Healthcare data breaches have risen nearly every year from 2010 through 2019 and the cybersecurity risks jeopardize hundreds of millions of patients records. Although physical theft used to be the data breach method of choice, now hacking has become the most prevalent method. This partly stems from more information being stored electronically and network servers becoming a more attractive hacking target.
However, much like the rest of the world, healthcare organizations are shifting work to cloud services in order to improve accessibility and patient care. The migration of these workloads and moving valuable information such as PHI (personal health information) and PII (personally identifiable information) to the cloud has also led to cyber criminals taking a particular interest in the industry. Having shifted workloads to the cloud, healthcare organizations have highly connected systems that run the risk of being deeply affected even if the attack takes place on smaller,partial systems. In other words, a cyber attack in one place could bring down the entire system. In May2017, the WannaCry ransomware attack forced multiple hospitals across the United Kingdom to turn away ambulances transporting patients and cancel surgeries that were within minutes of starting. Even basic processes like admitting patients and printing wrist bands were compromised.
The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk.One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.
A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cyber criminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it fora longer period of time.
Data breaches cost the healthcare industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.
The continued under investment in cybersecurity has left many so exposed that they are unable to even detect cyber attacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.
As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in healthcare is on the rise.
“So, What is Wrong With the Picture?”
The base question to ask is “Who would be interested in hacking patient data?” It is precisely this attitude together with the rat eat which healthcare refreshes its technology that exposes healthcare organizations to a high risk of cyber-attack. The fact that makes the industry appealing to hackers: ransom for money;denial of service for malice and money; stealing confidential data;compromising data; identity theft and compromising devices. The scale of disruption and impact to busy healthcare settings already operating at capacity caused by a cyber-attack needs no explanation. The reality covers the four main domains:
- Leadership: Ownership of the issue
- Culture/Staff responsibility/awareness: Training and awareness of cybersecurity and its related implications
- Policies and procedures: Understanding of business continuity processes and incident response procedures
- General cybersecurity knowledge: Use of fundamental security processes that are currently followed within the organization to mitigate security breaches, e.g., use of USB, on- and off-boarding processes, password policies,organizational asset register,and so on.
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Consequently, many common threats continue to be problematic in healthcare, including:
- Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to rectify the encryption.
- Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
- Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
- Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from the users.
- Encryption blind spots: While encryption is critical for protecting the health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
- Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.
Another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems.
How are Hackers Achieving this, You Would Ask?
Hackers usually access information in one of two ways. They can try‘social hacking’, which means tricking a human being into giving oversensitive information or security credentials which in turn allows access to sensitive information. This could happen by tricking either someone who works directly for the provider, or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance, could you please provide these sensitive details for me?’. The second way is brute force:directly attacking a security system.
Once Hackers Get Access to The Data, What Do They Do with It?
In some cases, hackers access sensitive data, extract it, and lock it off. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is for them to lose all records of their patients which they will never be able to replace.Another possibility, is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.
What Can the Healthcare Industry Do to Mitigate Cyber Threats?
The industry must realize that cybersecurity is human-centric. Gaining insight into the users’ behavior, for example, or the flow of data in and out of the organization improves risk response.
Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.
Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all people on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.
Furthermore, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.
In Simple Terms: How Do We Improve Cybersecurity?
Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals need to play an important role in ensuring that medical organizations remain secure. Individual healthcare organizations can improve their cybersecurity by implementing the following practices:
- Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
- Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
- Maintain good computer habits: New employee on boarding should include training on best practices for computer use, including software and operating system maintenance.
- Use a firewall: Anything connected to the internet should have a firewall.
- Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
- Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations must consider storing this backed-up information away from the main system if possible.
- Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
- Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly.
- Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
- Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.
How to Defend Against the Growing Threat?
Deterrence, prevention, detection and response all have their place.
Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything.
Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly detection methods are particularly good for these purposes, as are rule-based detection mechanisms.
Security information and event management or log management tools can augment data collection efforts.
In addition to deploying technology tools to help defend against and detect intrusions, it’s important to formally define roles and responsibilities for incident response. Organizations need to document procedures that specify what the response team should do if there’s an incident and test those procedures periodically.
It’s not just one technology, it is multiple technologies in order to repel these highly sophisticated and organized attacks. That includes deploying SIEM, as well as multi factor authentication to enter critical systems.
The Internet is increasingly a swamp. It’s no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users log, application logs and server logs, and looks for non obvious associations.
To improve cybersecurity in health care, organizations need to hire informatics professionals who not only collect, manage and leverage data, but protect it as well. In addition, health data professionals need to on a continuous basis develop new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.We know that reaching 100% security against cyber attacks is not realistic but, with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.
About the author
Kris Seeburn is an enterprise trainer and a member of Advisory Board of The New Security Foundation, Member of The American College of Forensic Examiners & Institute of Forensics Science