Healthcare organizations are still a top target for hackers
Security concerns will only grow in 2017, as cyber attacks become more focused and sophisticated. Healthcare organizations will continue to struggle to protect their networks and keep patients’ protected health information out of the wrong hands. Health Data Management sought predictions for the New Year from some of the nation’s top security experts.
They included Mac McMillan, co-founder and CEO of CynergisTek, a top-ranked information security and privacy consulting firm focused on the healthcare IT industry; David Finn, health information technology officer for Symantec; Tim Erlin, senior director of IT security and risk strategy for Tripwire; Brian Evans, senior managing consultant for IBM Security; and Lance Hayden, chief privacy and security officer for ePatientFinder.
Ransomware threat will continue to grow
Extorting payment for encrypted health data had a breakout year in 2016, and the threat will only grow in 2017, the security experts agree. Extortion attacks—whether its ransomware or some other attack—causes havoc and has proven to be effective “at eliciting the pay-up response,” McMillan says. “As long as it works, cybercriminals will use it.” Finn expects the threat of ransomware will grow throughout most of the year. Reducing the risk of these incidents will mean organizations need to improve strategies for backing up data, Hayden predicts.
Content Continues Below
Medical device vulnerabilities will demand action
The number of medical devices being used by healthcare organizations is growing, and many represent security risks for organizations. Some connect wirelessly to hospitals’ networks, and older models that run on older operating systems are particularly at risk for hacking. If they’re compromised, they may be used as an entry point to access hospital data. Others fear that infusion pumps or pacemakers could be hacked to provide dangerous medical care to patients.
Reimbursement uncertainty may reduce spending on security
With the changes expected from a new Trump administration in Washington, it’s difficult to know how reimbursements to providers will be affected. Finn of Symantec believes that uncertainties surrounding reimbursement will affect overall spending by healthcare organizations. “The lack of direction in the business of healthcare will adversely impact spending on health information technology and on security,” he predicts.
Too much technology could actually make security worse
More technology is emerging to protect networks and the information that flows over them—but relying on technology alone could rise as a major miscalculation by healthcare organizations, the experts contend. “Organizations that try to improve security by adding all manner of systems, technology and people with limited understanding of security or healthcare will make security worse—yes, it’s possible,” Finn says.
Security can be compromised at a non-technology level—because of the human element or because organizations don’t have a security strategy that’s right for the organization’s size and resources, Hayden says. Finn agrees: “Organizations that address security with a holistic approach using sound systems, security engineering techniques, and security design principles will make their systems less vulnerable; reduce damage caused by disruptions, hazards and threats; and improve resilience against attacks so they can continue to support critical missions and business functions after being compromised.”
Content Continues Below
Finding security workers will remain a challenge
Hiring qualified personnel with security experience is difficult nationwide, with shortages of workers reported in all industries. As a result, healthcare organizations are fighting to hire trained staff, and often are at a competitive disadvantage in paying for key staff. Experts expect 2017 to be just as challenging for healthcare organizations that want to hire information security professionals.
IoT and mobile devices will challenge provider security
The number of devices connected to the Internet—the so-called Internet of Things—continues to soar, expected to reach 20 billion by the end of the decade. They pose a variety of risks to healthcare organizations. McMillan notes that some of these devices are medical devices that connect to hospital networks over the Internet. “An overwhelming number of these are insecure,” he notes. Also, recent distributed denial of service attacks have shown that IoT devices can be co-opted to overwhelm web servers with requests, and that will raise the ante on protecting healthcare IoT devices.
As providers share more data, they’ll face increased risks
Recent final rules from agencies and legislation passed by Congress will increase requirements to share healthcare information to improve patient care. That’s great, but it also will increase the likelihood that information can be intercepted, the experts believe. “Sharing health data for treatment, payment and operations will expand—creating more opportunity for data loss and theft,” Finn predicts. That’s particularly true as data goes to vendors who have third-party supply chain relationships with providers, McMillan adds. “A growing number of breaches are involving third parties, and they have the potential to be huge incidents.”
Content Continues Below
Insiders will pose a growing risk for security
Most hackers need a hand in accessing data networks, and many times, that comes from insiders who, either accidentally or purposely, distribute network credentials. “Insiders will continue to be a problem in the security chain because healthcare will continue to ignore them as both a weakness and a strength,” Finn says. Hayden agrees, noting that healthcare organizations in 2017 need to create a culture of security that include management support and involvement, a strong training and awareness program. “Organizations need to engage users, through gamification, champion programs, and more,” Hayden adds.
Protecting data in the cloud will pose new challenges
Providers will put more healthcare data in the cloud in 2017, and that will raise the stakes on protecting patient information that’s offsite, McMillan says. “At some point, the threat will find a way to attack the cloud successfully, and when that happens, the only question is whether it will be all data or some, in terms of loss,” he says. “Innovation such as using the cloud is the proverbial double-edged sword. It’s an absolute necessity for advancement, but security continues to lag further behind, which ultimately risks the advancement.”
Providers will need to increase sophistication in detecting attacks
Providers will need to increase their sophistication in using analytics to detect unusual network activity, but that will be a struggle unless healthcare organizations have the acumen to use these tools, the experts contend. “Bad actors continue to be at the center of many incidents,” McMillan says. “Organizations must move to behavioral-based analytics if they hope to stop bad behaviors and fraud.”