2018 was a terrible year for data breaches in the healthcare industry, and 2019 is predicted to be even worse as healthcare organizations move towards increased connectivity and cloud computing without investing in proper cybersecurity measures. In 2018, in the United States, over 15 million patient records were breached, up from 5.5 million in 2017. Over the year, The Department of Health and Human Services’ Office for Civil Rights (OCR) received 351 notifications of healthcare data breaches, each with 500 or more healthcare records being compromised.
Why are medical records so sought after? Healthcare records are a virtual data smorgasbord for cybercriminals as they contain patient health and identification data that can’t be easily altered or deleted. Patient medical records are sold on the black market for up to $363USD – far more lucrative than information records from other industries.
Patient medical records include high-value information, such as:
- Patient name
- Contact information
- Social security/Social insurance number
- Biometric data
- Diagnoses information
- Medical and X-ray images
- Facial recognition imagery and unique identification characteristics
- Named beneficiaries
- Account numbers and licensing information
While data breaches cost the United States healthcare industry approximately $6.2 billion per year, the healthcare industry on average earmarks less than six percent of its overall budget to cybersecurity. Research shows that 51 percent of cyber violations are repeat offences. This indicates that healthcare systems amass risk that compounds over time if proper reporting, education, and discipline are lacking.
Patient information is compromised through:
- Disposal mistakes
- Privileged access abuse
- Mishandling data
- Ransomware attacks
Bigger Threats Could Impact Health and Treatment
However, bigger concerns are brewing in healthcare cybersecurity beyond the theft of data. Imagine a patient is laying on an emergency room table having a stroke and requiring a CT scan. When the doctor looks at the computer screen, all she sees is a pop-up ransomware message demanding a bitcoin payment. Moments later, the doctor is told that the same ransomware demand shut down the CT scanner. She’d have to treat the patient blind, not able to see if a clot or bleeding caused the stroke. The Canadian Standing Senate Committee on Banking, Trade and Commerce reported that “Hackers have held hospitals hostage by encrypting their critical systems and demanding money to restore them.”
Connected networks and Internet of Things devices hold great promise for the healthcare industry; however, they also make it more susceptible to ransomware and malware. Ransomware in healthcare, globally, is on the rise. The healthcare industry accounts for almost half of all ransomware attacks at 45 percent. And, earlier this year, researchers in Israel publicized the creation of a computer virus able to add tumours into CT and MRI scans. This malware can trick doctors into misdiagnosing famous or influential patients reports The Washington Post.
Despite rising cyber threats, a majority of hospitals and physicians are unprepared to handle cybersecurity attacks, even though they could pose a significant problem for public health. Healthcare providers also need to be aware of the role that insiders play in breaches and plan security measures accordingly.
The Threat Posed by Healthcare Insiders
58 percent of healthcare breach incidents involved insiders. The healthcare industry is the only one in which internal actors are the biggest threat to an organization. A recent breach highlights the damages that an insider can cause. A medical assistant stole patient data for fifteen years before being caught. The assistant took the data and sold that sensitive information to others who committed federal crimes using the data. Research shows that the majority of breaches are motivated by financial gain, with healthcare professionals often using patient information to commit tax and credit fraud. In 2017, Verizon found 876 breach incidents initiated by insiders. Sixty-six percent of internal and external actors abuse privileged access credentials to access databases.
Healthcare providers need to take a zero-trust approach to protect patient records. Securing healthcare data is a little like balancing on a tightrope. You want to ensure the data is locked down, but you don’t want it so inaccessible that in an emergency, professionals can’t get to the information that they need to treat the patient in a timely fashion. Speed of access can literally be the difference between life and death.
Here are some ways to improve your healthcare organization’s cybersecurity:
Take into account all threat entry points.
A threat entry point is another name for a system vulnerability that can be easily breached by hackers. If a cyber threat actor exploits this vulnerability, they can install a virus that slows your network, or gain access to sensitive patient information, or remove defences to weaken your system, making it more susceptible to future attacks. Having a cybersecurity solutions provider, like ISA, conduct a vulnerability assessment, penetration testing and threat risk assessment is an excellent first step in making your healthcare organization safer.
Educate employees about cybersecurity.
Cybersecurity firms employ robust firewalls and other technology defences, but human error remains the weakest link in your cyber-defences. Education minimizes human error. From cyber hygiene to phishing emails, employees need to be taught what good cybersecurity behaviour is – and what practices need to be avoided. Teach employees how to spot suspicious emails, threats and risky websites so they can avoid inadvertently clicking on a malicious link. Cybersecurity training should be continual and updated as the threat landscape changes or new technologies are introduced into the network.
Create and practice an incident response plan for your organization.
An incident response plan is a proactive and necessary part of good cybersecurity. It starts with planning and preparation before a breach occurs, ensuring that your system security is up-to-date and that users know what to do when a breach occurs. Stay current on the changing threat landscape and adapt your incident response plan accordingly.
Partner with experts who understand the intricacies of healthcare cybersecurity.
These elements are all part of creating a culture of cybersecurity in your healthcare organization. Of course, identifying your weaknesses, educating your employees and preparing your incident response planning isn’t enough. You also require a battle-ready infrastructure.
Healthcare providers need to strengthen their digital security, with the same devotion they invest in restoring patients to health. In partnership with healthcare cybersecurity experts ISA, your organization can ensure a layered security approach and a strong defence. Talk to the cybersecurity solutions specialists at ISA, who have over 27-years of demonstrated industry excellence, about how to protect your healthcare organization from a cyber attack.