Six Takeaways from the HIMSS 2022 Healthcare Cybersecurity Forum

Hundreds of top cybersecurity leaders in the healthcare ecosystem learned to adapt to new threats, safeguard patients, defend against attackers and deliver business value at the HIMSS 2022 Healthcare Cybersecurity Forum. 

The forum, which took place Dec. 5-6 in Boston, explored how the industry is protecting itself today and how it must evolve for the future. Healthcare cybersecurity professionals are invited to continue the conversation and contribute to meaningful industry analysis by completing the 2022 HIMSS Cybersecurity Survey. 

Lee Kim, HIMSS senior principal, cybersecurity and privacy, offered top highlights from the forum. 

Insider threats pose a sneaky risk 

Phishing attacks and ransomware are typically the most significant security incidents among healthcare organizations, according to the 2021 HIMSS Healthcare Cybersecurity Survey Report, but the 2017 and 2018 HIMSS Cybersecurity Surveys indicated that only some organizations are addressing insider threats. Both negligent and malicious insider threats remain significant concerns for all organizations. 

“Even though we might like to not think about it, there is always some risk of insider threat,” Kim said. “Inside our healthcare organizations, leadership must put formal policies and procedures into place to detect and mitigate insider threat activity, and the workforce needs to be trained on the telltale signs of insider threats.” 

The 2021 survey reported that breach or data leakage accounted for 5% of significant security incidents in the previous 12 months, and negligent insider activity also accounted for 5%. 

Privacy and cybersecurity are equally important 

Healthcare organizations are aware of the importance of cybersecurity, but less often talked about is the need for data privacy and identity management.  

“Organizations, while meeting their business objectives, also need to have chief privacy and cybersecurity officers at the executive level to enable effective privacy and cybersecurity programs,” Kim said. 

Identity is the new perimeter of cybersecurity. Without adequate identity proofing and authentication, the individual or entity that is accessing the systems and networks may not be who or what they claim to be. In other words, inadequate identity proofing and authentication practices may provide an open door to unauthorized individuals and entities. 

Social engineering is here to stay 

Email phishing is a common attack today. Sometimes, email phishing is combined with SMS (text) phishing (smishing), vishing (voice phishing by telephone) and social media phishing.  

Because phishing is so prevalent, workforce members of all levels and all kinds – including administrators, clinicians and technical staff – should participate in regular security awareness training. 

“A new type of phishing that has just begun to be reported by healthcare organizations is deepfake phishing,” Kim said. The 2021 HIMSS Healthcare Cybersecurity Survey found a few organizations had experienced deepfake phishing. 

A deepfake can be a video, photo or audio recording that essentially mimics an individual’s likeness, such as voice, facial gestures and body language. Pre-existing media can be manipulated to create deepfake content. 

“As a society, our interactions are heavily virtual now,” Kim said. “People may be hesitant to pick up the phone and make a call to a superior to confirm if an unusual instruction is genuine, which increases the likelihood that deepfake attacks could be possible or even successful. 

“This may not yet be an issue, but we could see more of these attacks in the next three to five years. We know social engineering is an easy way for attackers to get in.” 

Quantum computing – the next frontier 

In the near future, cybersecurity professionals need to look out for quantum computing, which poses both an opportunity and a threat. Quantum computing has the potential to solve the toughest problems in mathematics, physics, cryptography and other fields. A quantum computer can exploit quantum mechanics to find solutions to the most complex problems. While quantum computers are not up to their full potential yet, they will be able to break state-of-the-art encryption sooner than one might think. 

“Information that is secured with robust encryption can be decrypted with a key,” Kim said. “Another possibility, though, is that the state-of-the-art encryption could be computationally broken. Current computers do not have the computational power to do so, but quantum computers may have this ability in the future. We need to start thinking about how we can protect our infrastructure and assets against these future threats.” 

Cyberattacks of 2022 

The healthcare sector experienced a barrage of ransomware attacks in 2022. Ransomware variants that have targeted the healthcare and public health sector include Blackcat and Royal, with healthcare organizations of all types and sizes targeted. 

“Healthcare organizations can benefit from an independent, third-party security risk assessment, which covers assets and infrastructure end to end,” Kim said. “While the assessments are important, so is taking action in light of the assessor’s report. 

“Penetration tests can also be helpful, but so is adopting the penetration tester’s recommendations, at least where it is reasonable and feasible. A retest may be a good idea to see whether the mitigations put in place are effective.” 

Preparation and practice

Healthcare cybersecurity professionals and organization leaders must be prepared for the threats and risks of today as well as those on the horizon, understanding what is required to keep information secure under both normal and abnormal situations.  

Whether a threat is tied to an extreme weather event, a cyber-attack, insider threat activity or any other event, having a playbook is essential.  

“Be sure to rehearse what you would do under various conditions with other key stakeholders across the organization,” Kim said. “Tabletop exercises are a great way to talk through how you would deal with different scenarios. But make sure plans are fully developed in writing to provide step-by-step guidance about what each person should do. Technology can fail under the most unexpected circumstances. So be sure to have the backups in place, including for people, processes and technology.”