Healthcare cybersecurity is a growing concern. In the last few years, IT security incidents and hacking are increasing steadily, and many healthcare organizations have struggled to defend their network perimeter and keep cybercriminals at bay. 2015 was a record year for healthcare industry data breaches, and data in many healthcare institutions are being compromised every day. More patient and health plan member records were stolen in 2015 than in the previous six years combined. More than 113 million records were compromised in 2015 alone, 78.8 million of which were stolen in a single cyber attack. 2016 saw more healthcare data breaches reported than any other year, and 2017 will likely be another record breaker.
Healthcare providers now need to secure more connected medical devices than ever before, partly because of the introduction of IoT devices in the industry. The healthcare industry faces a wide range of cybersecurity issues that could affect the finances and reputations of hospitals and other healthcare institutions. Cybercriminals are developing newer, more complex tools and methods to attack healthcare organizations, frequently with the aim of capturing and holding information and networks for ransom. The healthcare industry as a whole has been slow to react and has fallen behind other industries in developing cyber defenses. Moreover, 95% of healthcare organizations don’t use any software at all for security governance or risk management.
How can healthcare address this critical issue? The following areas are priorities:
1. Constrained spending on cybersecurity
One reason the healthcare industry is prone to cyber attack is the industry's lack of investment in cybersecurity. Healthcare organizations have historically underinvested in cybersecurity programs. By comparison, the federal government spends 16 percent of its IT budget on cybersecurity. Other industries also spend more on cybersecurity, including banking and finance, which allocate 12 to 15 percent of their IT budgets to cybersecurity programs. Current estimates are that healthcare cybersecurity investment will reach only $10 billion worldwide by 2020, which is under 10 percent of the aggregate investment in security. Meanwhile, four out of five healthcare officials in the US admitted that their IT systems have been compromised by hackers, and 53 percent of surveyed healthcare providers confessed to not being prepared for future attacks.
2. Demand for medical records on the black market is high
Demand for patient medical records on the black market is spurring cyber attacks that have hurt the finances and reputations of healthcare organizations. Electronic health records (EHRs) are considered much more valuable than financial information. Individual EHRs can fetch up to $50 on the black market, compared to around $1 for a stolen credit card number or social security number. EHRs contain patients' names, birth dates, policy numbers, diagnosis codes, and billing information. This abundance of information can be used by fraudsters in various ways, for example to create fake IDs for purchasing medical equipment or medications that can then be resold. Some cybercriminals combine a patient number with a false provider and file fraudulent claims with medical insurers.
Stolen EHRs are a difficult problem because the theft is so hard to detect. EHR theft takes twice as long to resolve as ordinary identity theft. Unlike stolen credit cards, which can be reissued, and false charges, which can be disputed, medical identity theft is difficult to undo. Cybercriminals have more ways to ‘drain’ the information captured from EHRs, and they can profit greatly by targeting healthcare organizations rather than banks and other financial firms. In fact, the percentage of healthcare organizations that have been attacked by cybercriminals increased from just 20 percent in 2009 to 40 percent in 2013.
3. Ransomware
Ransomware is another cybersecurity risk that has plagued hospitals and other healthcare organizations in recent years. Cybercriminals don’t need to take information from hospital computers to profit. Through various means, cybercriminals infect a healthcare organization’s IT systems with ransomware, preventing the organization from accessing its files, directories, and other resources. Usually these resources are encrypted so that users can no longer access them. The attackers then deliver a message containing directions for sending payment, or ransom, in exchange for restored access to the affected systems. The cybercriminals typically demand payment in bitcoin because, unlike credit card payments, bitcoin payments are difficult to trace. One reason ransomware succeeds in forcing these organizations to pay is the nature of healthcare operations: hospitals and healthcare providers need speedy access to patient data as well as a functioning communications system. Thus, these institutions are more likely to pay a ransom than to let their operations be disrupted by this type of cyber-attack.
Ransomware attacks are, unfortunately, on the rise. Symantec reports that during the first quarter of 2016 alone there was an average of more than 4,000 ransomware attacks per day, a 300 percent increase over the same period in 2015. Some of the organizations that have admitted to paying a ransom to cybercriminals include Hollywood Presbyterian Medical Center, which paid $17,000 to hackers in February this year, and MedStar Health in Columbia, Maryland, which paid $19,000. Unplanned downtime at healthcare organizations may cost around $8,000 a minute per incident.
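The paragraphs above describe the effect of ransomware on a hospital's files: many documents are overwritten with encrypted content in a short time. A defender's counterpart to that description is a detection rule that watches file-server audit events for exactly that pattern. The following is an added illustration, not code from the original article or from any product it mentions; the audit-log format, the path names, the user names, the file contents and all thresholds are constructed for the example, and the heuristic (a burst of writes to one unfamiliar extension whose content has near-maximal byte entropy) is a generic one, not a rule any vendor is known to use.

```python
"""Heuristic detector for ransomware-style encryption bursts in file audit logs.

Added illustration (not from the original article). Every log line, path,
user name, byte string and threshold below is constructed for the example.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Tunables, assumed for this illustration.
KNOWN_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "jpg", "dcm", "hl7"}
WINDOW = timedelta(seconds=60)   # how long a burst may span
BURST_THRESHOLD = 8              # writes to one unfamiliar extension within WINDOW
ENTROPY_THRESHOLD = 7.0          # bits per byte; encrypted output approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plaintext and office documents sit well under 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension_of(path: str) -> str:
    """Lower-cased final suffix of the file name, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_event(line: str, content: bytes) -> dict:
    """Parse a constructed 'ISO-timestamp key=value ...' audit line.

    `content` stands in for the first bytes read back from the written file.
    """
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return {"ts": datetime.fromisoformat(ts), "user": fields["user"],
            "action": fields["action"], "path": fields["path"],
            "entropy": shannon_entropy(content)}


def detect_encryption_bursts(log):
    """Return one alert per user who wrote >= BURST_THRESHOLD high-entropy files
    with the same unfamiliar extension inside a WINDOW-long sliding window."""
    suspicious = defaultdict(list)   # user -> [(timestamp, extension, entropy)]
    for line, content in log:
        ev = parse_event(line, content)
        ext = extension_of(ev["path"])
        if ev["action"] in ("write", "rename") and ext not in KNOWN_EXTENSIONS:
            suspicious[ev["user"]].append((ev["ts"], ext, ev["entropy"]))

    alerts = []
    for user, items in suspicious.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            window = items[start:end + 1]
            ext, count = Counter(e for _, e, _ in window).most_common(1)[0]
            if count < BURST_THRESHOLD:
                continue
            mean_entropy = sum(h for _, e, h in window if e == ext) / count
            if mean_entropy >= ENTROPY_THRESHOLD:
                alerts.append({"user": user, "extension": ext, "files": count,
                               "mean_entropy": round(mean_entropy, 2),
                               "first_seen": window[0][0].isoformat()})
                break   # one alert per user is enough to page someone
    return alerts


# Constructed sample data. PLAINTEXT mimics a clinical note; ENCRYPTED_LIKE
# contains every byte value exactly once, giving an entropy of exactly 8.0.
PLAINTEXT = b"Patient: Jane Doe  DOB: 1970-01-01  Dx: J18.9 pneumonia\n" * 4
ENCRYPTED_LIKE = bytes(range(256))

SAMPLE_LOG = [
    ("2016-03-28T09:14:02 user=jsmith action=write path=/srv/shared/notes.docx", PLAINTEXT),
    ("2016-03-28T09:14:40 user=jsmith action=write path=/srv/shared/old.bak", PLAINTEXT),
    ("2016-03-28T09:15:10 user=jsmith action=rename path=/srv/shared/rounds.xlsx", PLAINTEXT),
]
# A single workstation rewriting ten charts to one new extension within 30 seconds.
SAMPLE_LOG += [
    (f"2016-03-28T09:20:{i * 3:02d} user=rx-kiosk action=write "
     f"path=/srv/shared/chart_{i}.docx.locked", ENCRYPTED_LIKE)
    for i in range(10)
]

if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_LOG):
        print(alert)
```

The benign user's single write to an unfamiliar `.bak` extension never reaches the burst threshold and its content has low entropy, so only the kiosk session is reported. In practice the thresholds would be tuned per file share, and an alert of this kind is a trigger for isolating the offending session, not a verdict on its own.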
4. Employee carelessness
Although cyber-attacks remain the main source of information theft in healthcare organizations, other security incidents have been caused by employee carelessness. For example, an employee can open an email that contains malware and unintentionally give an attacker access to the data on their computer or network. Healthcare organizations can limit this kind of danger by training staff to recognize and avoid the most common cyber attacks. This basic cybersecurity preparation can reduce the danger of cyber attack from 70% to 45%.
Doctors, faculty, and other employees are increasingly being trained to handle and safeguard private data, especially patient information. Some healthcare companies are also working with security organizations to build their facilities' capacity to distinguish between different types of cyber-attacks. If a hospital, clinic, or healthcare provider is able to deal with these risks, it can significantly reduce its chances of being hit by a cyber-attack.
5. Bring your own device (BYOD) policies
Healthcare organizations are allowing, and sometimes encouraging, doctors and other staff in health facilities to bring their own devices, such as cell phones, tablets, and laptops, to work. 81% of such organizations currently permit staff to use their own devices at work. However, 46% admit that these devices are not properly secured, and 54% report that personal cell phones used at work are not secured by any means. Many cybersecurity experts believe that the use of personal devices in the workplace further increases the risk of cyber-attack.
Devices like cell phones and laptops can easily be stolen from healthcare facilities, potentially exposing patient information. 66% of the personal data stored in healthcare systems is not encrypted, and 20% of organizations have no privacy strategy at all. Healthcare organizations should be stricter about their BYOD strategies. For example, they could prevent personnel from sharing personal information through records, in order to limit possible attacks. Another option would be to introduce technology that can remotely erase all the information on a device should it be stolen.