Hospitals and health systems are increasingly being targeted by cyberattackers looking to gain valuable identification information.
The massive cyberattack on Franklin, Tenn.-based Community Health Systems in August 2014 that breached the data of 4.5 million patients helped bring the issue of cybersecurity and protecting organizations against malware and hackers to the forefront of the collective industry's mind.
Here are five current trends in healthcare cybersecurity.
1. The U.S. Federal Bureau of Investigation has repeatedly warned the healthcare industry of the threat hackers and other malicious actors pose. In April 2014, the FBI said healthcare cybersecurity systems lag behind the cybersecurity systems of other industries. Reuters obtained a private notice the FBI was distributing to healthcare providers which said, "The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is more likely."
Again in August last year, the FBI distributed a "flash" alert to healthcare providers indicating the agency "observed malicious actors targeting healthcare related systems." This notice came several days after reports of the CHS cyberattack first surfaced, though the alert did not allude to a specific provider.
2. Despite the imminent threat to hospitals, nearly three-quarters of C-suiters do not believe chief information security officers should be part of an organization's leadership team, a survey by ThreatTrack Security, a cybersecurity solutions developer, found. The survey gathered responses from 203 C-level executives about the CISO's role. Even more incongruent, 55 percent of respondents said the CISO should assume responsibility for data breaches, but just 46 percent said they should be responsible for cybersecurity purchasing decisions.
3. Healthcare organizations are also being targeted by cyberattackers because the information they can gather from such invasions (personal, identifiable information) is more valuable than information they could collect from other sources (financial information). Experts suggest medical information is up to 10 times more valuable than financial information like a credit card number on the black market. Hackers can essentially sell identities using personal data on the black market, create fake identifications to buy medical equipment or drugs and file fraudulent claims with payers. Additionally, medical identity theft isn't always immediately apparent, so hackers have more time to use stolen credentials for fraudulent purposes, unlike credit cards, which can be instantly cancelled upon fraud detection.
4. It isn't just hospitals and health systems that are being attacked. Medical device companies, and their very devices, are also at risk for malicious activity. The National Institute of Standards and Technology recently suggested infusion pumps pose a cybersecurity threat to hospitals, offering hackers an "in" to the rest of the hospital network. In October 2014, the U.S. Food and Drug Administration released cybersecurity guidance for medical device makers, encouraging manufacturers to consider and implement cybersecurity measures during the device design process and to find ways to make devices safer without impeding functionality.
In April last year, researchers presented the results of a study indicating medical devices can "leak" data to the Internet, often as a result of a poorly configured network. What's more, since hospital and health system networks are generally connected to other networks — such as pharmacies, laboratories or other providers — an attack on one hospital's system through such a data leak can have far-reaching ramifications.
5. Hospitals already take measures to protect their assets, and many are starting to purchase cybersecurity insurance to cover costs and/or losses associated with breaches, malware and other cyberattack events. According to market research conducted by Marsh, the number of Marsh healthcare clients purchasing cyber insurance rose 11 percent from 2012 to 2013. Given the renewed focus on healthcare cybersecurity, this number can be expected to continue to grow.