Cybersecurity continues to be a dominant issue in 2017. In early May, President Donald Trump issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
Less than a day later, a massive ransomware attack – aptly named “Wannacry“ – temporarily crippled the National Health Service hospitals and facilities in the United Kingdom.
In June, the U. S. Department of Health & Human Services (HHS) released a long-awaited Health Care Industry Cybersecurity Task Force report which found that Health Care Organizations (HCOs) are severely flawed when it comes to cybersecurity and that healthcare lags behind other sectors in safeguarding systems and sensitive information.
This was all within the first half of the year, but it’s hardly a new trend as the healthcare industry has experienced a staggering increase in data breaches over the past few years – an increase that shows no signs of slowing.
According to the Ponemon Institute, 89 percent of HCOs studied over the past two years have experienced a data breach involving patient data being stolen or lost. The HHS Office of Civil Rights breach portal shows that in 2016, more than 16 million individuals were affected by 329 breaches, with each breach estimated to cost around $7 million.
The question remains: why is healthcare data being targeted more than ever before, and how can HCOs transform security to meet tomorrow’s needs?
Bulls-eye on Target-Rich Healthcare Data
For starters, unlike other forms of identification, medical records contain extremely sensitive and target-rich personal data. The exploitable Protected Heath Information (PHI) found in an electronic health record (EHR) has a hefty price tag on the black market. The FBI estimates each partial EHR can go for $50, compared to $1 for a stolen social security number or credit card number.
Successful attacks are also more prevalent because older IT systems are often missing needed controls and protection, making them even more susceptible to attack.
Additionally, with the push toward more integrated care, medical data is now being shared across a dispersed and diverse spectrum of care providers and entities. The rapid adoption of EHRs and the widespread use of mobile devices among care providers has amplified security risks, as hackers now have easier, more direct access to valuable – and vulnerable – organizational assets.
Preparing for the Inevitable
The digitalization of healthcare has and will continue to make HCOs a premium target for cybercriminals moving forward. Cybersecurity experts agree that it's not a matter of if or when your data will be compromised, but rather how extensive and damaging the attacks will be.
There are, however, proactive steps HCOs can take to shore up their cyber hygiene and mitigate the impacts of cyberattacks:
• Have a plan. IT staff should conduct a risk analysis to identify vulnerabilities before problems arise and create targeted strategies to reduce the likelihood of an attack. More importantly, your plan needs to include how you are going to mitigate the identified vulnerabilities. Communications staff should be ready and armed with messaging to notify appropriate stakeholders when a breach takes place.
• Call in reinforcements. IT staff should ensure their current IT provider is taking a multi-layered approach to mitigating data breaches that combines perimeter and network-based security. This type of approach will significantly lesson the repercussions of a security breach.
• Regularly backup data. Of the malware attacks on the healthcare industry in 2016, notably 72 percent were caused by ransomware, a type of malicious software that threatens to publish victims’ data – or perpetually block access to it – unless a ransom is paid. All facilities should maintain updated, tested, secure backup solutions in the case that they should they fall victim to such an attack. Many vendors today offer multiple IT solutions that achieves this automatically without disrupting a provider’s normal workflow.
• Embrace the cloud. Many HCOs are shifting from storing data in on-premise IT infrastructure to a variety of cloud architectures, including hybrid systems of public and private cloud. This shift has a variety of benefits for HCOs, including increased agility, capacity, and resilience, as well as improved privacy and security of data. HCOs should determine which type of cloud arrangement best supports their organizational missions.
With the push toward more integrated care and widespread adoption of new technologies, now more than ever, HCOs must embrace comprehensive cybersecurity solutions. There is no single solution to this challenge, and it will continue to take diligent focus and effort to move the needle. HCOs must ensure they have the people, process and tools they need to face new and emerging cybersecurity threats.
As we continue our work with HCOs to shore up cybersecurity hygiene, it’s important to remember that in a world of digitization, compliance is not security, and security does not guarantee compliance. Both must work in harmony to meet the needs of HCOs and preserve sensitive and valuable data.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.