Securing the future: Enhancing data protection practices in 2024
Cyberattacks on data sharing mechanisms highlight how healthcare organizations need to be vigilant in blunting emerging hacking initiatives.
In a year dominated by artificial intelligence and AI-driven tools like ChatGPT, there was a significant event in early 2023 that will have implications for an often-overlooked technology in 2024 – managed file transfer, or MFT.
In February 2023, news broke of an attack on the managed file transfer platform GoAnywhere. In June, an attack on another managed file transfer product called MOVEit was discovered. By the end of the year, it was clear that threat actors were targeting MFT products after attacks on Aspera, Titan and ShareFile.
Why does that matter for hospitals and other healthcare organizations? MFT is a popular technology in those environments. It simplifies the movement of data to and from a hospital and its many partners. Depending on the size of the organization, that can mean thousands of daily transfers to hundreds of other organizations like banks, insurance companies, government agencies, medical support services, other hospitals and medical offices.
Managed file transfer software has been around for a long time, and most healthcare organizations have had their MFT systems in place for years, so it isn’t a technology that is top of mind. It’s been a steady, reliable performer that few think about, until they have to. And because of the events of 2023, they have to. That will lead to a re-thinking of how healthcare organizations send and receive data, and also of how they manage their digital supply chains.
Revisiting digital supply chains
When criminal hackers and ransomware gangs targeted managed file transfer platforms, it had a devastating effect on the organizations victimized by the attacks.
As of December 18, KonBriefing Research, which has been tracking the MOVEit attack, says 2,610 different organizations were breached, and nearly 90 million individuals have had their personal information compromised since June. The Ponemon Institute’s 2023 Cost of a Data Breach Report found that the average cost of a data breach for healthcare organizations is $10.93 million. For many hospitals, that can be a crippling financial blow.
Because of the vulnerabilities that have been exposed through these incidents and the unrelenting attacks targeting healthcare organizations, 2024 will see a lot of organizations taking a second look at their digital supply chains and the systems they have in place for managing them, looking to identify and mitigate any vulnerabilities they find.
Organizations are double-checking their MFT deployments to ensure that administrative dashboards are behind the firewall; that no sensitive data is stored on, or left unencrypted on, systems exposed to the public Internet; that vital functions like PGP encryption and public key management are automated; and that the transfer of data itself is automated to minimize the risk of human error.
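One concrete form of the "no unencrypted data left exposed" check above is a script that audits an MFT landing directory and flags any file that is not an OpenPGP-encrypted message. This is an added example, not code from the article or from any MFT vendor; it assumes the convention that every file staged for a partner is PGP-encrypted (binary or ASCII-armored), and the directory layout and file names are constructed for illustration.

```python
"""Flag files in an MFT drop directory that are not OpenPGP-encrypted."""
import os
import tempfile

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# OpenPGP packet tags (RFC 4880 section 4.3) that begin an encrypted message:
# 1 = public-key encrypted session key, 3 = symmetric-key encrypted session key
ENCRYPTED_MESSAGE_TAGS = {1, 3}


def is_openpgp_encrypted(data: bytes) -> bool:
    """Return True if the leading bytes look like an OpenPGP encrypted message."""
    if data.startswith(ARMOR_HEADER):
        return True
    if not data:
        return False
    first = data[0]
    if not first & 0x80:          # bit 7 is always set on an OpenPGP packet header
        return False
    if first & 0x40:              # new-format header: tag in bits 5..0
        tag = first & 0x3F
    else:                         # old-format header: tag in bits 5..2
        tag = (first >> 2) & 0x0F
    return tag in ENCRYPTED_MESSAGE_TAGS


def find_unencrypted_files(directory: str) -> list:
    """Return sorted names of regular files in directory that fail the check."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(64)    # the header is enough to classify the file
        if not is_openpgp_encrypted(head):
            flagged.append(name)
    return flagged


def demo() -> list:
    """Constructed sample drop directory: two PGP messages and one plaintext export."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "claims.pgp"), "wb") as f:
            f.write(ARMOR_HEADER + b"\n...")          # armored message
        with open(os.path.join(d, "labs.gpg"), "wb") as f:
            f.write(bytes([0x84, 0x00]))              # old-format PKESK packet
        with open(os.path.join(d, "patients.csv"), "wb") as f:
            f.write(b"mrn,last_name\n1001,Doe\n")     # cleartext, should be flagged
        return find_unencrypted_files(d)


if __name__ == "__main__":
    print(demo())
```

Run it against the real staging path on a schedule and alert on a non-empty result; the header check deliberately stops at the first packet, so a file that is PGP-signed but not encrypted (tag 8 or 2) is also flagged.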
New standards and regulations
What’s more, organizations are beginning to establish new standards for their digital supply chain partners that would require standardization on the secure file transfer protocol (SFTP) to ensure that first-level connections are secure. This is important because supply chain attacks can imperil organizations downstream from a compromised organization, as files shared with those partners are at risk of exposure.
It’s expected that some hospitals will abandon their “home grown” file transfer systems in favor of commercial products that are secure-by-design, supported with regular updates and patched as necessary. This will be especially prevalent in New York state if Gov. Kathy Hochul’s proposed cybersecurity regulations are adopted.
Among the changes in the draft would be a requirement that hospitals using systems developed in-house to manage data regulated under the Health Insurance Portability and Accountability Act (HIPAA) be certified as secure or be subject to penalties in the event of a breach.
Seeing the light amid code dark
Gov. Hochul’s proposed regulation followed a series of ransomware attacks affecting hospitals in her state that forced affected organizations to shut down their emergency departments, re-direct ambulances to other facilities and move patients who were at risk because of the systems that were taken offline.
“Code Dark” responses to cyberattacks are a blunt instrument for limiting the damage inflicted by ransomware gangs, but they can contribute to an increase in negative patient outcomes. In fact, the Ponemon Institute found a 20 percent increase in mortality for patients in hospitals that suffered a cyberattack. This is because vital patient data may not be readily available, medical equipment may not be operating properly if at all, and procedures may be delayed.
To end on a high note, many are optimistic that there will be improvements in these areas. Cyber criminals are as clever as they are heartless and greedy, but they will find that as the healthcare industry makes changes based on the hard lessons learned in the last few years, they will cease to be an easy target for hackers’ schemes. Instead of code dark, the healthcare industry will see the light. Data management tools and processes will be fortified, and digital supply chains will be strengthened.