generating sophisticated malware, presents considerable cybersecurity threats. Privacy issues also arise as AI models, trained on extensive datasets, might unintentionally leak sensitive information. Bias in training data can lead to unfair outputs, highlighting the ethical issue of accountability in AI decision-making. Furthermore, the “black box” nature of AI complicates transparency and trust, critical factors for widespread adoption in healthcare. Lastly, increased technological dependence risks eroding human skill in identifying technological faults.

Addressing these concerns is essential to leverage AI’s benefits in healthcare without compromising safety, privacy, and ethical standards. As we delve deeper into the world of AI, striking this balance becomes an ever-evolving challenge.

Risks of Attacks on the AI Solutions Themselves

AI language models aren’t just tools; they’re also potential targets. Data or AI poisoning attacks can corrupt AI responses by injecting misleading information into the training sets. Prompt injection attacks present another risk, potentially revealing proprietary business information about the AI deployment. For instance, a recent experiment by a Stanford student prompted Bing’s AI model to disclose its initial instructions, typically hidden from users. Indirect prompt injection attacks are also emerging, where third-party attackers manipulate the prompt, opening the door to data theft, information ecosystem contamination, and more.

Even ChatGPT, a leading AI model, recently fell victim to a breach. Credentials of over 100,000 users were stolen and appeared for sale on the Dark Web, potentially exposing all information these unlucky users submitted to ChatGPT. These incidents highlight that as we advance in AI technology, security measures must concurrently evolve, ensuring the protection of both the tools and their users from the growing complexity of cyber threats.

Balancing the Benefits and Risks

Navigating AI-enabled healthcare requires a delicate equilibrium between embracing benefits and countering risks. Key to this balance is the formulation and enforcement of comprehensive regulations, demanding close collaboration between regulators, technology developers, healthcare providers, and ethicists.

Adopting ethical AI frameworks, like those proposed by global health organizations, can guide our way, focusing on transparency, fairness, human oversight, privacy, and accountability. Unfortunately, creating regulations and ethical frameworks is particularly difficult when we do not fully understand the implications of these AI technologies. Too many restrictions will stifle technological advancement, and too little may have catastrophic, life-threatening implications. 

Regular audits of AI systems are equally critical, facilitating early detection of misuse or unethical practices and guiding necessary system updates. Further, cultivating a culture of responsibility among all stakeholders, from developers and healthcare providers to end-users, is essential for ensuring ethical, effective, and safe AI applications in healthcare. We can harness AI’s transformative potential in healthcare through concerted efforts and stringent checks while diligently minimizing associated risks.

The Future of AI in Healthcare

AI’s future in healthcare promises transformative potential, with AI roles expanding into predictive analytics, drug discovery, robotic surgery, and home care. Trends indicate a rising use of AI in personalized medicine, where large datasets enable more personalized, predictive, and preventive care. This could shift treatment strategies from disease response to health maintenance. AI will also be crucial in managing burgeoning healthcare data, efficiently analyzing vast quantities to inform decision-making and enhance patient outcomes. However, the success of AI in healthcare hinges on health IT professionals, who bridge technology and care, ensuring effective system implementation, ethical usage, and continuous improvement. Their pivotal role will shape a future where AI and healthcare merge, delivering superior care for all.

Summing Up

AI-enabled healthcare presents an exciting journey with tremendous potential and notable challenges. AI language models can revolutionize healthcare, yet, potential misuse, privacy, and ethical concerns necessitate careful navigation. Balancing these aspects requires robust regulations, ethical frameworks, and diligent monitoring. Yet, this, too, has its risks. Health IT professionals’ roles are vital in shaping this future. Our stewardship of this technology is crucial as we launch a new era where AI and humans collaboratively enhance healthcare. We hold the key to optimizing AI’s potential while minimizing risks. The future of healthcare, powered by AI, is in our hands and promises to be extraordinary.


About Jon Moore

Jon Moore, MS, JD, HCISPP, Chief Risk Officer and SVP at Clearwater, a company combining deep healthcare, cybersecurity, and compliance expertise with comprehensive service and technology solutions to help organizations become more secure, compliant, and resilient. Moore is an experienced professional with a background in privacy and security law, technology, and healthcare. During an 8-year tenure with PricewaterhouseCoopers (PwC), Moore served in multiple roles. He was a leader of the Federal Healthcare Practice, Federal Practice IT Operational Leader, and a member of the Federal Practice’s Operational Leadership Team. 

Among the significant federal clients supported by Moore and his engagements are: The National Institute of Standards and Technology (NIST), the National Institutes of Health (NIH), the Indian Health Service (IHS), the Department of Health and Human Services (HHS), U.S. Nuclear Regulatory Commission (NRC), Environmental Protection Agency (EPA), and Administration for Children and Families (ACF). Moore holds a BA in Economics from Haverford College, a law degree from Penn State University’s Dickinson Law, and an MS in Electronic Commerce from Carnegie Mellon’s School of Computer Science and Tepper School of Business.

Nearly 60% of Healthcare Providers Experienced a Data Breach Since 2021
https://hitconsultant.net/2023/07/05/healthcare-providers-data-breach/
Wed, 05 Jul 2023

What You Should Know: 

  • Nearly 60% of healthcare providers experienced one or more security breaches and 45% experienced a data breach from an outside source or distributed denial-of-service since 2021, according to a new report from SOTI
  • The annual report,  The Technology Lifeline: Charting Digital Progress in Healthcare explores the evolving landscape of healthcare technology adoption, its impact on patient satisfaction and the top security risks that every IT leader should keep top of mind.

Report Background

SOTI surveyed 1,450 healthcare IT professionals across the U.S., Canada, Mexico, UK, Germany, France, Sweden, Netherlands and Australia to gain insight into the evolving landscape of healthcare technology adoption, the impact of increasing technology implementation, the range of devices used and what challenges and security risks remain. 

Key findings of the report include: 

Security Concerns: Healthcare IT professionals in the U.S. are the most concerned about the security of patient records in their organization, including: 

  • Patient information revealed/lost/accessed/stolen/not adequately backed up: 87%
  • Financial cost/reputational damage of data breach: 69%
  • No training/device lost/stolen: 45%

More Money, More Devices, More Problems 

57% of organizations increased IT budgets. The greater investment, scale and diversification of devices has led to a 49% increase in the use of a mix of devices (mobile devices, tablets, rugged devices and printers) in their healthcare organization in the past year. An additional 65% of IT professionals also reported an increase in the use of personal devices to access company systems and networks.

Currently, 91% of healthcare IT professionals report their organizations use tablets and laptops, while 86% use smartphones and 73% use printers. However, findings show that tablets and laptops (32%) and smartphones (37%) were not being managed correctly a year ago. The report also found that 26% of printers were not being managed, including for the use of printing prescription labels.

Eliminating Outdated Processes and Legacy Technology

Concerns about outdated or legacy technologies are widespread: 47% of healthcare IT workers believe legacy IT devices and systems expose their networks to security attacks. In addition to security vulnerabilities, respondents also believe legacy devices hinder day-to-day operations by:

  • Being unable to detect new devices connected to system/makes network vulnerable: 54%
  • Too much time fixing issues/not enough to work on essential IT issues: 53%       
  • Being unable to detect new devices/support devices remotely/get detailed info on device usage: 49%
  • An inability to support devices remotely/get detailed info on device usage: 41%
  • Can’t deploy and manage devices/support remotely: 32%

Furthermore, IT professionals state the following manual processes used in healthcare organizations would benefit greatly from being automated:

  • Collecting data during patient visits: 54%
  • Accessing and updating patient records: 53%
  • Recording information for administrative purposes (including incident reporting): 52%
  • Accessing test results: 50%
  • Accessing general medical information/resources: 49%

SOTI also found that 95% of IT professionals are prioritizing the usage of new technologies to improve patient care, with 86% implementing and researching Artificial Intelligence (AI) and Virtual Reality (VR).

How Healthcare Providers Can Bolster Cybersecurity Defenses and Protect Patient Data
https://hitconsultant.net/2023/05/11/healthcare-providers-cybersecurity-defenses/
Thu, 11 May 2023 04:02:00 +0000
Nicko van Someren, Chief Technology Officer at Absolute Software

In IBM’s 2022 Cost of a Data Breach report, the company revealed that the global average cost of a data breach was $4.35 million. In the healthcare sector, however, that number skyrocketed to $10.1 million. Why is an attack on a healthcare organization so much more costly? While part of this comes down to the fact that healthcare organizations often have big budgets, and so might be able to pay big ransoms, the biggest part of the answer is consequences. In healthcare, real lives are at stake. Downed systems don’t just mean a loss of profit; they mean a loss of life. Faced with the choice of paying up or letting people die, the decision to pay a ransom is not a hard one, even if the asking price is very large indeed.

State of the Industry

The healthcare industry is a particularly attractive target for ransomware for two main reasons. First, irrespective of benefits, healthcare companies tend to be large businesses with large balance sheets. Total expenses for U.S. hospitals reached above one trillion dollars in 2022, indicating that on any given day, a massive amount of money is flowing in and out of hospitals nationwide. For cybercriminals, this means an easy target with an almost-guaranteed payout to some degree. 

Second, healthcare is an extremely vital industry for humankind. For many organizations in other verticals, ransomware may be a “pay up or go offline” situation. Devices may be taken offline and productivity may slow temporarily, but ransomware is a temporary setback; organizations may even take their time coming up with a way to circumvent payment. For healthcare, however, time is not on the side of the organization. The effects of a ransomware attack are far more useful for criminals when actual lives are on the line.

The deeper problem is that as long as healthcare organizations have to keep paying ransomware to save lives, criminals will keep attacking; it’s, unfortunately, part of the overall risk factor for these providers.

A Different Breed of Risk

However, it’s not just the attractiveness of the target that keeps criminals attacking healthcare organizations; it’s also the risk profile of the average healthcare employee.

More than most other industries, we see extremely high mobility of staff within healthcare. Across many healthcare businesses, a substantial contingent of staff is out in the field or is highly mobile within the office space. Doctors and nurses are constantly on the move, even if they never actually leave the hospital. Many devices become mobile out of necessity. This creates a physical risk of device loss or theft, increasing the need for a strong, resilient connection and the ability to track or wipe a device should it be stolen.

Additionally, healthcare data is extremely valuable to criminals. This isn’t simply because of the deeply personal nature of the data; from a criminal’s point of view, it is a trove of extremely valuable Personally Identifiable Information (PII). This sort of personal information is just what cybercriminals need to answer the personal security questions that protect bank accounts, site logins, and more.

Finally, healthcare systems are often large and interconnected – if security is not ironclad, criminals can rapidly gain the ability to move from end-user laptops to departments like billing, to the pharmacy, to control systems – always finding the weakest link as long as a valuable target exists. This creates an endless game of ‘whack-a-mole’ for healthcare IT teams, where the objective is to simply become less of a target while rooting out malware infections across a wide range of systems.

Overall, with their large attack surface, interconnected systems and highly valuable data, devices in healthcare settings are a perfect target. They are also a perfect use case for a zero-trust network access approach to security. 

Reducing Risk

Risk is usually defined as the product of the probability of a successful attack and the impact of that attack. Protecting your organization to minimize the chance of success is the most common way people try to reduce risk, but it has its limits. No organization is ever going to be perfectly protected. This means that in most cases the best way to minimize risk is by being ready for an attack so that you can minimize its impact. This means that IT teams must find ways to get their organization to a point where it’s possible to recover without paying. This allows them to break the vicious cycle: as long as attacks lead to payments, payments will lead to more attacks. Breaking the cycle is crucial because if you can’t, then no matter how strong your defenses are, criminals will just find a different part of your business to attack. The ultimate goal is to get to a point where if your organization is ransomed it’s only a minor setback – you have the safeguards and backups to minimize the blowback. When you’re able to recover without paying, then you win. Criminals aim to attack where the ROI is the greatest; if you don’t need to pay, then they’re more likely to move on.

In the case of ransomware, minimizing impact means being able to restore your systems to the pre-attack state as quickly and efficiently as possible. Naturally, to do this you need to have backups, but you need more than that if you want a rapid response, especially when you have a mobile workforce. What you need is remote control of the devices and you need remote control tools that will survive a complete, clean slate reinstall of the systems. Surviving a reinstall is crucial because, in an ever-changing world of malware infections, it’s often impossible to be sure that you’ve successfully removed the infection without completely wiping the entire disc. The ability to bounce back in the face of an attack, what IT and Security people call “resilience”, is one of the most effective tools you can deploy to minimize the overall risk from ransomware attacks.

Importance of Forward-Planning

Reducing risk is impossible without forward planning, but with a little foresight, healthcare organizations can dramatically reduce the risk from ransomware attacks. The key to this is to balance existing cybersecurity techniques that help prevent attacks with cyber-resilience techniques that help IT teams bounce back. Everyone in healthcare knows that no matter how young and healthy you may be, health insurance is a necessity if you want to get healthy again when illness happens. Cyber-resilience is just the same; if you want to keep your systems healthy you don’t just need to practice good hygiene, you need to ensure that you can get prompt and effective treatment when an infection happens. That way your organization can spend less time and energy keeping PCs healthy and more time keeping the humans healthy!


About Nicko van Someren

Nicko van Someren serves as Chief Technology Officer at Absolute Software, where he oversees the direction and strategic vision of Absolute’s product architecture and security roadmap. He has more than two decades of experience leading, developing and bringing to market disruptive security technologies. Prior to his role at Absolute, Nicko served as Chief Security Officer and Chief Information Officer at nanopay, Inc, a financial services technology company. He has also served as Chief Technology Officer at the Linux Foundation, Good Technology (now a part of BlackBerry) and nCipher (now a part of Entrust Datacard) as well as the Chief Security Architect at Juniper Networks.

Nicko also serves as a board member and advisor for numerous startups and is a mentor for the Techstars accelerator program in Boulder, CO. He has a PhD from the University of Cambridge and fellowships from the Royal Academy of Engineering and British Computer Society.

Healthcare Considerations: Addressing Cyber Risk in the Healthcare Industry
https://hitconsultant.net/2023/05/10/addressing-cyber-risk-in-the-healthcare-industry/
Wed, 10 May 2023 04:00:00 +0000
Bryan Smith, Chief Technology Officer, RiskLens

In 2020, the Dental Care Alliance (DCA) experienced a significant cyberattack on its systems, which lasted approximately an entire month. This gave the threat actor an extended period to compromise the healthcare organization’s servers and extract the private and confidential information of around one million patients. 

This is just another example of how vulnerable the healthcare industry is to cyber criminals looking to exploit security weaknesses. Healthcare organizations are prime targets for threat actors who are fully aware that their targets are invested in keeping their systems and businesses up and running efficiently and securely. This is especially critical in protecting patient privacy and data, particularly when it comes to impacting life-saving information and equipment.

The incident

The cyberattack on the DCA was launched between Sept. 18 and Oct. 11, 2020. During the month of the breach, a cybercriminal was able to access various confidential files, including patient data such as names, contact details, treatments, diagnoses, patient account numbers, their dentist’s names as well as billing details and health insurance data. In 10 percent of the cases, bank account numbers also were compromised, making this the second-largest reported attack that year. 

The attack resulted in a class-action lawsuit, which ended in a $3 million settlement against the DCA. The DCA was accused of negligence for its failure to protect and maintain its systems and infrastructure against breaches, and for failing to implement proper security monitoring. It also was cited for neglecting to upgrade its security measures and to implement proper cybersecurity hardware and software, as well as adequately train its employees. As a result, patients feared an increased risk of fraud. 

While it was not publicized how the attacker gained initial access to the company’s network, plaintiffs argued that it was the DCA’s poor cybersecurity practices that exposed them to the risk of identity theft and fraud. 

Unfortunately, this is not the only case in which an organization has been sued over alleged negligence. Eye Care Leaders was accused of concealing multiple ransomware attacks in 2021, which resulted in a provider-led lawsuit. Not only does this highlight the frequency of attacks on healthcare organizations, but it also underscores the immense cost that is associated with failing to understand risk and provide adequate cybersecurity protocol and measures. Just a single security incident can lead to reputational damage and significant financial losses. This is further exacerbated by the consequences of breaches of confidential patient and client information.

Both cases are windows into the high-stakes cyber risk landscape for healthcare providers and payers, particularly when it comes to an organization’s being fined by the federal government for HIPAA violations. 

Cyber risk in healthcare

In 2021 alone, the healthcare industry was hit with 849 cyber incidents, 571 of which were confirmed breaches in which private data had been accessed, according to the Verizon Data Breach Investigations Report. This placed healthcare in eighth place for industries targeted by attacks, and in third place for number of data breaches, out of a total of 21 categories in the Verizon report.

By using past cyber events and parameters such as revenue, number of employees and number of database records, it is possible to estimate a quantified value of risk to which companies are exposed. By using benchmark values, one can deduce that the healthcare industry shows relatively higher rates of reported breaches in comparison to other sectors (though that is in part driven by stronger data privacy policies and required reporting for smaller incidents to meet federal regulations). There is a 9.3 percent overall probability of an annual incident targeting this industry.

The probability of incidents happening in a year and the estimated cost by risk category within healthcare is as follows:

  • Insider Error: probability 29.95 percent, cost $73.6 million
  • Insider Misuse: probability 24.99 percent, cost $47.2 million
  • Basic Web Application Attacks: probability 9.19 percent, cost $42.1 million
  • System Intrusion: probability 4.83 percent, cost $5.4 million
  • Social Engineering (Phishing, etc.): probability 3.80 percent, cost $6.6 million
  • Denial of Service (DoS): probability 2.19 percent, cost $7.5 million
  • Ransomware: probability 3.85 percent, cost $929.9 thousand

In quantifying the risk, healthcare organizations can better calculate their risk appetite and allocate spending more efficiently to bolster security where needed. This not only will increase overall cybersecurity, it also will reduce wasted spending on protecting infrastructure that isn’t as vulnerable or may not need as strong measures as other areas. 
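The probability-times-impact view of risk, applied to the category figures quoted above, as an added example that is not RiskLens code and not the FAIR standard itself. It assumes (constructed assumptions, not from the article) that the quoted cost is the loss magnitude when that category's incident occurs in a year and that categories occur independently; the Monte Carlo loop is a deliberately simplified version of a FAIR-style loss distribution.

```python
"""Added example: risk = probability x impact, applied to the per-category
figures quoted above, plus a small Monte Carlo loss distribution in the spirit
of a FAIR-style analysis. Not RiskLens code. Assumptions (constructed, not from
the article): the quoted cost is the loss magnitude when that category's
incident occurs in a year, and categories occur independently."""
import random
from statistics import mean

# Annual incident probability and cost per category, as quoted in the article.
CATEGORIES = {
    "Insider Error": (0.2995, 73_600_000),
    "Insider Misuse": (0.2499, 47_200_000),
    "Basic Web Application Attacks": (0.0919, 42_100_000),
    "System Intrusion": (0.0483, 5_400_000),
    "Social Engineering": (0.0380, 6_600_000),
    "Denial of Service": (0.0219, 7_500_000),
    "Ransomware": (0.0385, 929_900),
}


def annualised_loss_expectancy(categories=CATEGORIES):
    """Risk per category as probability x impact, ranked highest first."""
    ale = {name: p * cost for name, (p, cost) in categories.items()}
    return sorted(ale.items(), key=lambda kv: kv[1], reverse=True)


def budget_share(categories=CATEGORIES):
    """Fraction of total expected loss each category contributes; a first cut
    at spending on controls in proportion to where the risk actually sits."""
    ale = dict(annualised_loss_expectancy(categories))
    total = sum(ale.values())
    return {name: value / total for name, value in ale.items()}


def simulate_annual_loss(categories=CATEGORIES, years=20_000, seed=1):
    """Monte Carlo: in each simulated year every category fires independently
    with its probability and adds its cost. Returns (mean loss, 95th
    percentile loss); the percentile shows what a single expectancy hides."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for p, cost in categories.values():
            if rng.random() < p:
                total += cost
        losses.append(total)
    losses.sort()
    p95 = losses[int(0.95 * (years - 1))]
    return mean(losses), p95


if __name__ == "__main__":
    for name, value in annualised_loss_expectancy():
        print(f"{name:32s} expected annual loss ${value:>14,.0f}")
    avg, p95 = simulate_annual_loss()
    print(f"simulated mean ${avg:,.0f}, 95th percentile ${p95:,.0f}")
```

With these inputs the two insider categories dominate the expected loss and the ransomware category, despite its headline visibility, ranks last; the 95th-percentile year is roughly three times the mean because it is the year in which both insider categories fire. That gap between expectancy and tail is the argument for budgeting against a distribution rather than a single number.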

Bolstering cybersecurity 

In order to prevent falling victim to a cyberattack and avoid being entangled in costly lawsuits, organizations should foster a strong cybersecurity culture and be aware of the risk to which they could be exposed as well as the potential value associated with it. In addition to increasing overall visibility over devices on and connections to the network, expanding cyber threat awareness training for staff and implementing multi-factor authentication, organizations should know their risk. 

What does this mean? Understanding risk can best be done by quantifying its value. By using an international standard, such as FAIR (Factor Analysis of Information Risk™), organizations can estimate their risk financially, which allows them to better implement cybersecurity strategies according to where higher risk exists.  They can allocate budgets and understand their risk appetite more thoroughly as it allows them to see how much different risks could cost the business. 

Ultimately, quantifying risk would allow organizations to understand what’s at stake and to prepare and invest accordingly. 


About Bryan Smith

Bryan Smith is the CTO of RiskLens, which helps organizations make better cybersecurity and technology investment decisions with software solutions that quantify cyber risk in financial terms. Smith is a broad technologist with over 20 years of software engineering experience. His expertise includes building enterprise scale web applications, cybersecurity, and big data. Smith led the development of RiskLens’ enterprise cyber risk quantification and management platform. Prior to RiskLens, Smith helped build the nation’s first digital archives enabling it to scale 3400% over five years.

IT Infrastructure: Creating A Culture of Security In Your Hospital & Health System
https://hitconsultant.net/2023/05/05/culture-of-security-in-your-hospital/
Fri, 05 May 2023 04:00:00 +0000
Don Kelly, Manager of the Virtual Information Security Program at Fortified Health Security

It’s a fact: More than 80% of data breaches involve a human in some way. That could involve someone falling for a spear-phishing campaign designed to solicit credentials, clicking on a malicious link, or a simple error that leaves a security vulnerability open to bad actors. Creating a culture of security in your organization will keep security at the forefront of everything from operations to care delivery.

Monitoring and maintaining the security of IT infrastructure is often overemphasized within hospitals and health systems, while the human side of reducing risk is often under-emphasized. And unlike APIs, software, and technology hardware, employees can’t be patched; they can’t be reconfigured; and they can’t be reset after making a mistake.

The answer is training, continual training to help create a culture of security within your hospital or health system. But with so many competing training programs — everything from HIPAA and regulatory compliance to handwashing and job-specific training — it’s difficult to break through the noise and gain traction. But as the average recovery cost for a healthcare organization after a breach has now passed the $10 million mark in 2022, a 40% increase from 2020, the time for definitive action is now.

If a doctor, nurse, or other hospital employee sees a suspicious package in a hallway, chances are good they will alert the physical security department who will take appropriate measures. But what about a suspicious email? Some IT departments don’t want to know, believing it’s just more work for them. But for every potentially damaging email that’s deleted without taking any action, there could be thousands more in waiting. 

The key to creating a mature and robust security awareness program starts with executive leadership support, followed by continual training to reinforce the security message. Across industries, some companies have a dedicated position for security awareness or give an existing IT person some additional duties as a security awareness officer. With continued IT staffing shortages in healthcare, that might not be possible, so consider outsourcing security awareness and training to a vendor well-versed in the unique nature of healthcare.

Some healthcare organizations are minimally training their staff for compliance, hoping it will be sufficient. But minimal training delivered once a year can’t address the dynamic nature of cyber threats, which are continually evolving. As organizations harden their security posture in response to specific threats, new threats emerge that companies may not be aware of.

Two recent emerging threats:

  1. Last August, the FBI warned healthcare organizations about a fraud scheme where scammers impersonate law enforcement or government personnel, targeting specific individuals to extort money or steal personally identifiable information. The scammers spoof authentic phone numbers and use names of real security personnel, informing the target they missed a court date and owe a fine or are subject to arrest unless they comply.
  2. The following month, a new, sophisticated phishing attack was revealed, using multiple fake email accounts to trick a user into believing he/she is part of a conversation among colleagues. Called multi-persona impersonation, multiple interactions take place to convince the target the conversation is real before a malicious link is sent. The “grooming” process can take weeks, underscoring the lengths hackers will go to steal information.

The SANS Institute, a leading authority on cybersecurity training, certifications, and resources, recommends monthly training noting, “Organizations that engage and train their workforce only annually or on an ad hoc basis cannot effectively change behavior and are thus stuck at the compliance level, checking the box.” The information security organization recommends monthly training that’s “communicated engagingly and positively that encourages behavioral change” to help employees understand the importance of cybersecurity so that they will actively recognize, prevent, and report incidents.

Training doesn’t have to be overly formal. Some of the most effective training involves humorous videos depicting fictional hospital employees failing at HIPAA security or allowing someone to openly walk through administrative areas simply because they have an official-looking badge. This kind of training connects with trainees, offering better retention and creating an “a-ha!” moment when they are later faced with a similar situation.

To make it more fun, you might hold a prize drawing among those who report a potential security incident during a certain time period. The key is a constant drumbeat of training that helps create the culture of security that healthcare organizations need.

To build on the training, phishing exercises carried out by your organization’s security group can help gauge the effectiveness of the training. Users who struggle with identifying phishing scams should receive additional training. Phishing training is complex and requires purpose-built tools, such as education software designed to be impactful, but also something employees don’t dread. Phishing education software can also give IT tools to create fake emails, and some vendors provide dashboards or other metrics to determine effectiveness by employee or department. Third-party vendors can also conduct phishing campaigns on behalf of organizations.

It’s recommended that each employee is phished at least once a quarter. Some healthcare organizations phish everyone during a limited time, which can create bottlenecks for IT staff. Consider a drip email campaign of weekly or bi-weekly emails that phish each employee quarterly.
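The drip campaign described above, as an added example that is not Fortified Health Security's code: a scheduler that spreads a staff roster across the quarter's send weeks so every employee is tested exactly once per quarter and IT's weekly follow-up load stays even, plus a helper that flags repeat clickers for the additional training the article recommends. The employee roster and click history are constructed.

```python
"""Added example (not Fortified Health Security's code): a drip schedule for
quarterly phishing simulations, so every employee is tested exactly once per
quarter and IT's weekly follow-up load stays even, plus a helper that flags
repeat clickers for extra training. Roster and click history are constructed."""
import random
from collections import Counter


def drip_schedule(employees, weeks=13, cadence_weeks=1, seed=None):
    """Spread employees over the quarter's send weeks.

    weeks          number of weeks in the quarter (13)
    cadence_weeks  1 for weekly sends, 2 for bi-weekly
    Returns {week_index: [employees]} with each employee in exactly one batch.
    """
    rng = random.Random(seed)
    staff = list(employees)
    rng.shuffle(staff)  # random order so one department is not hit in a block
    send_weeks = list(range(0, weeks, cadence_weeks))
    schedule = {w: [] for w in send_weeks}
    for i, person in enumerate(staff):
        schedule[send_weeks[i % len(send_weeks)]].append(person)
    return schedule


def coverage_ok(schedule, employees):
    """True if every employee appears in the schedule exactly once."""
    counts = Counter(p for batch in schedule.values() for p in batch)
    return set(counts) == set(employees) and all(c == 1 for c in counts.values())


def max_weekly_load(schedule):
    """Largest batch: the most follow-ups IT must handle in any one send."""
    return max(len(batch) for batch in schedule.values())


def flag_for_retraining(history, min_failures=2):
    """history maps employee -> list of per-exercise results (True = clicked).
    Returns, sorted, the employees who clicked at least min_failures times."""
    return sorted(name for name, results in history.items()
                  if sum(1 for clicked in results if clicked) >= min_failures)


if __name__ == "__main__":
    staff = [f"user{i:03d}" for i in range(100)]  # constructed roster
    weekly = drip_schedule(staff, weeks=13, cadence_weeks=1, seed=7)
    print("weekly sends:", len(weekly), "max per send:", max_weekly_load(weekly))
    biweekly = drip_schedule(staff, weeks=13, cadence_weeks=2, seed=7)
    print("bi-weekly sends:", len(biweekly), "max per send:", max_weekly_load(biweekly))
    history = {"user001": [True, True, False], "user002": [False, False, True]}
    print("needs extra training:", flag_for_retraining(history))
```

For a 100-person roster the weekly cadence caps follow-up work at 8 people per send, the bi-weekly cadence at 15, which is the trade-off the article points to between a smooth IT workload and fewer campaign launches. Reseed the shuffle each quarter so the same people are not always tested in the first week.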

Creating a culture of security is critical for hospitals and health systems, as important as the physical security of network infrastructure, monitoring network traffic, and maintaining a robust software patching program. Given the tight IT workforce environment and competing demands on existing IT staff, outsourcing a managed security awareness and training program might make sense.


About Don Kelly

Don Kelly is the Manager of the Virtual Information Security Program at Fortified Health Security, healthcare’s cybersecurity partner protecting patient data and reducing risk for healthcare organizations. By partnering with healthcare organizations through a host of managed service offerings and technical security solutions.

MedCrypt Funds Medical Device Usable Security Research at Tufts University
https://hitconsultant.net/2023/04/28/medcrypt-funds-medical-device-usable-security-research-tufts-university/
Fri, 28 Apr 2023 09:46:00 +0000

What You Should Know:

– MedCrypt, Inc., a proactive cybersecurity solutions provider for medical device manufacturers, announced that it is funding a Tufts University School of Engineering fellowship program that will support research into medical device security and threat modeling.

– MedCrypt acknowledges the vital role that evidence-based security practices play in the MedTech industry and recognizes the need to address the existing gaps. Additionally, the organization encourages research initiatives that drive the industry forward. By taking a hypothesis-driven approach, the findings from this research fellowship could inform sustainable, scalable advances in medical device security processes.

– This is not only beneficial but also necessary, as the FDA relies on threat modeling to generate evidence that medical devices have been built with security in mind. Threat modeling artifacts are used to conduct safety risk assessments, which then inform vulnerability surveillance for products in the field.

How Digital Transformation is Accelerating Healthcare and the Impact on Hospitals in the Future
https://hitconsultant.net/2023/04/28/digital-transformation-hospitals/
Fri, 28 Apr 2023 04:00:00 +0000
Dave Bennett, CEO of pCare

The pandemic has accelerated the adoption of digital health technologies across the healthcare industry. Digital transformation is now the top priority for many healthcare leaders as they seek to build resilient systems. At its core, this means implementing emerging digital technologies to modify essential operations, processes, and services to ease staff workload and withstand future challenges.

The primary drivers of digital transformation are consumerism, cost, and experience/expectations, each largely stemming from the pandemic. According to the Deloitte Center for Health Solutions, health systems are considering emerging digital technologies as the conduit to transform their relationship with consumers and increase staff efficiency and satisfaction. In fact, 92% relayed that increased consumer satisfaction and engagement are the top outcomes facilities aim to achieve from digital transformation, followed by improved care quality at 56%. Additional top outcome goals include enhancing the patient experience, IT/cybersecurity, clinical care delivery, and staff satisfaction.

As these goals and digital investments progress, the once golden standard of optimizing healthcare performance has shifted from the Triple Aim (enhancing the patient experience, improving population health, and lowering costs) to the Quadruple Aim, which factors the clinician’s well-being into the equation. Over the last few years, the pandemic has repeatedly demonstrated the effects of clinician burnout and how it impacts the patient experience, health outcomes, and financial costs. As healthcare organizations seek improvements to the patient experience, care quality, and costs, they must also consider the clinician’s well-being. Digital transformation holds the key to fully re-engineering healthcare processes for the better, which will benefit the patients, clinicians, and healthcare organizations overall.

Delivering Value and Operational Efficiency

Digital transformation isn’t about removing the human component but focuses on using technology at each step to optimize the experience for all parties. In healthcare, the transformation means adopting different tools to enable patients to take a more active role in their care journey while also reducing provider involvement in non-clinical tasks to increase their time with patients.

Advanced technology leverages capabilities that keep patients and healthcare professionals better connected, helping to address the Quadruple Aim. In most industries, the customer (or patient) is a significant part of the equation. This can be better mirrored and developed within the healthcare industry through interactive patient care systems leveraging open APIs. This allows added functionality via electronic health records (EHR) and integrations with existing systems such as nurse call, environmental controls, and meal ordering to drive patient satisfaction and operational efficiency. For example, the patient can change the room’s temperature, lower the lights, order a meal, and place a service request without needing facetime with a nurse. These systems give the patient a sense of independence and control in an unfamiliar space and allow staff to remain focused on care, improving healthcare experience and efficiency through digital enhancements. 

Digital Transformation provides new ways to deliver value and can do so in a variety of ways by integrating systems at scale. The benefits of these integrations range from supplying the patient the ability to self-schedule appointments on the front end to staff using advanced analytics and Robotic Process Automation (RPA) to settle claims on the back end. The options are endless with an open API.

The ability to integrate data from different providers and systems into one easy-access platform, also known as interoperability, holds great promise for patient care and staff satisfaction. By leveraging a secure and advanced digital platform, patients can become more involved with their care. Patients can review their health records, check prescriptions, schedule appointments, request additional information from doctors, view lab results, and share health data with their providers. These tools also pair with personal devices, allowing individuals to navigate their health journey easily and safely from the comfort of their own phone, tablet, or even the television anytime, anywhere. 

At the point of care, integrations between the latest television technology and existing HIT applications are cost-effective and open the door to an enhanced patient experience with customized educational materials, easy communication methods, and improved collaboration tools. Integrations on the patient’s in-room television incorporate patients into their care, lowering costs and elevating satisfaction on all levels of the facility. When patients gain easy access to their health data, they’re empowered to make more informed decisions about the kind of care they would like to receive during and after hospital admission. Patients who are actively engaged in their own healthcare journeys see more improvement than passive participants. 

Outcome-Driven Acceleration

Empowering patients and families to be informed partners in their care improves outcomes while creating opportunities for staff to receive real-time patient feedback and make immediate adjustments to improve the patient experience. Digital transformation is accelerating healthcare using a focus on people — this means the patient experience, quality outcomes, and staff satisfaction come first. 

Transparency and open communication between patients, providers, and loved ones are at the heart of the people-focused approach and drives better results. This patient-centric focus must be at the center of every innovation and be based on listening to the consumer with empathy and putting the other person first (patient, family, and clinician). 

For example, innovative technologies that address patient pain points have been frequently leveraged to reduce new barriers. During the height of the pandemic, as necessary infection controls resulted in separation between families and admitted patients, tools such as video chat integrated with the television system in patient rooms were able to return comfort as patients could communicate virtually with their loved ones. This technology continues to be utilized and returns trust between patients and providers, reduces family separation, eases anxiety, and empowers patients and providers to communicate more effectively.

These digital transformations make care delivery more accessible and approachable for all patients. Data-driven solutions that are patient-focused present an engagement roadmap to enhance the experience while preparing the patient and family for smooth transitions throughout the care journey. This shift toward patient-focused cross-continuum care creates opportunities to accelerate mobile-optimized digital care journeys that engage and activate patients before, during, and after care. Digital technology bolsters more efficient care coordination, giving patients the right care and support at the right times in the right settings. With digital transformation, indirect communication and redundancy are eliminated, response times are reduced, and the overall care journey is more efficient. 

The Future of Healthcare

All industries, including healthcare, will continue to transform and advance using digital innovations. The benefits in healthcare are significant, including reducing the amount of siloed data and making health information more accessible to increase efficiency.

As consumerism, costs, experiences, and expectations continue to drive digital transformation, healthcare facilities should select an end-to-end partner with a secure patient engagement system that fully integrates with the existing HIT and helps healthcare teams seamlessly collaborate with patients and families across the care continuum. A trusted service provider will be equipped to deliver value to customers and patients alike in a quickly evolving ecosystem.

Digital transformation is designed to increase staff efficiency and benefit operations while improving patient outcomes and experience. With new ways of delivering value, digital transformation will allow patients, families, and providers to become more connected and ensure better health outcomes.


About Dave Bennett 

Dave Bennett is the CEO of pCare. His visionary approach to patient engagement, digital and mobile technologies, and IT integration ensures continuous innovation of the #1-KLAS ranked pCare platform and a company culture dedicated to delighting customers. Prior to joining pCare, Dave served in a variety of executive roles at ViiMed, GetWellNetwork and StayWell. Dave holds a CISM certificate from ISACA and is an active member of the Healthcare Information and Management Systems Society (HIMSS), the American Health Information Management Association (AHIMA), the Information Systems Audit and Control Association (ISACA), and the American College of Healthcare Executives (ACHE).

Q1 2023 Digital Health Funding Reaches $3.4B Across 132 Deals (https://hitconsultant.net/2023/04/04/q1-2023-digital-health-funding/, Tue, 04 Apr 2023 16:33:43 +0000)

What You Should Know:

  • 2023 started off with the hallmarks of a rebound year. While Q4 2022 signaled the tail end of the digital health funding cycle, January and February funding numbers began to suggest that sector investment was slowly but surely inching back upwards. Inflation was easing ever so slightly. Investors were rediscovering their confidence and launching new projects, signaling optimism in the sector, according to a new Rock Health report.
  • However, recent news—the collapse of Silicon Valley Bank, the seizure of Signature Bank, Moody’s downgrading of bank credit ratings, and another Fed rate hike—was a stark reminder that the choppy waters of 2022 aren’t over yet. 

Key Trends and Insights from Q1 2023 – Digital Health Funding

There’s no denying that Q1 2023’s economic conditions, bank scares, and regulatory changes have digital health startups of all sizes nervous, whether they’re trying to raise their next funding round or waiting for the right time to exit.

The following key trends from Rock Health’s report are a review of the venture, banking, and policy waves breaking within digital health, coupled with insights regarding the volatility of the modern-day regulatory landscape, how the financial market seems different for everyone, and how small-scale startups have it the hardest.

Q1 Funding Soars, But 2023 May Struggle to Catch Up to 2019

Q1 2023 U.S. digital health funding closed with $3.4B across 132 deals, with an average deal size of $25.9M. While this quarter exceeded both Q4 2022’s $2.7B and Q3 2022’s $2.2B funding pots, Q1 isn’t enough to signal a new “bull run.” If funding for the next three quarters matches the average funding across the prior three quarters, 2023 is on pace for the lowest level of annual funding since 2019. The truth remains that the founder-friendly market of 2021 and early 2022 has tilted sharply toward investors.

Notably, within its $3.4B raised, Q1 2023 saw heavy representation of mega deals. After only six digital health raises over $100M across Q3 and Q4 2022 combined, Q1 2023 logged six megadeals from Monogram Health ($375M), ShiftKey ($300M), Paradigm ($203M), ShiftMed ($200M), Gravie ($179M) and Vytalize Health ($100M)—accounting for 40% of the quarter’s total digital health funding.

Silicon Valley Bank’s Collapse

SVB’s collapse nearly precipitated a liquidity crisis in the sector, and concerns circulated that startups might need to engage in distressed debt buys or raise emergency bridges—possibly with “lender-friendly” terms or at slashed valuations—in order to secure working capital. It’s worth pointing out that not all digital health startups carried the risk burden equally. Startups with well-established investors were more likely to have the assurances of cash floats and level-headed perspectives from advisors who have been around the block a few times, while those with greener syndicates were left unsure of whether their own funders could even weather the storm.

After seeing their investors operate in crisis mode this March, several digital health founders may feel compelled to re-evaluate their cap tables and possibly move forward with different investors for future raises. Startups were left with another conundrum after SVB’s collapse—which banking institution to choose next. SVB was known to offer startups loans during high-growth periods and took on companies that were too early to demonstrate product-market fit. While late-stage startups likely have the capital and credit requirements to bank with high-street institutions, nascent teams or those based outside of the US will need to turn to more restrictive and expensive alternatives to establish financial operations and secure loans.

The IPO Market and Q1

Q1 2023 logged another quarter with zero digital health IPOs. Digital health stocks started 2023 trading almost 50% lower than they did at the start of 2021, pushing some recently exited players like Pear Therapeutics to explore going private. No later-stage digital health players felt compelled to venture into IPO territory this quarter, fearing that the market would yield bottom-barrel issue prices.

In December 2022, healthcare data startup Komodo Health raised $200M alongside a restructuring plan that laid off 9% of its workforce. In January, hybrid care provider Carbon Health closed a $100M Series D while also trimming its RPM and chronic care divisions and completing its second round of layoffs. That same month, nurse staffing solution ShiftKey announced its $300M raise, accompanied by a quartet of new executives. Connected fitness startup Tonal is rumored to be pursuing private funding at a $200M-$300M valuation, a nearly 90% decline from the $1.9B valuation it floated back in September 2022.

Regulatory Developments and Adapting Digital Health Startups

If circumstances weren’t treacherous enough, digital health startups are bracing for impending regulatory changes. In Q1 2023, an acronym soup of federal agencies (FDA, CMS, DEA, FTC) announced preliminary steps and timelines for refining policies across digital health. These revised guidelines have far-reaching impacts, affecting telehealth reimbursement, controlled substance distribution, healthcare service pricing and rebates, and patient data management. Top of mind is the announcement to end the COVID-19 public health emergency (PHE), which is slated to expire on May 11, 2023.

In the realm of telehealth delivery—perhaps the biggest area of healthcare expansion during the pandemic—telemedicine will officially lose its status as an excepted benefit, and certain federal penalties for HIPAA non-compliance of telehealth platforms will be reinstated. In alignment with the PHE’s conclusion, other government bodies are rolling back pandemic-era measures. State agencies are beginning to unwind expanded Medicaid coverage in conjunction with the expiration of a 2020 federal provision requiring continuous enrollment.

As states resume disenrollments, anywhere from 5 to 14 million Americans stand to lose Medicaid coverage and associated benefits, with the hardest-hit populations being low-income youth and working individuals without employer-sponsored plan access. In terms of data privacy and security, Congress introduced the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act to regulate companies’ use of health data, the FTC settled investigations into BetterHelp and GoodRx with hefty fines, and the FDA enhanced cybersecurity requirements in regulatory applications for medical devices. Finally, on the billing and coding front, CMS issued its 2024 Medicare Advantage Advance Notice to root out aggressive upcoding practices.

How Hospitals Can Safely & Effectively Continue Patient Care Amid Rising Cybersecurity Risks (https://hitconsultant.net/2023/03/14/hospitals-patient-care-cybersecurity-risks/, Tue, 14 Mar 2023 15:09:13 +0000)
Andrew Brooks, M.D., Co-Founder and CMO at TigerConnect

The world we live in is becoming increasingly integrated, and as it does, the amount of data also increases. It is estimated that 2.5 quintillion bytes – that’s 2,500,000,000,000 million, for perspective – are created, captured, and shared every day, and experts predict that number will grow exponentially in the coming years. Estimates show that the healthcare industry generates about 30% of the world’s data volume. That number is expected to reach a compound annual growth rate of 36% within the next few years. This is no surprise; electronic health data can improve the speed and quality of care by giving providers easy access to a patient’s medical history, medications, test results, diagnoses, and treatment plans. 

Unfortunately, the compounding growth presents vast opportunities for those with malicious intentions to wreak havoc through cyberattacks on healthcare systems. The surge in cyberattacks in recent years has strained IT departments and highlighted vulnerabilities in electronic health record (EHR) systems that store sensitive protected health information (PHI). Ransomware, malware, and other malicious attacks have disrupted service operations, damaged system integrity, and shut down means of communication across health systems – all of which put patient safety at risk. 

The potential damage caused by a successful attack on an EHR could be catastrophic, not only in terms of financial loss but the loss of patient data, disrupted communication and care delivery, and reputational damage. With so much at stake from these malicious cyberattacks, healthcare organizations must take proactive steps to protect their systems from hackers and other threats. Thus, there is an urgent need for healthcare IT professionals to develop robust security protocols and find solutions to safeguard against such threats and ensure care teams can communicate in the event of an attack to reduce risks to patients.

Maintaining Care Team Communication During a Cyberattack

The effectiveness of EHRs as a means of communication for healthcare professionals has been called into question because their original purpose was primarily to serve as systems of record and revenue cycle management tools. This has led to an increased emphasis on finding new ways of securely sharing information that do not rely solely on the EHR and, in fact, augment the ability to use the data within it. With hackers continually improving their methods, the industry must step up its focus on protecting patient information. As cyberattacks against EHRs specifically grow in frequency and magnitude, organizations need to develop robust strategies for safeguarding data, including exploring alternate means of communication and collaboration outside the scope of EHRs as part of overall security plans in the event of a cyberattack or another emergency. 

With the explosive growth of data in the healthcare industry, effort must be placed on bolstering security measures. Unfortunately, cybercriminals have done a masterful job of recognizing and taking advantage of vulnerabilities, leveraging them for ransom, or selling sensitive information on the dark web. Healthcare organizations rely heavily on EHRs to acquire and store patient data. Still, the structural limitations of an EHR make it incredibly challenging to continue providing that care should the EHR be compromised.

Transformative Solutions

A growing number of healthcare organizations have turned to advanced clinical communication and collaboration (CC&C) platforms to address the structural limitations of EHRs and ensure they can continue to deliver high-quality care in an emergency. These workflow solutions not only integrate with hospital systems like EHRs but also work outside of them and remain operational in the event of an outage. Additionally, cloud-based CC&C platforms offer data encryption and are HIPAA-compliant to protect patient data. Furthermore, they can auto-delete messages after a set period and even remotely wipe devices, an invaluable feature considering the rise in malicious attacks on healthcare organizations using sophisticated techniques. 

Along with encryption, these systems provide additional functionality such as scheduling, patient engagement, alarm management, and event notification, all without sacrificing user experience. When implemented alongside advanced security strategies, CC&C solutions help organizations keep patients and their data safe, streamline critical workflows, and protect patient information from malicious actors. This enables cross-functional teams to focus on improving patient outcomes and allows healthcare organizations to offset the threat of cybercrime with more robust patient data security and optimal care delivery in an emergency. With cyberattacks becoming increasingly sophisticated and difficult to combat, CC&C platforms have become essential for strengthening security measures, protecting critical data, and ensuring the safe operation of critical systems in the healthcare industry. 

It has never been more critical to have the right platform in place – and now is the time for healthcare organizations to take steps toward bolstering their defenses against cyberattacks.



About Andrew Brooks, M.D.

Andrew A. Brooks, M.D., is a fellowship-trained, board-certified orthopedic surgeon. He currently serves as the chief medical officer at TigerConnect, a company he co-founded in 2010 to revolutionize healthcare workflow and productivity. He has authored numerous peer-reviewed articles and book chapters in his field of interest. In addition to his work at TigerConnect, Dr. Brooks is also a managing partner for 111 West Capital; his primary focus is early-stage healthcare software businesses. Dr. Brooks is board certified by the American Board of Orthopedic Surgery and is a Fellow of the American Academy of Orthopedic Surgeons.

The Rise of Fourth-Party Risk in Healthcare––And How to Combat It (https://hitconsultant.net/2023/02/28/the-rise-of-fourth-party-risk-in-healthcare/, Tue, 28 Feb 2023 05:00:00 +0000)
Brian Selfridge, Healthcare Cybersecurity & Risk Leader at CORL Technologies

In recent years, a wave of high-profile cyber attacks has shaken the healthcare industry to its core. Sensitive data has been breached; essential services have been forced offline; and healthcare providers have found themselves faced with unhappy customers and unsympathetic regulators.

As a result, many in the healthcare industry are now familiar with third-party vendors and the risks they pose. This is a positive development, but it is also insufficient. Because the fact is that any comprehensive understanding of healthcare security needs to factor in fourth-party vendors as well.

Consider this blog post a guide to everything you need to know about fourth-party vendors and the risks they pose. Below, in addition to setting definitions, we’ll outline current risk mitigation models and challenges, and suggest innovative solutions.

Fourth-party risk management: a quick definition

To understand what fourth-party vendors are, let’s start by getting a handle on third-party vendors.

Around fifteen or twenty years ago, healthcare organizations began the long, arduous process of moving from paper to electronic health records. To accommodate these oceans of paperwork, healthcare organizations began enlisting the services of third-party cloud and SaaS companies. And over the last decade or so, as it became commonplace to share large volumes of electronic patient data outside of healthcare entities for research, optimization, debt collection, and more, an unprecedented amount of sensitive patient data began to be hosted on third-party servers.

The serious risks that this presents are well-known. Less discussed are the fourth-party vendors that these third-party vendors work with, and how a breach of one of those can have equally dire effects. The fourth-party vendors used by third-party vendors––like Adobe, Microsoft, Auth0, Okta, etc.––are just as vulnerable to being breached, and cyber-criminal gangs and nation-states like Russia have taken serious notice of this. The fact is that a single compromised fourth-party vendor can lead to the compromise of thousands of organizations.

Cyber-criminal syndicates are continually on the lookout for thus-far-unexploited vulnerabilities; if there is an unmonitored opening, you can be sure they will pour right in. This is particularly troubling in the case of fourth-party vendors, as once an organization has been compromised in this way, malicious actors are then free to launch a variety of attacks including ransomware, data theft, extortion and more. Recent examples of this can be seen with the Log4j, SolarWinds, and Microsoft Exchange breaches.

A troubling lack of transparency

Hearteningly, in recent years healthcare organizations have taken a serious interest in data protection, devising vendor risk management (VRM) programs to help guard against third-party breaches. At the same time, though, very little effort has been made to manage fourth-party risks; it can sometimes feel like they’re not even on the radar.

Making matters worse is the fact that healthcare entities have little to no transparency when it comes to fourth-party vendors. It is often impossible for them to know, when a fourth-party breach occurs, which specific third-party vendors have been affected; accordingly, it’s nearly impossible for them to take proper action. Alarmingly, the third-party vendors themselves often have a limited idea of the extent of their vulnerability, as many fail to maintain accurate inventories of their own supply-chain vendors or products. During a breach event, this can lead to utter chaos, with no party––not the third-party vendor, not the healthcare organization––able to accurately assess and fix the problem.

Innovative solutions to the fourth-party problem

Obviously, this problem isn’t limited to healthcare organizations: any entity that enlists the help of third-party vendors is at risk during a fourth-party breach. Accordingly, the US government has begun to proactively address the problem, with President Biden issuing an executive order on supply chain risk last year in response to the catastrophe of the SolarWinds attack. This executive order and other recent initiatives have gone some way towards remedying the extreme unpreparedness of most industries when it comes to fourth-party breaches.

Key to Biden’s order is something called a Software Bill of Materials, or SBOM. An SBOM is, essentially, an ingredients list for software or hardware: it lists in detail every single third- and fourth-party software component used to deliver a given product or solution, allowing affected entities to act quickly to remedy the situation in the event of a breach.

So a simplified SBOM might look like:

  • Operating system: Microsoft XP
  • Java (version x.x)
  • Apache (version x.x)
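As an added example, not code from the article or from CORL Technologies, the check below shows how a hospital could use the SBOMs it receives from third-party vendors to answer the question a fourth-party breach raises: which of my vendors' products contain the affected component? The SBOM documents follow the CycloneDX JSON layout; vendor names, products, component versions and the advisory's version range are all constructed for illustration.

```python
"""Map a fourth-party component advisory onto third-party vendor SBOMs.

Everything below is constructed for illustration: vendor names, products,
component versions and the advisory's version range are assumptions, not
data from the article or from any real advisory.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed SBOMs as a hospital might receive them from three hypothetical
# third-party vendors (CycloneDX-style JSON). Each components[] entry is a
# fourth-party dependency of that vendor's product.
VENDOR_SBOMS: Dict[str, str] = {
    "ClaimsPortal 4.2 (Vendor A)": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.13.0"},
        ],
    }),
    "PatientTV 7.0 (Vendor B)": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.17.1"},
            {"type": "library", "name": "openssl", "version": "3.0.7"},
        ],
    }),
    "NurseCall Gateway 2.1 (Vendor C)": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            # Pre-release tag: cannot be ordered numerically, must be reviewed.
            {"type": "library", "name": "log4j-core", "version": "2.0-beta9"},
        ],
    }),
}

# Constructed advisory: versions in [introduced, fixed) are affected.
# The range is illustrative only, not the published range for any real CVE.
ADVISORY = {"component": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"}

_DOTTED_NUMERIC = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Optional[Version]:
    """Parse '2.14.1' into (2, 14, 1); return None for pre-release tags or
    vendor suffixes so the caller flags them for review instead of guessing."""
    if not _DOTTED_NUMERIC.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def in_range(version: Version, introduced: Version, fixed: Version) -> bool:
    """True when introduced <= version < fixed, comparing element-wise with
    missing trailing parts treated as zero (so '2.0' equals '2.0.0')."""
    width = max(len(version), len(introduced), len(fixed))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(introduced) <= pad(version) < pad(fixed)


def classify_component(version_text: str, advisory: dict) -> str:
    """Return 'affected', 'not affected', or 'review' for one component version."""
    version = parse_version(version_text)
    if version is None:
        return "review"
    introduced = parse_version(advisory["introduced"])
    fixed = parse_version(advisory["fixed"])
    return "affected" if in_range(version, introduced, fixed) else "not affected"


def assess_exposure(sboms: Dict[str, str], advisory: dict) -> Dict[str, List[Tuple[str, str]]]:
    """Return {product: [(version, status), ...]} for every product whose SBOM
    lists the advisory's component; products without it are omitted."""
    exposure: Dict[str, List[Tuple[str, str]]] = {}
    for product, document in sboms.items():
        bom = json.loads(document)
        for component in bom.get("components", []):
            if component.get("name") != advisory["component"]:
                continue
            version = component.get("version", "")
            status = classify_component(version, advisory)
            exposure.setdefault(product, []).append((version, status))
    return exposure


if __name__ == "__main__":
    for product, findings in assess_exposure(VENDOR_SBOMS, ADVISORY).items():
        for version, status in findings:
            print(f"{product}: {ADVISORY['component']} {version} -> {status}")
```

Vendor B drops out as not affected, Vendor A is flagged, and Vendor C's pre-release version string is surfaced for manual follow-up rather than silently misclassified.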

Beyond SBOMs, a number of solutions have arisen in recent years to help mitigate the risk of fourth-party breaches. These include leveraging existing assessment data on fourth-party suppliers to identify known exposures; conducting targeted reach-out campaigns to third-party vendors to get a better sense of how they use fourth-party products; and tracking and reporting risk exposure and remediation status to customers.

For healthcare workers just wrapping their heads around third-party breaches, the introduction of an entire new category of risk might seem overwhelming. But it’s important to stress that this isn’t some peripheral risk––it’s not secondary to third-party risk. A fourth-party breach can be just as destructive and cause equally lasting damage. Staying on top of those risks––through SBOMs and the countless mitigation procedures currently coming into wide use––is not simply an option: when it comes to staving off catastrophe and keeping patient data safe, it’s a necessity.


About Brian Selfridge

Brian Selfridge is the Healthcare Cybersecurity & Risk Leader at CORL Technologies, the leading provider of risk management solutions for healthcare.

New Healthcare H2 2022 Data: Reported Breaches Trend Down, But Individuals Affected Skyrocket by 35% to Nearly 29M (https://hitconsultant.net/2023/02/24/healthcare-h2-2022-data/, Fri, 24 Feb 2023 18:19:47 +0000)

What You Should Know:

  • Critical Insight, the Cybersecurity-as-a-Service provider specializing in helping critical organizations Prepare, Detect, and Respond in today’s threat environment, has released its H2 2022 Healthcare Data Breach Report, which analyzes breach data reported to the U.S. Department of Health and Human Services by healthcare organizations.

  • The number of data breaches affecting healthcare providers declined in the second half of 2022, consistent with a downward trend over the past two years. A deeper dive into the data, however, reveals that current breach totals are still higher than pre-pandemic levels, that breaches are affecting more individuals, and that hackers are shifting tactics to attack weak links in the healthcare supply chain, most notably EHR systems.

Key Findings From the Healthcare Data Breach Report, 2H 2022

The report shows that while the number of data breaches affecting healthcare providers declined in the second half of 2022, the number of individual records exposed by these breaches increased by 35%. The report also highlights the evolving tactics of hackers and the need for healthcare organizations to prioritize preparation, detection, and incident response.

Key Findings: 

● Breach numbers are down: Total breaches dropped 9% between the first six months of 2022 and the year’s second half, and have been declining since the pandemic-era high-water mark of 393 breaches in the second half of 2020, down to 313 in the latest reporting period.

● Records affected are up: The number of individual records exposed by breaches skyrocketed by 35% in the second half of 2022 to hit 28 million. In other words, fewer but more significant breaches reflect consolidation within the industry and the evolving tactics of attackers.

● Hacking remains high: Most data breaches are due to hacking. Healthcare organizations have done an excellent job of shoring up their policies around handling and storing medical records. Hacking accounted for 79% of all incidents and 84% of individual records exposed in 2022.

● Most common breach causes: Unauthorized access/disclosure now affects more records per breach than any other breach type. On average, the number of individuals affected per unauthorized access/disclosure breach spiked from 5,700 in the first half of 2022 to over 143,000 in the second half. By comparison, the average number of individuals affected per hacking breach grew from 73,900 to 87,000 in 2022.

● Who’s getting breached?: Attackers continue to attack hospitals but have found increasing success targeting business associates and third-party vendors such as electronic medical record providers, lawyers, accountants, billing companies, and medical device manufacturers. In the second half of 2022, more records were exposed due to breaches at business associates (48%) than actual healthcare providers (47%). 

● What we’re watching: Attacks against EMR systems, which were non-existent in past years, spiked to 7% of breaches in the first half of 2022 and 4% in the second half of 2022. For the full year 2022, EMR-related breaches accounted for 6 million individual records exposed.

“As the healthcare industry continues to face a rapidly evolving threat landscape, it’s crucial for organizations to stay ahead of the curve and stay prepared,” said John Delano, Healthcare Cybersecurity Strategist at Critical Insight and Vice President at CHRISTUS Health. “Our latest H2 2022 Healthcare Breach Report highlights the shifting tactics of attackers, who are now targeting smaller entities with weaker cyber defenses. Organizations must stay vigilant and proactively defend against these threats to protect patient data and maintain the trust of their patients and the public.”

This report provides valuable insights into the current state of healthcare breaches and the need for organizations to implement a comprehensive security strategy, including risk assessments, third-party risk management, and incident response planning.

Top Security Certifications Required for Data Protection (https://hitconsultant.net/2023/02/10/top-security-certifications-required-for-data-protection/, Fri, 10 Feb 2023 05:00:00 +0000)
Paul Banco, CEO of etherFAX   

How secure is your data? If your organization does not have the right security certifications in place, it’s not a matter of if a data breach will occur – but when. A lack of regulatory compliance, network and technical vulnerabilities, unencrypted information, unsecured mobile devices, and weak credentials all play a part in putting a healthcare organization at risk for a data breach. 

Today, the cost of a data breach comes with a hefty price tag – an average of $9.44 million in the U.S. alone, according to IBM Security’s 2022 Cost of a Data Breach Report. Not surprisingly, the healthcare industry gets hit the hardest, with an average of $10.1 million per data breach.

In just the first six months of 2022, the healthcare sector suffered about 337 breaches according to Fortified Health Security’s mid-year report. More than 19 million records were implicated. In addition to the monetary costs stemming from a data breach, organizations also face remediation activities, regulatory inquiries, service disruptions, and a hit to their reputation.

How Can a Data Breach Be Prevented?

The first step in preventing a data breach is to utilize solutions and services that meet strict regulatory compliance standards. Cloud-based fax solutions, for example, make it possible for organizations to keep pace with the myriad of PHI and business-critical information being transmitted every day while offering more security and reliability than email and traditional fax machines ever could.

When choosing a cloud-based fax service provider, it’s essential for healthcare organizations to verify that their chosen provider meets or exceeds the HITRUST CSF, PCI DSS, and SOC 2® cybersecurity framework criteria, thus ensuring that all regulatory compliance standards for data protection are met. Here’s a quick overview of each framework and standard:

HITRUST CSF – The HITRUST Common Security Framework (CSF) has become the gold-standard compliance framework in the healthcare industry, as it addresses the requirements of existing standards and regulations including HIPAA, PCI, COBIT, NIST, ISO, FTC Red Flag, and state laws.

PCI DSS – The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that helps organizations protect their payment systems from data breaches, fraud, and theft of cardholder data. 

SOC 2® – The voluntary compliance standard Service Organization Control (SOC) 2, developed by the American Institute of CPAs (AICPA), specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

Show Me Your Certifications

The days of an organization simply saying “We are HIPAA compliant” without proving it are long gone. Self-attestations or self-audits should be a red flag to any organization that processes confidential information. 

Organizations must require their cloud vendors to be third-party audited. Independent software vendors (ISVs) that offer products utilizing cloud services must also do their due diligence and ensure that their cloud services provider has third-party certifications such as HITRUST or PCI DSS compliance to protect their customers’ data and their reputation as a trusted vendor. 

Multiple defense-in-depth controls should also be built into the technology, such as end-to-end encryption over the internet, to guarantee that patient data and business-critical information remain protected. Encrypting data both in transit and at rest can ward off data breaches and keep sensitive information such as social security and credit card numbers off the dark web. Even if a cybercriminal were able to access the data, it would be indecipherable. Most importantly, end-to-end encryption schemes allow secure transmissions even over unsecured channels.

If you’re ready to protect your organization from data breaches, it’s easier than you think – choose a cloud-based fax provider that is HITRUST CSF and PCI DSS certified, ensuring HIPAA and SOC 2 compliance. While it may cost the provider a significant amount of money and time to ensure that these rigorous regulatory compliance standards are met, the right provider knows that’s worth every penny to prevent a cyberattack and the ripple effect it has on customer trust and your company’s reputation.


About Paul Banco

As CEO of etherFAX, Paul Banco is responsible for the strategic direction of the company and leads technology development, including the patented etherFAX and etherFAX SEN intellectual property. In 2009, he identified the need to leverage the cloud for secure document delivery and co-founded etherFAX with fellow telecom industry veterans.
