Threat modeling for healthcare organizations involves systematically identifying, assessing, and addressing potential security risks associated with the storage and transmission of sensitive patient data. This proactive approach helps to protect digital health resources from cyber threats, ensuring the confidentiality, integrity, and availability of healthcare information systems.
When it comes to securing healthcare organizations, two things have become abundantly clear: Data breaches aren’t going to stop anytime soon and there’s more to protect than just data.
The number of data breaches in the healthcare industry is shocking. The U.S. Department of Health and Human Services (HHS) is required to post a list of breaches of unsecured protected health information affecting 500 or more individuals. There have been 875 since December of 2020. That’s more than one per day.
It’s more than just health records at risk though. Anything connected to a network, from surveillance cameras to medical devices, the so-called internet-of-things (IoT), are also at risk of attack.
It’s gotten so serious, that effective March 30, 2023, “the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse submissions for cybersecurity reasons.” If you can’t prove your medical device is secure, it’s not getting to market.
The Cost of a Breach
Whenever any company experiences a data breach, there are a whole bunch of direct and indirect costs to recovering from the breach. Everything from incident response costs to lost sales are the natural byproduct of such a breach. But in the healthcare industry, it’s worse.
Invariably, a data breach in the healthcare industry is also a HIPAA violation. There are different tiers of HIPAA violations, depending on how culpable the offending party is. According to the 2022 HIPAA penalty structure, the penalty for a violation can approach $2 million.
Additionally, healthcare data breaches can bring fees and fines from HHS, the Federal Trade Commission and state Attorneys General.
There’s also the possibility of harm caused by medical device hijacking. We know that’s the case because “Of the 40 executives from some of the largest medical device vendors and provider organizations, two from healthcare delivery organizations said 100-1,000 patients were harmed during an unreported adverse event associated with a medical device cybersecurity vulnerability.” A lawsuit is pending no doubt.
The bottom line? Almost any amount of money a healthcare organization spends, if it prevents a data breach or protects a device, it’s probably worth it.
A Strategy to Protect Devices and Prevent Breaches
To protect medical devices, the FDA introduced guidance to manufacturers for protecting devices, which includes the following six principles:
- Cybersecurity is an integral part of device safety and the QSR
- Security by design
- Transparency
- Security risk management
- Security architecture
- Testing/objective evidence
Along those same lines, HIPAA has developed The Security Rule to establish national standards to protect individuals’ electronic personal health information. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Security by design, security risk management, appropriate physical and technical safeguards. These are all the byproducts of implementing a threat modeling program. And implementing a threat modeling program is one very effective strategy for protecting medical devices and data breaches. And the threat model itself can be used by device manufacturers to provide the proof the FDA demands to know that devices are secure.
If you think threat modeling can help improve your healthcare security and aren’t sure where to begin, we encourage you to check out ThreatModeler. ThreatModeler is already being used by other healthcare providers to keep them out of trouble.
For questions or to learn more about ThreatModeler™ please contact us.
FAQs About Threat Modeling for Healthcare Organizations
What are the main reasons for the increase in data breaches in the healthcare industry?
The main reasons include the growing amount of sensitive data stored by healthcare organizations, increased use of network-connected devices (IoT), and the complexity of securing these systems.
What is the FDA's new requirement for medical device manufacturers, effective from March 30, 2023?
The FDA will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Starting October 1, the FDA can refuse submissions for cybersecurity reasons if the device’s security is not proven.
What are the potential costs of a data breach in the healthcare industry?
Costs include direct and indirect expenses, such as incident response costs, lost sales, HIPAA violation penalties, fines from HHS, the Federal Trade Commission, and state Attorneys General, and potential harm caused by medical device hijacking.
What are the six principles introduced by the FDA to protect medical devices?
The six principles are:
- Cybersecurity as an integral part of device safety and the QSR
- Security by design
- Transparency
- Security risk management
- Security architecture
- Testing/objective evidence
How does the HIPAA Security Rule contribute to protecting electronic personal health information?
The HIPAA Security Rule establishes national standards for protecting electronic personal health information, requiring appropriate administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security of the information.
How does implementing a threat modeling program help medical device manufacturers meet FDA requirements?
A threat modeling program helps manufacturers identify and address potential security risks in their devices, ensuring a secure design and providing the necessary evidence of security measures, as required by the FDA.