In this 24×7 exclusive, Paul Laudanski, director of security research at Onapsis, discusses proactive steps healthcare organizations can take to combat cyberattacks, highlighting The Joint Commission’s new cybersecurity guidelines. Laudanski also emphasizes the future need for continuous adaptation to evolving threats, regulatory compliance, and fostering a culture of cybersecurity awareness within the industry.

24×7 Magazine: As cyberattacks on healthcare organizations increase, what challenges do hospitals face in securing their critical systems, and how is the threat landscape changing?

Paul Laudanski: Cybercriminals are employing advanced tactics such as ransomware, data breaches, and targeted phishing campaigns, putting sensitive patient data and critical healthcare systems at risk. Hospitals and medical centers face specific challenges, including limited cybersecurity resources and the interconnectedness of healthcare systems, which amplifies the impact of cyberattacks on patient care and financial stability.

Additionally, stringent industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., place added responsibility on healthcare organizations to safeguard patient information, further emphasizing the critical importance of robust cybersecurity measures.

24×7: The Joint Commission’s new cybersecurity guidelines require hospitals to prepare for extended cyberattacks that could disrupt vital systems. Can you shed light on these guidelines and their importance in healthcare?

Laudanski: The Joint Commission’s guidelines emphasize the need for proactive cybersecurity measures to ensure the continuity of essential healthcare services even during cyber incidents. By focusing on preparedness, they encourage healthcare organizations to invest in advanced cybersecurity solutions, comprehensive backup and recovery plans, regular system updates, robust incident response plans, and employee training. This proactive approach is essential in safeguarding patient data and maintaining the integrity of healthcare systems, especially in the face of increasing cyberattack threats.

24×7: Recent cyberattacks on healthcare have exposed millions of individuals’ sensitive medical data. What are the consequences, and how can organizations enhance patient information protection?

Laudanski: Unfortunately, the consequences of these attacks extend beyond compromising patient privacy. Such data breaches can disrupt patient care by leading to delayed treatments and canceled surgeries, and there can be significant financial repercussions for healthcare organizations. In today’s landscape, where cybercriminals like ALPHV are using regulation and legislation to extort companies, healthcare organizations must be vigilant. It’s clear that these criminals will exploit any avenue possible.

To better safeguard patient data, institutions must give top priority to cybersecurity practices as detailed in The Joint Commission’s recommendations. These practices encompass cybersecurity systems, thorough backup strategies, consistent system updates, and well-defined protocols for addressing security incidents. By adhering to these measures and staying ahead of evolving threats, organizations can effectively reduce the repercussions of data breaches and bolster patient confidence in the healthcare system.

24×7: Considering the evolving threat landscape, how can healthcare organizations enhance their cybersecurity posture and effectively manage downtime during cyber incidents?

Laudanski: To ensure comprehensive cybersecurity readiness, healthcare organizations should invest in advanced cybersecurity solutions to detect and mitigate threats in real time. Additionally, they should conduct a thorough vendor analysis if there are data centers or suppliers being used. This analysis is crucial to ensure that these vendors have proper procedures, training, and staff in place to support cybersecurity efforts and to ensure quick recovery time in case of an incident.

Furthermore, healthcare organizations should develop robust data backup and recovery plans to minimize downtime and data loss, establish rigorous patch management protocols to address vulnerabilities, and implement well-defined incident response plans to quickly mitigate the impact of cyberattacks.

Additionally, investing in employee training and awareness programs is essential to reduce the risk of human error in cyber incidents. These comprehensive strategies are essential for healthcare organizations to proactively defend against cyber threats and ensure the uninterrupted delivery of critical healthcare services.

24×7: Prospect Medical Holdings, a private-equity firm operating hospitals and medical centers, recently fell victim to a cyberattack. Could you share insights into the specific challenges faced by large healthcare entities like Prospect Medical Holdings in safeguarding their critical systems and patient data?

Laudanski: These challenges include the relentless nature of cybercriminals who target vulnerabilities, regardless of an organization’s size or reputation; the sophistication of cyberattacks, such as ransomware, data breaches, and phishing campaigns; and resource constraints that limit the implementation of comprehensive cybersecurity measures. Moreover, the interconnectedness of healthcare systems means that any disruption caused by a cyberattack can have far-reaching consequences, including delayed treatments and substantial financial repercussions.

24×7: What do you foresee as the future of healthcare cybersecurity? How can the industry enhance its defense against cyber threats while meeting regulatory guidelines, such as those from The Joint Commission?

Laudanski: The future of medical cybersecurity is likely to involve an ongoing battle against increasingly sophisticated cyber threats. Healthcare organizations will need to continuously adapt their cybersecurity measures to stay ahead of evolving threats. However, these regulations can also be used against impacted organizations to extort them. Not only could they suffer fines, but they could also suffer more damage to their identity and trust.

Regulatory guidelines, like those from The Joint Commission, will play a crucial role in shaping the industry’s cybersecurity standards. To better prepare for defending against cyber threats while complying with these guidelines, healthcare organizations should foster a culture of cybersecurity awareness, invest in innovative technologies and cybersecurity solutions, and collaborate with experts in the field.

Additionally, information-sharing and threat intelligence within the healthcare sector will be vital for effectively identifying and mitigating emerging cyber threats.