Original source: GigamonTV
This video from GigamonTV covered a lot of ground. Eight segments stood out as worth your time. Everything below links directly to the timestamp in the original video.
Understanding the new cybersecurity landscape is crucial for anyone involved in healthcare, as the threats are evolving, and the stakes for patient safety and financial stability have never been higher.
State-Level Threats Drive New Cybersecurity Urgency for Healthcare
Healthcare institutions face an escalating cybersecurity threat from state-level actors, moving beyond individual hackers, according to Steven Goodro. These sophisticated adversaries are dedicated to disrupting operations and extracting value, with cyber events now costing an average of $10 million per breach. Beyond financial impact, these incidents have led to documented negative patient outcomes, underscoring the critical need for robust security measures.
The shift to state-sponsored or sanctioned threat actors fundamentally changes the risk landscape for healthcare, demanding a proactive approach to security. Goodro emphasizes that improving cybersecurity is no longer merely a compliance exercise but a strategic imperative to become a more resilient target and safeguard patient care.
"We're not doing it just for the sake of doing it. We're doing it because it's going to lead to better security outcomes or make us a harder target."
Healthcare Tech's 'Uptime First' Design Poses Security Challenge
The healthcare industry's technology infrastructure was historically designed with a primary focus on resiliency and continuous uptime, rather than inherent security, according to Steven Goodro. This foundational bias means many legacy systems and data protocols, some 30 to 40 years old, are not inherently secure, creating vulnerabilities that modern threat actors can exploit. This necessitates a fundamental shift in how security is integrated into new technology acquisitions, particularly for medical IoT devices.
Goodro advocates for embedding security planning from the outset when acquiring new products, rather than treating it as an afterthought. For instance, when purchasing new medical IoT fleets, organizations must understand device communication pathways, data flow, and remote connections. This proactive approach is essential for building a more secure and resilient healthcare ecosystem, moving away from simply installing a device and adding a password.
"It's no longer good enough to just buy something, turn it on, put a password on it, and go. We're going to have to start planning security into these."
Protected Health Information Tops Hacker Target List, Outpacing Financial Data
Protected Health Information (PHI) has become the number one target for cyber threat actors, surpassing financial data, according to Samantha Jocks. While consumers often assume bank card data is the prime target, PHI is far more valuable to criminals because, unlike a credit card number that can be easily changed, health information is nearly impossible to alter once compromised. This permanence makes PHI a highly sought-after asset on the black market.
This insight underscores the critical need for government and healthcare entities to prioritize cybersecurity and strengthen regulations like HIPAA. Despite clear recommendations for enhanced security, Jocks notes that political transitions, such as the shift between presidential administrations, can delay the finalization and implementation of these crucial cybersecurity measures, leaving sensitive patient data vulnerable.
"Unfortunately, it's nearly impossible for us to change our health information. And so that information is actually much more useful for threat actors."
Proposed HIPAA Changes Face 'Astronomical' 180-Day Implementation Challenge
Proposed updates to HIPAA regulations, if finalized, would impose a standard 180-day implementation period on healthcare organizations, a timeframe deemed "astronomical" and insufficient by Samantha Jocks. This period, dictated by federal rule 45 CFR 106.105, would require covered entities to implement hundreds of pages of new requirements, including comprehensive inventories, network segmentation, compliance audits, and notification protocols. Jocks stresses that successfully completing these complex tasks within six months is practically impossible.
Specifically, Jocks highlights network segmentation as an example of a requirement that typically takes far longer than 180 days to implement fully. While organizations might initiate the process, achieving complete implementation within such a tight deadline is unrealistic. The sheer volume and complexity of the proposed changes would place an unprecedented burden on healthcare organizations, potentially leading to widespread non-compliance and continued vulnerability.
"The onus on organizations to do that would be astronomical in my opinion. The effort and energy to undertake and do that is astonishing."
Despite Timeline Objections, Core HIPAA Recommendations Are Sound Security Practices
While many healthcare organizations have expressed significant objections to the proposed HIPAA rule's implementation timeline, the underlying security recommendations themselves are sound best practices, according to Samantha Jocks. These recommendations include maintaining a comprehensive inventory of devices, implementing network segmentation, and deploying multi-factor authentication (MFA). Jocks notes that the negative feedback in the Federal Register primarily targets the impractical timeline for compliance, not the value of the security measures.
Jocks advises healthcare entities to proactively adopt these recommendations, regardless of the rule's finalization. A crucial first step is to establish a thorough inventory of all network devices and understand data flow and network architecture. Following this, implementing multi-factor authentication and then network segmentation are highly recommended to enhance patient data protection and strengthen overall cybersecurity posture, even if it means moving forward independently of a finalized federal mandate.
"A lot of the recommendations in here are not bad recommendations. I think the way that they were written and the timeline for the implementation is really what health organizations are objecting to."
Proposed HIPAA Expansion Targets Enhanced Data Governance and Encryption
Proposed expansions to HIPAA regulations represent a significant increase in data governance requirements for healthcare organizations, according to Steven Goodro. These changes emphasize maintaining a comprehensive inventory of all network devices, meticulously mapping the flow of Protected Health Information (PHI) across systems, and implementing continuous compliance reporting. A key mandate also calls for the encryption of all network traffic.
Goodro highlights particular challenges in managing medical IoT devices, which often have less mature backend security. While these new mandates aim to strengthen cybersecurity, healthcare facilities, which prioritize system uptime and resiliency, will need to integrate security more deeply into their architectural planning. The objective is to make security an inherent part of the system rather than an add-on, especially given the sensitive nature of PHI.
"One of the things that really stood out to me was simply having an inventory of all of your devices in your organization on the network and the second one is mapping PHI data flows."
Bite-Sized Security Implementations Advised for Healthcare Organizations
Steven Goodro recommends a phased, "bite-sized" approach to implementing security changes within healthcare organizations, rather than attempting broad, simultaneous overhauls. This strategy involves focusing on specific sets of devices or data within the organization. By isolating a particular area, teams can thoroughly understand its data flow, device interactions, and who has access, before implementing targeted security rules.
The benefit of this granular approach is achieving demonstrable security outcomes in smaller, manageable segments. Once successful, these strategies can then be expanded outwards to encompass other devices and data sets. Goodro advises against starting with a broad geographical area due to the complexity of managing diverse data flows and devices simultaneously, suggesting that a focused, iterative process will yield more effective and sustainable security improvements.
"Make it bite-size, and I would probably not focus on a geographical area. I would probably focus on a particular set of devices or data within your organization that you want to start with."
Network Segmentation Key to Healthcare Cybersecurity, Poses Challenge for Smaller Hospitals
Network segmentation, a crucial cybersecurity best practice, is explicitly called out in the proposed HIPAA regulations as essential for keeping sensitive data types from intermingling, according to Samantha Jocks. In practice this means that, for instance, Payment Card Industry (PCI) data never crosses paths with Protected Health Information (PHI). While larger hospitals have often already started or completed segmentation projects, smaller hospitals may face significant challenges because of the time and cost involved.
Jocks emphasizes that segmenting a network can be an extensive and expensive undertaking. Despite these difficulties, it remains a fundamental security measure to create isolated zones for different data types, thereby limiting the scope of potential breaches. The explicit inclusion of network segmentation in the regulations underscores its importance in enhancing data protection, even as it presents a hurdle for organizations with limited resources.
"I think smaller hospitals though may struggle with segmentation projects because those can be very time-consuming and very costly."
Also mentioned in this video
- The proposed HIPAA changes, highlighting a burdensome requirement for… (0:52)
- Healthcare entities and business associates will face if the proposed HIPAA… (7:32)
- Steven Goodro agrees that a 180-day implementation is technologically… (10:09)
- While federal cyber regulations are important, most hospitals are currently… (13:28)
- The dilemma in healthcare where immediate survival and operational demands… (14:10)
Summarised from GigamonTV · 15:50. All credit belongs to the original creators. Streamed.News summarises publicly available video content.