Threat modeling for healthcare organizations involves systematically identifying, assessing, and addressing potential security risks associated with the storage and transmission of sensitive patient data. This proactive approach helps to protect digital health resources from cyber threats, ensuring the confidentiality, integrity, and availability of healthcare information systems.

When it comes to securing healthcare organizations, two things have become abundantly clear: Data breaches aren’t going to stop anytime soon and there’s more to protect than just data.

The number of data breaches in the healthcare industry is shocking. The U.S. Department of Health and Human Services (HHS) is required to post a list of breaches of unsecured protected health information affecting 500 or more individuals. There have been 875 since December of 2020. That’s more than one per day.

It’s more than just health records at risk, though. Anything connected to a network, from surveillance cameras to medical devices, the so-called internet of things (IoT), is also at risk of attack.

It’s gotten so serious that, effective March 30, 2023, “the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse submissions for cybersecurity reasons.” If you can’t prove your medical device is secure, it’s not getting to market.

The Cost of a Breach

Whenever any company experiences a data breach, there are a whole bunch of direct and indirect costs to recovering from it. Everything from incident response costs to lost sales is a natural byproduct of such a breach. But in the healthcare industry, it’s worse.

Invariably, a data breach in the healthcare industry is also a HIPAA violation. There are different tiers of HIPAA violations, depending on how culpable the offending party is. According to the 2022 HIPAA penalty structure, the penalty for a violation can approach $2 million.

Additionally, healthcare data breaches can bring fees and fines from HHS, the Federal Trade Commission and state Attorneys General.

There’s also the possibility of harm caused by medical device hijacking. We know that’s the case because “Of the 40 executives from some of the largest medical device vendors and provider organizations, two from healthcare delivery organizations said 100-1,000 patients were harmed during an unreported adverse event associated with a medical device cybersecurity vulnerability.” A lawsuit is pending no doubt.

The bottom line? Almost any amount of money a healthcare organization spends is probably worth it if it prevents a data breach or protects a device.

A Strategy to Protect Devices and Prevent Breaches

To protect medical devices, the FDA introduced guidance to manufacturers for protecting devices, which includes the following six principles:

  1. Cybersecurity is an integral part of device safety and the QSR
  2. Security by design
  3. Transparency
  4. Security risk management
  5. Security architecture
  6. Testing/objective evidence

Along those same lines, HIPAA has developed The Security Rule to establish national standards to protect individuals’ electronic personal health information. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Security by design, security risk management, appropriate physical and technical safeguards: these are all byproducts of implementing a threat modeling program. And implementing a threat modeling program is one very effective strategy for protecting medical devices and preventing data breaches. The threat model itself can also be used by device manufacturers to provide the proof the FDA demands that their devices are secure.

If you think threat modeling can help improve your healthcare security and aren’t sure where to begin, we encourage you to check out ThreatModeler. ThreatModeler is already being used by other healthcare providers to keep them out of trouble.

For questions or to learn more about ThreatModeler™ please contact us.

FAQs About Threat Modeling for Healthcare Organizations

What are the main reasons for the increase in data breaches in the healthcare industry?

The main reasons include the growing amount of sensitive data stored by healthcare organizations, increased use of network-connected devices (IoT), and the complexity of securing these systems.

What is the FDA's new requirement for medical device manufacturers, effective from March 30, 2023?

The FDA will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Starting October 1, the FDA can refuse submissions for cybersecurity reasons if the device’s security is not proven.

What are the potential costs of a data breach in the healthcare industry?

Costs include direct and indirect expenses, such as incident response costs, lost sales, HIPAA violation penalties, fines from HHS, the Federal Trade Commission, and state Attorneys General, and potential harm caused by medical device hijacking.

What are the six principles introduced by the FDA to protect medical devices?

The six principles are:

  1. Cybersecurity as an integral part of device safety and the QSR
  2. Security by design
  3. Transparency
  4. Security risk management
  5. Security architecture
  6. Testing/objective evidence

How does the HIPAA Security Rule contribute to protecting electronic personal health information?

The HIPAA Security Rule establishes national standards for protecting electronic personal health information, requiring appropriate administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security of the information.

How does implementing a threat modeling program help medical device manufacturers meet FDA requirements?

A threat modeling program helps manufacturers identify and address potential security risks in their devices, ensuring a secure design and providing the necessary evidence of security measures, as required by the FDA.