Feds cough up 'voluntary' cybersecurity goals for hospitals - The Register

Plus, you're going to be in for a world of hurt when new regulations - which will very likely mirror these voluntary practices - take effect, according to Taylor Lehmann, a director in Google Cloud's Office of the Chief Information Security Officer.
Lehmann, a former CISO of Athenahealth and Tufts Medicine, said the proof is in previous federal agency rulemaking processes.
In early January, as a record-breaking 46 health networks with a total of 141 hospitals between them were still reeling from ransomware infections and data theft in 2023, rumors started swirling that the White House would soon require US hospitals to meet basic cybersecurity standards before receiving federal funding.
During all of this, the criminals behind the intrusions were using their own increasingly dangerous extortion methods to force hospitals to pay ransom demands.
When asked about the hospital rules, the Centers for Medicare and Medicaid Services directed The Register to a concept paper published in December that outlines the Department of Health and Human Services' cybersecurity strategy.
Later in January, HHS released the voluntary, healthcare-specific cybersecurity performance goals (CPGs).
Essential doesn't mean easy.
These goals are divided into two categories, essential and enhanced, and each has ten specific things that organizations can do to better protect themselves from cyberattacks.
The essential goals sound like base-level security - the kind of things one would hope that hospitals and clinics already have in place.
According to Lehmann, they are all based on real-world exploits and compromises.
They include mitigating known vulnerabilities, using multi-factor authentication, implementing email security, training employees in secure behaviors, encrypting sensitive data, and revoking credentials for employees, contractors, and volunteers when they leave the organization.
Basic incident response planning, using unique credentials, separating user and privileged accounts, and assessing vendor and supplier risks round out the essential goals.
Healthcare networks, especially those with clinics and hospitals in smaller, rural communities, aren't running modern technology stacks.
Some of their equipment is decades old, and they can't afford to upgrade it or hire enough employees to support their security goals.
He's referring to an Illinois hospital that said it would shut down in part because of a ransomware infection.
This isn't to say large hospitals are immune from ransomware or other cyberattacks.
Case in point: CommonSpirit Health, America's second-largest nonprofit healthcare org, diverted ambulances and shut down electronic record systems at its facilities and hospitals across 21 states.
Still, implementing even the essential goals like multi-factor authentication, for example, can present difficulties.
Another of the essential goals - revoking credentials when people leave the organization - isn't as easy as it sounds either.
For too long, data confidentiality, and protecting patients' PII and health information, has been seen as the only goal in securing healthcare because failing to protect confidential information is what gets hospitals in trouble with government agencies.


This Cyber News was published on go.theregister.com. Publication date: Mon, 05 Feb 2024 20:13:05 +0000

