Crime on the internet began as spam and gradually became more complicated with designed viruses and malware. Today, ransomware attacks, cybercriminals, and data breaches are not just buzzwords in the information technology industry; they appear in news headlines almost daily. The Affordable Care Act and the Health Information Technology for Economic and Clinical Health Act (HITECH) have encouraged healthcare organizations and providers to integrate networks when providing services. Since healthcare data contains personal, sensitive, and financial information, it remains a lucrative target for cybercriminals. In this blog, we explore healthcare cybersecurity and what practices and hospitals need to do now to remain ahead of a potential breach.
Adopting healthcare technology is a complicated process that involves planning, implementation, and regular system updates. To address healthcare data breaches and security, the Health Insurance Portability and Accountability Act (HIPAA) introduced several technical and physical safeguards to protect sensitive healthcare information. The physical safeguards include workstation use, security controls for media and devices, and facility access controls. Technical safeguards include unique user identification numbers, emergency access procedures, automatic logoffs, encryption, and decryption. Despite all these measures, cybercriminals are finding novel ways to breach medical data.
Healthcare Cyber Attacks
Ransomware attacks can seriously affect, if not cripple, a healthcare organization. After one such recent healthcare data breach, a hospital had no option but to pay $17,000 in ransom to obtain a decryption key to regain access to their files. Also, the hospital lost 10 days of revenue due to its systems being inaccessible, not to mention the damage to the hospital’s reputation. In the past few years, 90% of healthcare providers have faced data breaches. Since 2010, cyber-attacks have increased by 125% and are a leading cause of healthcare data breaches.
According to a paper written by James Scott, a Senior Fellow at the Institute for Critical Infrastructure Technology (ICIT), more than 113 million EHRs have been exfiltrated since 2015, and a majority of hospitals have experienced a data breach in the past two years. Healthcare faces evolving cyber risks due to insider threats, poorly secured web portals, improper data handling, and under-regulated medical data mining. Per Scott, healthcare data is more valuable than financial data as it can be easily hacked from vulnerable web portals.
Once server message blocks (SMBs) are compromised by ransomware, IoT botnets, or malware, patients can be exploited. Healthcare data can also be stolen from unencrypted devices like laptops and smartphones. Cybercriminals can use patient data to falsify claims once they have access to the individual’s information. Data aggregators and brokers are another group posing a significant and least-suspected threat to healthcare data. Per Scott, aggregators and brokers have more incidents than hospitals due to their lack of data security efforts. Despite HIPAA, medical data brokers sell segmented and categorized patient lists.
Healthcare Industry Cybersecurity Task Force
As part of the Cybersecurity Act of 2015, Congress required the establishment of a Healthcare Industry Cybersecurity Task Force to review and analyze issues faced by the healthcare industry and ensure patient privacy. This eventually led to the foundation of the Healthcare Cybersecurity and Communications Integration Center (HCCIC), which over one year outlined six imperatives. In 2017, the United States Department of Health and Human Services (HHS) announced plans to create the National Cybersecurity and Communications Integration Center (NCCIC) to improve healthcare cybersecurity.
Healthcare organizations themselves are preparing for potential data breaches by upgrading security software, clearly defining cybersecurity duties for employees, using virtual local area networks (VLANs), protecting against deauthentication, adopting cloud computing, and training and retraining employees regularly about cybersecurity. It is expected that healthcare cybersecurity spending in the next five years will exceed $65 billion.
Rapid technological advances and evolving federal policy are the two primary drivers exposing healthcare to cyber threats. Healthcare IT infrastructure is struggling to catch up with rapid technological advances. Security companies and the government are making progress in preventing cyberattacks, but the healthcare industry is still lagging behind other sectors in protecting its data. It is important for healthcare organizations to invest funds in maintaining and ensuring the ongoing security of healthcare data and patient confidentiality and in protecting both from cybercriminals.