Paubox blog: HIPAA compliant email made easy

Why zero trust matters to leadership in healthcare

Written by Anne-Marie Sullivan | May 05, 2022

The risks are too high for healthcare leaders not to understand zero trust

Cybersecurity crime is disrupting healthcare organizations. Your data, reputation, and patient care are on the line. The federal government is sounding the alarm regarding the grave concerns while news about data breaches hit the headlines.

Paubox, the leading HIPAA compliant email solution company, leadership recently gave a webinar with Becker’s Healthcare. Hoala Greevey, founder and CEO, and Alayna Parker outlined why zero trust matters to leadership in healthcare.

The takeaway is that healthcare leadership must understand the peril of not implementing a zero trust model for email, one of healthcare’s most vulnerable attack vectors.

As long as healthcare leadership implements best practices, there is hope and a solution for today’s cyberattack barrage. To understand why zero trust matters to leaders in healthcare, let’s take a quick look at today’s cyber landscape.

 

What is zero trust?

Zero trust is a framework or approach to cybersecurity. It assumes everyone is a threat until proven otherwise through various verification methods. Think of this as the opposite of innocent until proven guilty; nothing and no one is trusted until proven otherwise.

 

Why zero trust matters to leadership in healthcare

Did you know healthcare is one of the most highly targeted industries by cybercriminals? Here are two sobering facts that reveal the reality healthcare is facing. 

  1. Hospitals alone make up 30% of the victims of significant cyber attacks. 
  2. The healthcare industry faced a 755% increase in ransomware attacks in 2021, according to the 2022 Cyber Threat Report.

Cyberattacks are devastating to patients, and they increase healthcare costs. The destructive impact of an attack is not worth the risk of hoping your cybersecurity is comprehensive enough. You need to know it is.

Healthcare organizations must take every precaution possible to avoid getting hacked. Ransomware attacks occur every 14 seconds or 4 per minute, so you can estimate roughly twenty-four ransomware attacks by the time you finish this blog.

It’s important to note that most ransomware attacks begin with email as the entry point. However, bad actors (hackers) are incredibly smart and use social engineering strategies to gain the trust of potential victims. As a result, it’s increasingly challenging to detect email attacks, and hackers bypass standard email checks.

 

Taking chances with cyber security is more risky and costly than malpractice

Criminals know the steep price U.S. healthcare organizations pay if there is a data breach, so they bank on you paying ransoms. That is the “why” behind the target on healthcare’s back. 

 

Five eye-opening facts about the cost of data breaches in healthcare

  1. The average cost of a healthcare organization data breach is $7.91 million.   
  2. In addition to fines and ransoms paid, repairing your reputation is costly.  The American Journal of Managed Care reports that hospitals spend 64% more annually on advertising after a data breach. This increase is due to the cost of repairing the hospital’s image and minimizing patient loss to competitors.
  3. Hospital data breaches impacted 45 million individuals in 2021.
  4. This is up   from 34 million in 2020. That number has tripled in just three years, growing from 14 million in 2018, according to data reported to the U.S. Department of Health and Human Services (H.H.S.).
  5. Depending on whom the attackers and the victims are, the psychological effects of cyberattacks may even rival those of traditional terrorism according to Dr. Maria Bada, research associate at the Cambridge Cybercrime Centre at the University of Cambridge.

The bottom line is that zero trust must matter to healthcare leadership. 

Concerns for healthcare cybersecurity from the White House

Our government is highly concerned about healthcare cybersecurity, but especially now with the recent conflicts in eastern Europe. These threats and headlines aren’t just for clickbait.  President Biden is the first U.S. president to discuss ransomware attacks while addressing the nation. 

  • President Biden stated, “The more Putin’s back is against the wall, the greater the severity of the tactics he may employ … one of the tools he’s most likely to use in my view, in our view, is cyberattacks.”
  • Warnings keep coming from the White House, C.I.S.A., F.B.I., and the Secret Service about possible cyberattacks.
  • Among these warnings, healthcare is specifically called out to be on alert for ransomware attacks. 
  • Industry leaders are putting protocols in place in the event of cyberattacks related to the Russian threat.

 

Email threats to healthcare are evolving and dangerous

Attacks are getting more frequent, targeted, and sophisticated. About a year ago, Paubox began reporting an increase in phishing attacks. We looked at examples sent in and, upon closer inspection, noticed new phishing campaigns had one thing in common: The bad actors used American tech companies to send malicious emails.

Most cybersecurity checks look for attacks originating from countries like China and Russia. But what happens if the emails originate from the U.S.? The bad actors are using American tech companies to send email phishing campaigns. Major American companies ensure their email systems comply with industry standards so the emails look legitimate to your email platform. 

Hackers are exploiting a gaping vulnerability: They launch their malicious emails inside the United States — on servers run by Amazon, GoDaddy, and smaller domestic providers. This puts them out of reach of the early warning system run by the National Security Agency.

In addition, these bad actors identified America’s blind spot: If hackers can assemble an attack from inside America’s borders, the U.S. government can be blindsided.

 

Three factors why zero trust matters to healthcare leadership

Three factors contribute to the need for more robust, stricter security measures like zero trust.

  1. With the increase in cyber attacks, the standard security we have in place now is not enough.
  2. Healthcare is a target (an extremely lucrative target), and we’ve seen that bad actors are increasing their attacks.
  3. We’re seeing an increase in remote and hybrid work and a rise in cloud-based applications for telemedicine, advanced E.H.R. systems, etc. These are all new vulnerabilities to cyberattacks due to the pandemic.

Unfortunately, healthcare security can’t operate as it has been. These factors introduce dangerous security risks that organizations haven’t dealt with before. Attackers are more sophisticated and have increased their activity. Healthcare needs to combat this with new security measures. That’s where zero trust comes in.

 

Five core tenets of zero trust for healthcare

    1. Nothing is automatically trusted
    2. Least-privilege access
      1. Employees should only have access to information they need and nothing more
    3. Micro-segmentation.
      1. This security technique separates the network into small zones and maintains separate access to every part of the network. If someone hacks into the system, they will only be able to access one small zone.
    4. Multi-factor authentication (MFA)
    5. Strict controls on device access.
      1. Inventory and monitor devices with access to your network.

Six steps for healthcare leaders to implement zero trust

  1. Change your mindset to how you approach your security strategy. It’s a big task to change your security’s core approach. 
  2. Assess your data access points.
    1. Identify the different users and applications that have access to sensitive data.
    2. There will likely be many applications with access and numerous user roles that access data.
  3. Map this out to identify vulnerability points and help prioritize what to tackle first.
  4. Implement zero trust security measures for each of the access points, such as: 
    1. Multi-factor authentication: Implement MFA to ensure only verified users have access.
  5. Access limitations: Establish user roles and give the least amount of access needed for each user.
  6. Monitor: Continually monitor to keep track of cyber defenses.

The zero trust model for healthcare email security

Email is one of your most significant vulnerability points, and in the last three years email was the root cause for 35% of all healthcare data breaches reported to H.H.S. Attackers have to find just one weak link to access extremely sensitive data. They often exploit a weak link (i.e., human error) through email attacks. Therefore, keep in mind the importance of safeguarding this huge vulnerability with a zero trust email model as you are building a zero trust methodology into your security framework for your healthcare organization. 

 

Zero trust’s ground zero

Zero trust is not a new term; it was coined in 2004 by a Forrester analyst, John Kindervag. The concept came up in his research that emphasized that all network traffic is untrusted and that any request to access any resource must be done securely. 

Since then, zero trust has become even more relevant, mainly because of the reasons we mentioned earlier. In addition, we’re seeing interest in zero trust across the board, including by our government. This year, the White House released the federal zero trust strategy and recommended ways businesses can implement zero trust.

 

Want to learn more about zero trust security for your healthcare organization? 

Paubox’s solutions are HITRUST CSF certified, patented, and are the most advanced HIPAA compliant email software available. And although are solutions are advanced, they are designed to be effortlessly easy to implement and use. In fact, our software has a 4.9/5 rating by current customers in G2.

Whether you are a large healthcare hospital or a standalone clinic, Paubox has the right email product to keep your data, organization, and patients safe.

Paubox is the leading HIPAA compliant email solution provider. We are the experts when it comes to zero trust and email security for healthcare.