Seventy percent of healthcare organizations report that they have been breached at some point in their history. This is the highest breach reporting of any vertical in the United States. And a majority of hospital breaches expose patients’ demographic or financial information that can be leveraged for identity theft.
These statistics should come as no surprise. Healthcare data is a high-value, conspicuous mark for criminals for a variety of reasons. Almost without exception, everyone visits a medical provider from time to time. The data that we give our healthcare providers contains many years of health history as well as personal information (like birthdate, social security number, and address), often with a credit card number attached.
PII (personally identifiable information) may be sold and used to drain bank accounts, open credit cards, or forge government documents. PII with medical and insurance information attached may also be used to obtain medical care or benefits for the thief or their customer.
Unfortunately, the healthcare industry has a history of falling behind the information technology adoption curve due to both complexity and regulation requirements. Healthcare organizations also often lack the necessary staff and talent to keep pace with a growing body of threats.
Let’s examine the top cybersecurity risks and threats of operating in the healthcare space.
Staff, vendors, and patients all represent potential points of risk in any healthcare information security scenario. Every good governance plan must include education policies for staff; vendor review policies; and patient disclosures and information access guidelines.
Staff must be taught how to avoid phishing attempts and other malware attacks through their work email and devices. Are doctors able to review labs on their personal cell phone if the device is not password protected? Could a nurse download malicious code sent in an email on a medical center computer?
Vendor access to devices and data must be carefully considered. Does the janitorial vendor have access to unsecured computers? Is the learning management system provider HIPAA compliant?
Patients who want to access their medical records through patient portals should be held to high password standards. They must also be educated on the risks of the internet-connected devices that improve their health.
Risk: Cloud Computing
Healthcare organizations are in line with other businesses in that large pools of their proprietary data are being moved into the cloud. The greatest risk with cloud computing is data breach. Hackers may target patient data, the feedback provided by all the onsite connected devices, or even the valuable research results that a university medical center may be storing. Defending all that data in the cloud takes a much bigger effort from IT departments than it takes hackers to attack it.
Risk: Bring Your Own Device (BYOD)
The majority of hospitals allow clinicians to bring their own cell phone or tablet to work for use on the job. (And many providers use them even if their employer does not expressly allow it.) Doctors and nurses are using their phones to check email, review lab results, communicate through patient portals, and much more.
Healthcare organizations must thoughtfully consider their stance on BYOD. Encryption standards and password guidelines should be put in place, as well as plans for what to do in the event of a lost device. The results of a data breach via an unsecured phone or tablet can be devastating for the patients affected and costly for the healthcare organization. (Children’s Medical Center of Dallas paid $3.2 million in fines due in part to an unsecured Blackberry that exposed 3,800 patients’ data in 2010.)
Risk: Internet of Medical Things (IoMT)
The internet of medical things has already begun to revolutionize healthcare. Implanted, internet-connected continuous glucose monitors alert diabetic individuals of changes in their blood sugar levels. Family members can keep tabs on the location and activities of elders with wearable devices that contain accelerometers and GPS trackers. Connected medical devices within a hospital can send reports about their maintenance needs and trends in their usage.
The huge (and growing) volume of these connected devices increases the potential attack surface for hackers. Unfortunately, many IoMT devices cannot run endpoint security agents, so attacks cannot be blocked on the device itself. The consequences of a hacked medical device range from exposed patient data to serious medical complications or death.
Risk: Electronic Health Records (EHRs) & Patient Portals
The paradox of EHRs and patient portals is that while they increase the quality of care for patients by un-siloing data and allowing for greater communication between patients and providers, they also increase the risk of information breach. The EHR that a primary care doctor shares with a specialist in the process of making a referral is a rich target for a bad actor: it contains all the PII that a hacker could ever want. The same data often populates patient portals, a high-value healthcare management tool that many patients have come to expect from their providers.
Technology alone can’t solve these problems. Healthcare organizations must educate, establish procedures, and require consistent software and hardware updates throughout their systems. A culture of security must be created from patients to staff to vendors.