Healthcare cybersecurity is a pressing concern for Chief Information Officers (CIOs) across the healthcare industry. The level of concern should come as no surprise to anyone paying attention to cybersecurity news, and a new survey shows healthcare is one of the most targeted industries in operation today. Along with healthcare, the most commonly attacked industries are manufacturing, transportation, financial services, and government.
In exchange for product innovation, many healthcare companies have neglected to maintain robust and fire-tested data networks. When you add cloud technology into the mix, you have a recipe for data breaches and the chaos that those incidents can bring. The level of concern expressed by leaders of cybersecurity in healthcare is appropriate even if it’s late in coming. Given the very real threat that hackers and organized digital crime syndicates pose, the healthcare industry is long overdue in addressing this serious structural problem.
With increasing regularity, major brands are being targeted – and many times successfully compromised – in the fight for personal data. The past year’s news headlines reveal that organizations from small startups to large multinational corporations are at risk.
Personal data that’s obtained illicitly represents one of the most profitable enterprises on the dark web. Far-flung data thieves and shady purveyors of stolen data are reaping vast sums of money for virtually no work and almost no risk.
Until business leaders become ready to merge medical innovation with information architecture, the cybersecurity problems in the healthcare industry will only grow.
Cybersecurity challenges in healthcare
Cybersecurity in healthcare faces many challenges. In 2016, Protenus collaborated with DataBreaches.net to analyze data from the Health and Human Services breach reporting tool, finding an average of 37 attacks for each month of the year – more than enough to account for one or more breaches each day, every day of the year. Surprisingly, insiders were responsible for more than 40 percent of the incidents.
“43% of the 2016 health data breaches (192 incidents) were a result of insiders. For the 162 incidents for which we have more detailed numbers, 2,000,262 patient records were affected. For the purpose of our analyses, we characterized insider incidents as either insider-error or insider-wrongdoing. The former included accidents and anything without malicious intent that could be categorized as “human error.” Insider-wrongdoing included employee theft of information, snooping in patient files, and other cases where employees appeared to have knowingly violated the law.
99 of these incidents were a result of an insider-error or accident, while 91 incidents were a result of wrongdoing. In two cases, there was insufficient information to determine whether the incidents should be coded as error or wrongdoing.”
There’s no shortage of obstacles to implementing best practices in what has become a data-intensive, cloud-based industry. No system is ever 100% secure, because systems are built and operated by people, and people make mistakes. Even the most secure system is only as strong as its individual users, and in practice only as strong as the least disciplined of them. Whether a lack of training, awareness, or education is at play, the users of a system represent the greatest threat to that system.
Common tactics of cyber criminals
It’s true that malware and ransomware represent significant threats to cybersecurity in healthcare, but this is only one aspect of security in general. Here are four of the tactics most commonly used by cybercriminals.
1. Phishing
Perhaps one of the oldest forms of data hacking is one that requires participation by the user of a secure system. The target of a phishing message is often an end customer, a patient, or a professional. Organizations without disciplined security practices may fall prey to a seemingly official email attempting to solicit information.
2. Legacy systems
Advancing technology in healthcare is not an evenly-distributed practice. Departments such as radiology, which run many aging imaging systems, often find those systems connected to modern networks, where they serve as an easy point of entry; hackers are finding legacy systems to be easy targets.
3. Unpatched/outdated medical devices
There are hundreds – if not thousands – of devices in hospitals, all responsible for performing any number of services for patients. Each of these devices has an operating system and is likely connected to other computers and the data network. With an older operating system or one that hasn’t been patched for security vulnerabilities, a gold mine awaits data thieves.
4. Extortion and ransomware
As a measure of the increase in sophistication of cybercrime, thieves are extorting their victims by demanding payments in exchange for reversing damage to information that has become compromised within their own systems. Despite promising to reverse the damage of an attack, cybercriminals may flee with the payment and disappear without delivering remediation.
Phishing schemes, cloud-based threats, weaknesses inherent in encryption protocols, and more can combine to form the perfect storm of catastrophic harm and spiraling costs from litigation.
Investment in recent decades has been primarily directed at the infusion of technology to enhance the level of care patients receive, rather than building a solid foundation of security infrastructure to handle the innovation. Smaller companies may be more inclined to purchase expensive equipment that can produce revenue over choosing to make improvements to their security operation.
Prioritizing innovative care may be a noble pursuit, but it may also have been a short-sighted one in the context of cybersecurity threats to healthcare. Without a strong culture of cybersecurity, healthcare will continue to be subject to stymied growth and rapidly-eroding profits as industry leaders fall prey to systemic vulnerabilities.
Benefits of investing in healthcare cybersecurity
In today’s technological world, the question is not if an organization will be a victim of a cyber-attack, but when. Using connected devices without adequate cybersecurity measures is the virtual equivalent of leaving the doors and windows unlocked.
In 2018, 12 State Attorneys General filed the first multistate data breach suit in history over a 2015 breach of the information of more than 3.9 million individuals. This lawsuit was the first of its kind and has put the healthcare industry on notice. The companies named in the suit have been accused of maintaining substandard protections for patient data leading to the 2015 breach.
“Intermittently between May 7, 2015, and May 26, 2015, unauthorized persons (“hackers”) infiltrated and accessed the inadequately protected computer systems of Defendants. During this time, the hackers were able to access and exfiltrate the electronic Protected Health Information (“ePHI”), as defined by 45 C.F.R. § 160.103, of 3.9 million individuals, whose PHI was contained in an electronic medical record stored in Defendants’ computer systems. Such personal information obtained by the hackers included names, telephone numbers, mailing addresses, usernames, hashed passwords, security questions and answers, spousal information (names and potentially dates of birth), email addresses, dates of birth, and Social Security Numbers. The health information obtained by the hackers included lab results, health insurance policy information, diagnosis, disability codes, doctors’ names, medical conditions, and children’s name and birth statistics.”
Companies with robust security programs may still be found negligent following incidents involving theft of patient data. Even if a company’s security organization is the best in its industry, if that industry is failing to meet modern best practices, then the burden rests on the provider.
Without a doubt, the biggest benefit of investing in cybersecurity is insulation from liability, but that’s not all. The benefits of having implemented successful efforts in improving cybersecurity in healthcare are two-fold – benefiting the organization’s reputation in the marketplace while also securing a more favorable environment.
In a world where stolen patient data can earn cybercriminals many times the profit of stolen credit cards, one would be foolish to assume anything but a radical change to cybersecurity investment is warranted. Intrusion testing reduces risk and defends through knowledge. Run a full spectrum test against your external exposure to identify weak areas and vulnerabilities. Assess and report for HIPAA compliance.
How to improve healthcare cybersecurity
Knowing that a security situation must change is sometimes a simpler affair than knowing what exactly needs to be done about it. Paths to improved cybersecurity in healthcare come from technology, company culture, and the innovators themselves. Business leaders know the way to effect change is to foster it directly. Any change to a culture within an organization must come from a top-down commitment from business leaders. Failing to manage a culture change can lead to half-hearted attempts that do little more than weaken business leaders’ standing in the minds of employees.
Successful implementation of cybersecurity changes happens in a coordinated fashion. Efforts are organization-wide, targeting all members of the company from the top leadership down to the end user. Only by instituting change from the top-down can business leaders be certain that the entire organization is benefiting. The same is true for cybersecurity threats in healthcare – when security best practices are instituted in the same way as product enhancements, the healthcare company succeeds.
By focusing on a cybersecurity strategy centered around endpoint security best practices, and by remedying outdated systems, healthcare companies and the mission-critical data operations that they depend upon will be that much safer. Positioning healthcare to innovate while also responding to emerging threats is a practice sure to enhance the industry’s ability to grow.
Cybersecurity improvements to consider
Here are four of the most pressing improvements to consider for healthcare cybersecurity.
1. Development and implementation of global data access policy
When organizations, innovators, and network administrators collaborate, implementing security protocols that determine how data should be handled is of utmost importance. Policies should restrict access to data across geographies and between user roles, and data access reporting must notify administrators when inappropriate access to data has occurred.
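To make the policy described above concrete, here is an added example (not code from the original article or from Source 1 Solutions) of a small access-control check that enforces region and role scoping, records every decision in an audit trail, and surfaces the inappropriate-access alerts an administrator would want to see. The users, records, role-to-field table and the "three denials" threshold are all constructed for illustration.

```python
"""Region- and role-scoped access checks with an audit trail that flags
inappropriate access. Constructed example: users, records, the role/field
table and the alert threshold are hypothetical, not from any real system."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str      # "clinician", "billing" or "admin"
    region: str    # geography the user is allowed to work in


@dataclass(frozen=True)
class Record:
    record_id: str
    region: str            # geography where the patient's data is held
    care_team: frozenset   # user ids assigned to this patient


# Hypothetical policy table: which data fields each role may read.
# Admins provision accounts but read no clinical or billing data.
ROLE_FIELDS = {
    "clinician": {"demographics", "diagnosis", "lab_results"},
    "billing": {"demographics", "insurance"},
    "admin": set(),
}

# Constructed sample directory.
USERS = {
    "dr_lee": User("dr_lee", "clinician", "us-east"),
    "ms_ray": User("ms_ray", "billing", "us-east"),
    "dr_kim": User("dr_kim", "clinician", "eu"),
}
RECORDS = {
    "R1": Record("R1", "us-east", frozenset({"dr_lee"})),
    "R2": Record("R2", "us-east", frozenset()),
    "R3": Record("R3", "eu", frozenset({"dr_kim"})),
}


def check_access(user, record, fields):
    """Return (allowed, reason). Checks run most-restrictive first:
    cross-region access, then role/field mismatch, then care-team scope."""
    if user.region != record.region:
        return False, "cross-region access"
    disallowed = set(fields) - ROLE_FIELDS.get(user.role, set())
    if disallowed:
        return False, f"role {user.role} may not read {sorted(disallowed)}"
    if user.role == "clinician" and user.user_id not in record.care_team:
        return False, "not on care team"
    return True, "ok"


class AuditLog:
    """Append-only record of every access decision, with alerting."""

    def __init__(self, burst_threshold=3):
        self.entries = []
        self.burst_threshold = burst_threshold  # hypothetical tuning value

    def request(self, user_id, record_id, fields):
        allowed, reason = check_access(USERS[user_id], RECORDS[record_id], fields)
        self.entries.append({"user": user_id, "record": record_id,
                             "fields": sorted(fields), "allowed": allowed,
                             "reason": reason})
        return allowed

    def alerts(self):
        """One alert per denied access, plus a repeated-denial alert for any
        user whose denials reach the threshold (a snooping indicator)."""
        alerts, denied = [], Counter()
        for e in self.entries:
            if not e["allowed"]:
                alerts.append(f"DENIED {e['user']} -> {e['record']}: {e['reason']}")
                denied[e["user"]] += 1
        for user_id, count in denied.items():
            if count >= self.burst_threshold:
                alerts.append(f"REPEATED {user_id}: {count} denied attempts")
        return alerts


def run_demo():
    """Replay a constructed sequence of requests and return the audit log."""
    log = AuditLog()
    log.request("dr_lee", "R1", {"diagnosis"})      # allowed: own patient
    log.request("ms_ray", "R1", {"insurance"})      # allowed: billing field
    log.request("ms_ray", "R1", {"diagnosis"})      # denied: clinical field
    log.request("dr_lee", "R3", {"diagnosis"})      # denied: EU record
    log.request("dr_lee", "R2", {"lab_results"})    # denied: not on care team
    log.request("dr_lee", "R2", {"demographics"})   # denied: third denial
    log.request("dr_kim", "R3", {"lab_results"})    # allowed: own patient
    return log


if __name__ == "__main__":
    for line in run_demo().alerts():
        print(line)
```

The point of logging allowed decisions as well as denials is that "inappropriate access" in the insider-snooping sense is often technically permitted; the denial counter here is the simplest signal, and a real reporting pipeline would add checks such as a clinician reading records outside their patient panel or unusual volumes after hours.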
2. Create a cyber-secure culture
Many data breaches occur because an employee is improperly trained. In rare cases, employees access data to leverage it for their own ends. Fortunately, malicious employees represent a small fraction of employee-related issues. Training and preventative measures can only help employees in the effort of becoming more secure and are as pertinent as continuously applying security patches. Access control security not only helps to prevent potential security breaches, but it also helps streamline operations, frequently consolidating account creation and user provisioning within the IT department.
3. Distribution of security protocols
Employing high-grade security measures within critical data centers and central processing systems makes sense. Failing to proliferate these practices down to the medical device, however, is shortsighted and leaves wide open opportunities for cybercriminals. Corporate policies form the backbone of company protocols, and these protocols lead to the formation of operational processes.
4. Focused endpoint security
Revising policies dedicated to endpoints, whether they be users or devices, is another area of critical importance. Consider employing penetration testers and security consultants whose job involves simulating real hacking scenarios. Finding a vulnerability in electrophysical implants, for example, allows manufacturers to work with regulatory agencies in coming up with a solution that preserves patient safety and investments in innovation.
Structural changes to cybersecurity in healthcare are critical, but only form a representative sample of priorities. Another area where healthcare cybersecurity must improve is in the timeline to recognizing and responding to incidents. Regulators and the public at large have limited patience when it comes to reporting data breaches. Every incident that takes place, and every delay in reporting it, further damages the trust that consumers place in providers.
An act of cybercrime may occur in just minutes, but companies may take days, weeks, or months to determine whether a breach has taken place. In November 2018, hotel chain Marriott admitted 500 million guests were hit by a cyber-attack… from 2014. The hotel giant said the information was taken from the Starwood guest reservation database, amounting to a goldmine of data for an identity thief.
What’s more troubling is in most cases, it’s up to a third-party to inform a provider that a breach has taken place. Even worse, some companies fail to report breaches altogether, incurring the wrath of regulators, shareholders, and the public when word of the breach eventually surfaces. Consumers take the ambiguous threat of data theft seriously, and a single breach can lead to years of negative publicity and serious damage to consumer trust.
In the healthcare industry, there’s no shortage of cybersecurity threats, but by fostering change from the top of organizations and revamping every aspect of data security and company culture, a stronger and more resilient era is on the horizon.
In any industry, especially one whose livelihood depends on a complex network of cloud and data services like healthcare, cybersecurity threats are always part of the equation. CIOs across the healthcare industry are urging swift action, both in terms of resources and developing new ways to secure data.
When a crime can be perpetrated in minutes, taking weeks or months to understand the nature of what has transpired leaves the healthcare company far from able to mount a defense. Only by improving the monitoring and secure data handling policies can the healthcare industry be able to combat and prevent breaches from occurring.
Threats to healthcare cybersecurity may not be unique to that one industry, but the intense drive to profit from stolen patient data is certainly a large part of the reason why this situation may worsen before it improves. In a world where societies depend and rely upon healthcare companies for their physical wellbeing, people are naturally disposed to wanting to trust brands with their health. While that trust may be misplaced, it’s the healthcare innovator that stands to gain from implementing new technologies that enhance care with solid systems protecting a patient’s privacy.
There may be no better time than right now for CIOs to lead industry-wide initiatives to reinforce network and data security for the next generation of healthcare innovations. Without a large-scale effort and significant investment, healthcare cybersecurity will languish, and the profitability of brands may follow similar declines.
Any significant investment in healthcare cybersecurity must come from direct resource reallocation decisions. Teams must be hired, and technology must be expanded to be robust and adaptive to threats as they emerge. The rampant rise of cybercrime and an industry’s inability to protect consumer data from theft does not spare those companies from litigation and the very real harm that results.
Source 1 Solutions understands the needs of cybersecurity in healthcare. With unique challenges and regulatory requirements, we design customized solutions to address complex safety issues and facility architecture. Patient security and safety is our priority. We’ll complete a detailed security review to engineer a perfect design for every room of the hospital or healthcare facility.