Healthcare's cybersecurity wake-up call: A 5-step resilience plan

In recent weeks, two significant cyberattacks have rocked the healthcare sector, underscoring the ever-present and evolving threat landscape facing healthcare providers. Providers often lag in cyber and operational resiliency due to underfunded and under-resourced cybersecurity programs, making them easy prey for cybercriminals.  

Lurie Children’s Hospital: Lurie’s was forced to take its systems offline due to a ransomware attack by the Rhysida group, affecting its operations and patient care. This attack disrupted appointments and elective surgeries, with the attackers demanding a ransom of 60 bitcoins (~$3.4M), highlighting the financial impact behind such e-crimes.  

Change Healthcare: The second attack targeted Change Healthcare, a part of UnitedHealth's network, with a “suspected nation-state-associated” threat actor breaching its IT network. This breach disrupted payment and revenue cycle management operations across pharmacies and health systems nationwide, although swift actions were taken in an attempt to mitigate the impact on provider cash flows.

What Healthcare Providers Can Do

Our take? These incidents reveal a concerning trend of opportunistic attacks by financially motivated actors and potentially more sophisticated nation-state actors, exposing a critical lack of preparedness within the healthcare sector to prevent, respond to, and recover from such cyber threats. The attack on Change Healthcare, suspected to be the work of a nation-state actor, suggests a high level of capability and funding behind the attackers, raising alarms about the sector's vulnerability to threat actors.  

The recent policy change by Blackcat, a ransomware-as-a-service provider, to allow attacks on healthcare and critical infrastructure, signals a likely increase in such cyber events. This context sets the stage for our discussion on the imperative steps healthcare provider executives must take to bolster their cyber resiliency and response plans, ensuring their organizations are not the next victims of these increasingly impactful cyber-attacks. 

In an era where cyber threats loom large over the healthcare sector, the recent high-profile cyber incidents serve as a stark reminder of the vulnerabilities that healthcare organizations face. For healthcare provider executives, the urgency to fortify their organizations against such threats has never been more critical.

1. Establish a Comprehensive Cybersecurity Program

There are three elements to a comprehensive cybersecurity program: 

• Strong Identity and Access Management: With 80% of cyberattacks exploiting identity-based vulnerabilities, the adoption of strong identity and access management practices such implementing multi-factor authentication (“MFA”) across all critical systems is non-negotiable. Despite high adoption rates in surveyed hospitals, inconsistencies remain, particularly in VPNs and email systems, underscoring the need for a more uniform application of MFA to mitigate risks effectively. 
• Vulnerability Lifecycle Management: Regular vulnerability assessments are crucial, yet only 53% of hospitals have a plan to address identified vulnerabilities. This gap highlights the importance of not just identifying but also systematically addressing vulnerabilities.
• Training & Outreach: The variability in cybersecurity training and the challenge of hiring skilled cybersecurity talent underscore the need for comprehensive training programs and strategic hiring plans to keep pace with evolving cyber threats.

>> How West Monroe Can Help: West Monroe offers expertise in design and implementation of access management programs including the implementation of MFA, enhancing cybersecurity workforce capabilities and the implementation of full lifecycle vulnerability management programs.

2. Enhance Cloud Resiliency

With 82% of breaches involving cloud environments, and healthcare data breach costs soaring, the focus on cloud security is paramount. Basic protections are no longer sufficient against sophisticated social engineering and phishing attacks. Cloud controls are instrumental to enhance and automate cloud security organization-wide to increase efficiency, especially in multi-cloud environments, with less oversight from IT teams.  

>> How West Monroe Can Help: As a Gold-accredited Microsoft partner, West Monroe's teams excel in comprehensive cloud security assessments, deployment of modern management infrastructure, cloud policy deployment, and proactive threat mitigation across diverse cloud environments.

3. Adopt HICP and NIST Frameworks

Adoption of the HICP and NIST frameworks is directly correlated with improved cyber outcomes, reduced risk, and lower technology costs. These frameworks facilitate transparent communication with stakeholders and regulators. 

>> How West Monroe Can Help: With extensive experience in implementing HICP and NIST frameworks, West Monroe provides strategic guidance, from planning to reporting, to ensure compliance and enhance cybersecurity posture.

4. Identify and Remediate Technical Debt

With 96% of hospitals using end-of-life systems with known vulnerabilities, securing these systems is imperative to prevent cyberattacks. Network-connected EOL systems in particular are prime targets for attackers. Hospitals should be focused on key initiatives to accomplish this, such as cloud migration strategy, application rationalization, and application modernization.  

>> How West Monroe Can Help: West Monroe's technical expertise supports digital transformation efforts, such as focusing on assessing and remediating vulnerabilities in EOL systems, migrating systems securely to the cloud, and application modernization efforts to safeguard against potential cyber threats.

5. Prepare for the Incident

Despite the significant benefits of identifying crucial gaps in response plans, only 20% of hospitals participate in response plan testing. This includes activities like tabletop exercises for incident response, crisis management, and disaster recovery and business continuity. Proper planning and testing for potential incidents can significantly reduce the effects of a real event, making it an essential part of preparing for the inevitable cyber incident.  

>> How West Monroe Can Help: West Monroe can enhance hospitals' cybersecurity by helping to develop comprehensive incident response plans, conduct tabletop exercises, assess backup capabilities, formulate risk mitigation strategies, and provide ongoing support and review to ensure preparedness against cyber threats. 

Taking proactive steps toward cyber resilience

Enhancing cyber resilience in the healthcare sector requires a multifaceted approach, encompassing everything from strengthening cybersecurity programs to adopting recognized frameworks and addressing system vulnerabilities. While the challenges are significant, the support of experienced partners like West Monroe can provide healthcare organizations with the expertise and resources needed to navigate these complexities effectively. By taking proactive steps now, healthcare organizations can significantly improve their resilience against the ever-evolving landscape of cyber threats.