Healthcare has rapidly evolved from a traditionally paper-based industry to one that has embraced digital in almost every way. The growth of technology and patient care has subsequently thrust the industry into the spotlight when it comes to protecting sensitive information. Healthcare cybersecurity and data security in 2019 is one of the top issues facing the healthcare industry.
The amount of endpoints on healthcare networks is growing exponentially, especially with the popularity of both personal and corporately-owned mobile devices. Add in a host of IoT devices such as printers and smart appliances, and the potential for trouble is significant. The good intention motivating these devices is improved productivity. However, when you combine the device proliferation with healthcare organizations’ legacy systems and inadequate security budgets, it becomes a pervasive interoperability problem.
To make matters worse, employees who lose devices or see them stolen, click on a phishing link or inadvertently send Personal Health Information (PHI) across insecure channels only exacerbate the issue. You’re left with a recipe for embarrassing, costly leaks of sensitive data — not to mention the likelihood of hefty fines from HIPAA and HITECH regulations.
The need for better endpoint visibility and control has never been greater.
While there are countless complex challenges facing healthcare IT professionals, it’s almost unanimous that security is at the top.
By widely adopting electronic information systems, any organization that does business in the healthcare industry has increased its risks regarding sensitive patient data protection. This is not lost on hackers, who have adapted their methods and tactics to monetize their attacks by seizing control over healthcare data, encrypting data and asking for ransom. This attack, known as ransomware, hits the healthcare industry particularly hard.
The pervasive vulnerabilities that threaten our ability to protect confidential data is a huge concern for healthcare decision makers. The numbers explain why.
The Protenus Breach Barometer for the third quarter of 2018 reports a total of 4.4 million patient records compromised in 117 health data breaches, with the number of affected patient records increasing in each quarter.
According to the Cost of a Data Breach Report conducted by the Ponemon Institute and IBM, the average healthcare data breach costs $408 per record — the highest of any industry for eight straight years. At almost triple the cross-industry average of $148 per record, it is obvious that cyber and data security is one of the most critical concerns for the industry.
Perhaps the biggest concern, however, is this: as organizations place more medical devices onto their networks, those IoT devices are also vulnerable to attack, and can even endanger the lives of their patients.
The number of threats facing the healthcare industry is only going up. We’ve touched upon a few of the main threats already, but it’s a good idea to categorize them into four main groups — all of which can jeopardize PHI or ePHI, the cornerstone of healthcare data.
We discussed ransomware in the previous section, and because it dwarfs all other types of cyber-attacks facing healthcare companies, we’re listing it first.
Security experts agree that phishing emails, the primary method for launching a ransomware attack, will persist and prey on the healthcare sector.
This one may not seem as obvious, but the threat is real.
So real, in fact, that a Verizon 2018 Protected Health Information Data Breach Report by Verizon found healthcare to be the only industry in which internal actors represent the biggest risk to an organization. The study also reports 58% of all healthcare data breaches and security threats are caused by insiders, anyone with access to healthcare resources and important data.
As Internet-connected medical devices are adopted on a much grander scale each year, IoT is going to be a huge issue for healthcare. On the one hand, hospitals and other providers benefit from IoT’s medical advancements and infrastructure improvements. On the other hand, most IoT devices are not built with cybersecurity as a default.
Due to the severity of risks involved, IoT security mustn’t be overlooked.
You may have the best security in your organization or network, but what about your suppliers, service providers, partners, or business associates who have access to your data? Those networks or systems may not be as secure. Hackers can and will focus on these weaker networks.
A supply chain attack is when a hacker exposes one of the weak links in your supply chain and leverages it as a form of indirect access into your network. Hackers are always looking for backdoors, and the supply chain is often their way in, either through insecure networks, software or hardware.
Interesting fact: in a recent CrowdStrike survey, 84 percent of healthcare respondents agree that “software supply chain attacks have the potential to become one of the biggest cyber threats to their industry.”
Maintaining control over critical PHI or other sensitive data isn’t easy, but if healthcare organizations make a concerted effort to follow these three approaches they should be ahead of the game.
When endpoints go missing or show cause for concern, you need to act fast and smart. Failing to act quickly puts you at risk of exposing your organization to ransomware attacks and security breaches.
The fact is, laptops at a healthcare organization often go missing for months before the loss is detected in a yearly IT audit. Your efforts need to be focused on reshaping this critical flaw in oversight. When a device misses an update, goes missing or shows signs of tampering, you need to make sure red flags go up immediately so you can deal with it ASAP.
Organizations should consider investing in endpoint controls and applications to protect their most critical assets. In doing so, you ensure your applications are running smoothly and have not been tampered with. Critical applications such as VPN, antivirus, encryption, device management and other controls are too easily compromised by malware, corruption or negligent users and often leave IT and security pros flying blind.
Improving visibility and control to the endpoint can help patch these holes in a healthcare security environment that might otherwise render existing and new security layers ineffective.
Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution.
According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives. By following these approaches, it’s estimated organizations can save an average of $2.1 million annually in time saving. Even better, they’ll have a greater chance of preventing a costly breach.
Finally, risk analysis should be an ongoing process that checks the following boxes for covered entities: regularly review records to track access to ePHI and detect security incidents; periodically evaluate the effectiveness of security measures put in place; and regularly re-evaluate potential risks to ePHI.
We hope you’ve found several takeaways here, and are in a better position to improve your healthcare cybersecurity posture. If you need more strategic tips, be sure to check out our HIPAA Compliance Checklist for 2019.