
Data Breach Defense for a Small U.S. Hospital

   

Thousands of small and rural hospitals in the U.S. are exposed to cyberattacks and data breaches. This is a case study of how one small hospital organization improved its defense against data breach activity.

Unique challenges for small hospitals include financial solvency and survival, as industry estimates predict that 700 or more hospitals could close over the next six years. Staffing of doctors and nurses is another challenge. On top of that is the growing number of cybersecurity and data breach attacks.

 

Monthly Data Breaches in the Healthcare Sector, 2023-2024

Data-Breach-Graph
Source: HHS Office of Civil Rights

Cybersecurity and data breach threats present a variety of issues, but the central issue is the regulatory requirement to protect patient information (PHI and ePHI). The challenges associated with ePHI protection include:

  • Healthcare IT complexity, which continues to grow;
  • The challenge of protecting legacy systems;
  • IT and cybersecurity staffing;
  • Threat actors that specifically target vulnerable hospitals;
  • Future concerns about advanced and novice threat actors using AI to create advanced attacks.

A core technical challenge for hospitals is implementing effective prevention measures such as:

  • MFA (multi-factor authentication)
  • Data encryption
  • Patch management
  • Employee awareness training to fight phishing attacks

All these prevention measures are essential yet insufficient, because creative threat actors can increasingly bypass them. Given that, what can a small hospital do to improve the security of patient information?

 

After Prevention – The Importance of Detection

There are a range of estimates of the average time needed to detect data breach activity. These estimates can be as long as 200 days or more. Other opinions and examples center around data breach “smash and grab” attacks, which may be perpetrated in as little as one to three days.

 
Case Study Example

Our case study focuses on a small hospital system with multiple locations and a total of five firewalls that used Celerium’s Compromise Defender® solution to improve data breach defense. We are using fictitious locations to maintain anonymity.

Below, you can see five different locations in the northeast United States.

Data-Breach-1

 
Viable Implementation

One of the first challenges a small hospital faces when it comes to improving cybersecurity is implementation complexity. For many hospitals, it’s important to avoid installing complex hardware and software. Hospitals may also want to avoid installing intrusive agents on endpoints. The hospital in our case study avoided these issues by configuring Compromise Defender to work with its public-facing firewalls. It wanted to ensure that the solution could not access ePHI data. For that reason, the solution limited its access to metadata (i.e., firewall syslog data), which contains no customer or PHI data.

 
Need for Fast and Easy Insights

Our case study organization faces many IT security challenges and, like many, can suffer from alert fatigue. For that reason, it was essential that the team could see possible data breach activity at a glance. The example below shows a summary dashboard of the organization’s five locations, with one experiencing suspicious activity possibly related to a data breach.

The hospital knew that threat actors could circumvent many different detection solutions, so it wanted a layered defense. Implementing the Compromise Defender solution did indeed provide information and insights about possible data breach activity that the hospital did not receive from its other tools.

The hospital’s IT team set up notifications regarding possible breaches, and they leveraged reports to analyze the threats further using a variety of cyber threat intelligence (CTI) sources that are integrated into the Compromise Defender solution.

Data-Breach-2

 
After Detection – The Need for Response

After data breaches are detected, organizations need to work on response. Large hospitals may have incident response (IR) plans, while smaller hospitals may not. But either way, if a data breach occurs, the first action needed is at the front end of the IR lifecycle – called tactical response or containment.

Containment is essential to stop the bleeding of ePHI data on breached systems and to stop the spread of the bleeding by securing systems that have not yet been breached.

The industry often uses isolation-based containment to disconnect breached hospital systems from the network. Isolation can disrupt patient care and safety, the safety of partners and employees, and overall hospital clinical operations.

A supplemental approach to containment is surgical containment, which involves blocking traffic going to malicious locations (e.g., to threat actors) and avoids shutting down hospital systems.
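The two ideas above, detection from firewall metadata only and surgical containment by destination rather than by host, can be illustrated in a few lines. The following is an added example, not Celerium's code and not Compromise Defender's data format: the syslog lines, the key=value layout, the firewall hostnames (only Milford is named on the page) and the indicator addresses (RFC 5737 documentation ranges) are all constructed placeholders.

```python
"""Detection from firewall syslog metadata and 'surgical' containment rules.

Added example (not the product's code). Parses connection metadata only,
flags connections to known-bad destinations, and emits block rules for every
site's firewall instead of isolating the affected hospital systems.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list standing in for a CTI feed. The addresses are from
# the RFC 5737 documentation ranges, so they are placeholders, not real IoCs.
MALICIOUS_DESTINATIONS = {"203.0.113.45", "198.51.100.7"}

# Hypothetical firewall hostnames for the five sites (the page names only Milford).
LOCATIONS = ["fw-milford", "fw-site2", "fw-site3", "fw-site4", "fw-site5"]

# Constructed syslog lines in a generic key=value format (no vendor's real format).
# Only connection metadata is present: no payloads, no patient data.
SAMPLE_SYSLOG = """\
<134>Mar 12 09:01:02 fw-milford fw: action=allow src=10.20.1.15 dst=203.0.113.45 dport=443 proto=tcp bytes_out=48120000
<134>Mar 12 09:01:05 fw-milford fw: action=allow src=10.20.1.15 dst=203.0.113.45 dport=443 proto=tcp bytes_out=51200000
<134>Mar 12 09:01:09 fw-milford fw: action=allow src=10.20.1.22 dst=192.0.2.10 dport=443 proto=tcp bytes_out=1800
<134>Mar 12 09:02:11 fw-site2 fw: action=allow src=10.30.4.8 dst=192.0.2.10 dport=443 proto=tcp bytes_out=2200
<134>Mar 12 09:02:40 fw-site2 fw: action=allow src=10.30.4.9 dst=198.51.100.7 dport=8443 proto=tcp bytes_out=900
this line is garbage and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+: "
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_syslog(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        try:
            ev["dst"] = str(ipaddress.ip_address(ev["dst"]))  # normalise, reject junk
        except ValueError:
            continue
        ev["dport"] = int(ev["dport"])
        ev["bytes_out"] = int(ev["bytes_out"])
        events.append(ev)
    return events


def find_suspicious(events, indicators):
    """Group allowed connections to known-bad destinations by firewall (location)."""
    hits = defaultdict(list)
    for ev in events:
        if ev["action"] == "allow" and ev["dst"] in indicators:
            hits[ev["host"]].append(ev)
    return dict(hits)


def outbound_bytes(hits, host):
    """Bytes sent toward bad destinations from one site; large values suggest exfiltration."""
    return sum(ev["bytes_out"] for ev in hits.get(host, []))


def containment_rules(hits, locations):
    """Surgical containment: block the bad destinations on every site's firewall,
    including sites with no hits yet, rather than disconnecting hospital systems.
    Rule text is generic; real syntax depends on the firewall vendor."""
    bad_dsts = sorted({ev["dst"] for evs in hits.values() for ev in evs})
    return [(loc, f"deny ip any host {dst}") for loc in locations for dst in bad_dsts]


if __name__ == "__main__":
    hits = find_suspicious(parse_syslog(SAMPLE_SYSLOG), MALICIOUS_DESTINATIONS)
    for host in LOCATIONS:
        print(f"{host}: {len(hits.get(host, []))} hits, {outbound_bytes(hits, host)} bytes out")
    for loc, rule in containment_rules(hits, LOCATIONS):
        print(f"{loc}: {rule}")
```

The point of `containment_rules` is that the rules are pushed to all five sites, not just the one with hits; that is the "stop the spread" step the case study describes, and it needs nothing beyond destination addresses drawn from the metadata the solution already sees.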

The example below shows the customer blocking malicious communications associated with its Milford location.

Data-Breach-3

Data-Breach-4

Within 15 minutes of activation, malicious activity (theft of ePHI) in the Milford facility was blocked.

 
The Need to Stop the Spread of ePHI Bleeding in Other Locations

Data-Breach-5

After the hospital activated surgical containment (blocking), the same blocks were applied to the other four locations within the same 15 minutes, stopping the spread of the threat.

Although the hospital organization was able to manually activate surgical containment measures, the solution offers an option to enable automated containment.

 
Conclusion

Speed is essential when small hospitals with overloaded and limited IT staff encounter data breach activity. The case study focused on the speed of detection of possible data breach activity as well as the speed of tactical response, or containment, to stop the ePHI bleeding and to stop the spread of the bleeding.

 
Learn More – Data Breach Defense Programs

Celerium provides cybersecurity solutions to the U.S. Department of Defense to better protect the defense industrial base from cyber threats. U.S. hospitals can leverage Celerium’s data breach defense solutions, including a no-cost program. Learn more about Celerium’s Data Breach Defense Program for U.S. Hospitals here.