Editor’s Note: Retired Gen. Keith Alexander is chief executive officer of IronNet and Adrian Mayers is chief information security officer at healthcare insurance nonprofit Premera Blue Cross.
With a trove of valuable patient information and low tolerance for downtime, the healthcare sector continues to get hit hard by cyberattackers. Healthcare suffers the highest average cost of a breach for any sector — a figure that has increased 42% since 2020. Now that’s painful.
We can — and must — do better to stanch the impact of relentless cyberattacks on the healthcare sector, especially when most organizations are essentially victims of well-funded cybercrime carried out by highly organized criminal outfits and nation-state attackers (North Korea, for example).
With digital transformation happening across the sector, which comprises an endless network of third-party providers and suppliers, the healthcare ecosystem is a target-rich environment for adversaries. We all know they are mostly after protected health information, which can fetch about $1,000 per record on the dark web (compared to about $5 per credit card number and $1 per Social Security number), according to Experian.
Despite this backdrop, investment in securing non-patient IT infrastructure typically lags behind that of other sectors even though the final impact can compromise patient care directly. Many healthcare organizations, moreover, are not adequately staffed for the security risks commensurate with their environment.
How do we tip the scale back in our favor? The answer: adopting a “whole-of-health” approach to cybersecurity to scale cyberdefense.
Days of defending alone are over
The whole healthcare ecosystem has to be stitched and tied together to enable not just better defense of any given organization but stronger collective defense for the sector at large. That means empowering healthcare providers, payers and even the employers who are invested in group health programs to collaborate in real time to defend the healthcare ecosystem at scale.
We call this strategy a “whole-of-health” approach to cybersecurity — one that is built on bi-directional trust so all stakeholders can lean in, together, to share real-time threat information as cyberthreats are forming (for example, as command-and-control, or C2, infrastructure is being set up — well before the attack itself happens). As a sector, we also must be open to sharing anonymized threat data with the government, when needed, to act upon critical cyber threats detected in private-sector networks.
For this approach to succeed, the healthcare sector must overcome its systemic fear of sharing threat data — a legitimate fear fueled by stringent data privacy regulations and compliance requirements.
It’s important to realize that threat sharing in cybersecurity is based on completely anonymized data. That’s the easy part, and technology handles it. Cyberthreats on networks can be detected using behavioral analytics — without needing any corporate or personally identifiable information. This holds for organizations with on-premises, cloud-based or hybrid networking environments.
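What an anonymized shared record looks like in practice, as an added illustration (this is example code written for this page, not code from the authors, IronNet or Premera). The sample detection event, its field names and the allow-list of shareable fields are all constructed assumptions; the point is that the record leaving the organization is built from an allow-list of external indicators and behavior, so internal hosts, users and the reporting organization's identity are never present to be stripped:

```python
import ipaddress
from datetime import datetime

# Constructed sample detection from one member organization's network.
# Field names and values are assumptions for this example, not any vendor's schema.
RAW_EVENT = {
    "org": "Example Health Plan",             # identifies the reporting member
    "src_host": "ws-billing-07.corp.example", # internal hostname
    "src_ip": "10.42.7.19",                   # internal RFC 1918 address
    "user": "jdoe",                           # employee account
    "dst_ip": "203.0.113.45",                 # external endpoint (documentation range)
    "dst_domain": "update-cdn.example.net",   # external domain the host beacons to
    "behavior": "beaconing",                  # what the behavioral analytic flagged
    "beacon_interval_s": 60,
    "first_seen": "2024-03-14T13:07:41Z",
}

# Allow-list: only these fields ever leave the organization. Anything not named
# here (hostnames, users, org name, internal IPs) is dropped by construction.
SHARED_FIELDS = ("dst_ip", "dst_domain", "behavior", "beacon_interval_s")

# Address space that identifies a member's own network. It must never be shared
# as an "indicator": it would leak topology and is useless to other members.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]


def is_internal(ip: str) -> bool:
    """True if the address belongs to private, loopback or link-local space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def coarsen_timestamp(ts: str) -> str:
    """Round to the hour so the shared record cannot be matched back to a
    specific session in the member's own logs."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:%M:%SZ")


def anonymize_for_sharing(event: dict) -> dict:
    """Build the record that goes to the collective-defense community.

    Raises ValueError if the would-be indicator is an internal address,
    because sharing it would expose the member rather than the adversary.
    """
    if is_internal(event["dst_ip"]):
        raise ValueError("refusing to share an internal address as an indicator")
    shared = {k: event[k] for k in SHARED_FIELDS if k in event}
    shared["observed_hour"] = coarsen_timestamp(event["first_seen"])
    return shared


def contains_identifying_fields(record: dict) -> bool:
    """Final check before transmission: none of the identifying raw fields survived."""
    forbidden = {"org", "src_host", "src_ip", "user", "first_seen"}
    return bool(forbidden & set(record))


if __name__ == "__main__":
    shared = anonymize_for_sharing(RAW_EVENT)
    assert not contains_identifying_fields(shared)
    print(shared)
```

The allow-list is the design choice that matters: a deny-list of "sensitive" fields fails the moment a detector adds a new field, whereas an allow-list fails closed. The final `contains_identifying_fields` check is belt-and-braces for the case where someone later edits the allow-list carelessly.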
The hard part is working through long-standing trepidation that sharing information will lead to compliance penalties for the reporting organization. That is why the language in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 about protecting private entities that share cyberthreat information is so important, both for shining a light on what threat sharing really means for healthcare and, more importantly, for reframing the relationships between public and private entities. We must make this collective mind shift.
A “whole-of-health” approach to cybersecurity complements current efforts by the Health-ISAC, as it adds to the mix both actionable attack intelligence about new and novel threats and a real-time, radar-like picture of the cyber threat landscape.
Let’s create a ‘phalanx of capabilities’
This approach creates a “phalanx of capabilities” that empowers the sector to defend at scale.
We draw this analogy from military campaigns, which depend on a convergence of specialized capabilities such as battlefield intelligence, special ops intelligence, multi-weapons operations expertise and more. In cyberspace, when you start thinking about creating a phalanx of capabilities, your ability to reach your objective and to achieve mission success increases exponentially while making it much harder for the adversary to degrade the mission objectives.
In addition to leveraging the aggregated expertise and resources of a collective defense community for healthcare, this phalanx requires layering on public-sector and government capabilities to complement private-sector insights. By drawing on this phalanx, a whole-of-health cybersecurity community helps all stakeholders understand the shared outcome: collective defense for the betterment of the sector — and of the nation.
Leaving no healthcare entity behind
A collective defense community that brings together payers, providers and employers changes the overall calculus of adversary versus healthcare, especially for small and medium organizations that face ongoing resource constraints. They gain an advantage of scale by drawing on the expertise of hands-on analysts from larger, better-resourced organizations. As Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council cybersecurity working group, recently said at the HIMSS Healthcare Cybersecurity Forum, “None of us individually is as smart as all of us collectively.”
This whole-of-health approach creates a cyber-peloton of sorts that pulls along those who may not be as cyberstrong as the pack leaders, cutting through the headwinds so everyone can race ahead of adversaries as a collaborative group with an eye on the same goal: better defense.
Whole-of-health cybersecurity comes back to protecting patient care
Cybersecurity is not an IT issue. It is integral to a healthcare organization’s — whether a provider, payer or employer stakeholder — ability to deliver high-quality patient care while protecting and securing data. A member of the United States Health and Human Services cyber task group, CIO David Finn, has isolated this particular challenge: “Cybersecurity is still thought of as an IT and security ‘problem.’ While we are making progress in this area, the sector has been slow to recognize that this is a question of enterprise risk,” he said, adding that, “Security doesn’t understand or suffer the impacts of an attack. Clinical care and quality of care suffers.”
Acting now is imperative. Opting in to collective defense is no longer optional for the healthcare sector. We need public and private collaboration across the provider-payer-employer ecosystem if we stand any chance at all of fighting back against cyber adversaries. Don’t put off this critical cyberhealthcare wellness check any longer.