In an age of ever-increasing cybercriminal activity, the healthcare industry continues to lag behind other industries in cybersecurity preparedness. This lack of attention to cybersecurity has hurt the industry in terms of stolen data, massive fines, and loss of consumer confidence.
The industry’s constant struggle to keep up with growing cybersecurity demands is especially concerning given that electronic protected health information (ePHI) is an attractive target for cybercriminals. Healthcare is an attractive target for a variety of reasons, and what is a financial gain for a cybercriminal can cause immense damage to the individuals affected. Patient records, for example, are of great value because the personal information they contain cannot be easily changed; personal medical records can be sold for up to $100 each on the dark web, depending on the level of detail in the record. Reuters reports that electronic health records are far more valuable to cybercriminals than financial information.
It’s not just patient data that is at risk, but patients themselves. A recent ransomware incident forced a local hospital to divert ambulances to another facility while it dealt with the loss of its computer infrastructure. This incident is an example of how the consequences of cybersecurity breaches in the healthcare industry can extend beyond financial inconvenience and have an unfortunate impact on patients’ health and physical safety.
The reputations of healthcare organizations are also at stake. In a TransUnion Healthcare study, a majority of patients indicated they would switch providers if their current provider became the victim of a data breach.
The healthcare industry must look to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act as the low bar for cybersecurity. Best practices under these Acts include:
- Restricting access to systems according to the principle of least privilege.
- Using multi-factor authentication to verify user access to sensitive systems.
- Encrypting not only data-in-flight, but also data-at-rest.
- Constantly monitoring all systems to ensure that no malicious activity is taking place.
The healthcare industry is also far behind in patch management. Keeping systems patched is imperative for compliance, which requires that risk analysis be an ongoing process rather than a one-time exercise. Additionally, penetration tests are required, along with a whole range of other considerations, such as having a TLS/SSL certificate to protect data in transit and strong encryption to protect data at rest.
These precautionary efforts are not to be taken lightly: neglect of these measures is what ultimately leads to the unfortunate swarm of cyberattacks on the healthcare industry. The healthcare industry has focused its time and attention on increasing the quality of patient care, and in turn has spent only half as much on cybersecurity as other industries have.
What healthcare professionals need to understand is that by preventing cyberattacks, they are in fact being proactive about patient care. As a deadly example, in 2016, MedStar was the victim of a cyberattack that impaired its ability to provide patients with the care they needed. As a result of the attack, some cancer patients were unable to receive the radiation treatment they required. The alarming thing about cyberattacks in the healthcare industry is that any medical device connected to a network is at risk of being compromised and abused by attackers.
With the increasing number of successful cyberattacks and the proven harm to patient care, the healthcare industry can’t afford to continue to lag behind. It’s time for healthcare providers to prioritize closing the cybersecurity gap.