How to better prepare for inevitable cyber attacks
Any healthcare company or provider knows the obvious—hackers are working hard to get into their networks.
The industry has long been in the top 10 for the number of records compromised in data breaches, and now has moved to first place, with more than 100 million records compromised, according to the 2016 IBM X-Force Cyber Security Intelligence Index.
Part of the reason—and perhaps the major driver—is economics. Experts believe that a stolen medical record is worth more than 10 times a stolen credit card.
Preventing incursions has proven consistently difficult because threats evolve to take advantage of discovered vulnerabilities. As the technology and strategies of hackers constantly evolve, the industry has proven to be an easy target because, historically, it has spent less on cybersecurity than other regulated industries.
That must change. Forward-thinking companies will take proactive steps to assess their risk, map out specific strategies to respond swiftly and effectively to any threat, and invest what they can in preventative systems and diagnostics.
To manage cyber threats, healthcare organizations must fully grasp the scope of the challenge before them. Here are a few current cyber risks facing the healthcare industry.
Malware. Malware is software intended to damage or disable computers and computer systems. The debilitating consequences of malware could be dangerous for, say, a hospital treating patients in real time while relying on electronic health records. The challenge of malware is that it can infiltrate any number of electronic systems through several channels. For example, phishing attacks, in which targeted emails carrying malware-laden links are sent to employees, are on the rise and getting increasingly sophisticated. They can only be guarded against by careful training for every employee combined with advanced computer security software.
Ransomware. Ransomware is a type of malware in which the attacker negatively impacts an electronic system unless the user pays a ransom. Healthcare providers are an increasingly popular target because their need for up-to-date information for patient care can make them more willing to pay a ransom. The industry is also facing increased concern about the potential dangers if medical devices are hacked. For example, the FDA previously issued a safety notice about an infusion pump potentially having cybersecurity vulnerabilities, which sparked further regulatory guidance on the issue and fueled public speculation about the consequences of a serious vulnerability in any device.
Increased migration of data. As healthcare records increasingly are digitized, healthcare organizations have been able to enhance patient care by more efficiently sharing records with business partners. For example, organizations can more easily transfer patient data with third-party laboratories, vendors handling billing or claims processing, equipment manufacturers, and even other associated healthcare providers, such as an Accountable Care Organization (ACO). However, increased sharing creates more vulnerability points for that data. Organizations should thoroughly vet the security measures that are in place for any third parties with which they share data, and ensure that the methods of transferring that information are fully encrypted.
Use of Cloud Computing. One way healthcare organizations share information, and otherwise host information, is through the use of cloud computing. But cloud computing has its own risks. Some cloud services have been found to have cybersecurity vulnerabilities. Larger services may offer greater security, but they may also be a larger target for hackers, given the amount of data they store. The organization also loses an element of control, not only over the services and pricing the vendor offers, but also over how that vendor may respond to requests for that data, such as from the government. Any cloud vendor should be carefully evaluated before engagement, and all contracts governing its services should include appropriate provisions to protect the organization. Healthcare entities can also refer to the new Guidance on HIPAA and Cloud Computing that the Department of Health and Human Services recently released, detailing the agency’s position on the obligations of covered entities and business associates that use cloud service providers to manage their electronic protected health information.
Healthcare companies and providers shoulder a large burden in protecting their data, equipment, and computer systems from cyber threats, particularly as any breach has costly and potentially dangerous consequences. Companies should keep their systems and software as up-to-date as possible, train users about the risks, conduct routine security assessments to review vulnerabilities, and stay abreast of industry trends in cyber issues.