It is no secret that the healthcare industry is a top target for cybercriminals. According to Becker’s Hospital Review, the healthcare industry loses $5.6 billion every year to data breaches, and in 2016 there was at least one health data breach per day, affecting more than 27 million patient records in total.
While cyberattacks grow more threatening by the day, the healthcare industry grows more reliant on technology. Healthcare providers everywhere are deploying new software and hardware to improve patient care and administration. That modernization, however, has brought a rapidly growing set of cybersecurity challenges, and the threats keep evolving alongside it.
Healthcare providers face numerous cybersecurity challenges. Ransomware attacks are increasing, patient data has become harder to protect, and providers must now secure more connected medical devices than ever before. Many of these problems stem from medical device manufacturers’ slow response to the threats, which has left healthcare lagging behind other industries in cybersecurity. Three areas in particular deserve attention.
The Ransomware Threat
Ransomware, no matter where you look, is a pervasive threat to businesses and organizations of all types and sizes. Healthcare is no stranger to this kind of malware and is routinely one of the top targets of ransomware operators.
For those unfamiliar with the threat, ransomware is malware that encrypts a victim’s files and then demands payment for the key needed to decrypt them. Because the key is held only by the attacker, the files cannot be recovered without paying or without a clean backup. According to research from PhishMe, ransomware attacks increased by over 97% over the preceding two years. A separate estimate puts it more concretely: a business falls victim to ransomware roughly every 14 seconds.
What do these statistics mean for the healthcare industry? As mentioned earlier, healthcare has become increasingly reliant on technology. That reliance has made it easier to deliver patient care, manage records efficiently, and provide clinical decision support at far greater speed. But, just like any other organization running internet-connected devices, it has also made healthcare more exposed to malware and other threats.
The concern is particularly acute for healthcare because both patient records and care-delivery systems can be encrypted by ransomware, stolen, or both. Doctors could lose access to clinical systems and to the machines that perform critical functions (e.g. a CT scanner) in the middle of an ER visit. That would delay time-critical diagnosis and treatment, such as the imaging needed before treating a stroke patient.
Patient records are also a treasure trove of personal information, valuable to doctors and to malicious actors who profit from selling them; demand for this data on the black market is high. Records are now increasingly hosted on cloud systems and/or internal servers, and the paper copies that once served as a fallback have largely disappeared. If a healthcare system’s servers were encrypted, that could spell disaster for patients and providers alike.
There has been no shortage of ransomware attacks on healthcare in recent years, and there is no sign of a slowdown. It is now more important than ever to implement appropriate cybersecurity measures, to back up all records and systems regularly, and to have a tested disaster recovery plan in place.
Bring Your Own Device
Healthcare organizations are encouraging physicians, nurses, and other medical staff to bring their own devices, such as tablets, smartphones, and laptops, to work. One survey found that 81% of healthcare providers now allow doctors and staff to use their own iPads and other mobile devices at work. Such policies are commonly known as “Bring Your Own Device” or BYOD.
While BYOD is an effective cost-cutting measure, many cybersecurity experts believe it puts organizations at risk. In the same survey, 46% of those healthcare organizations indicated that they are doing nothing to secure those mobile devices, and 54% said they have no confidence at all that the employee-owned devices used at work are secure.
Unsecured personal devices create numerous problems for BYOD policies and put healthcare organizations at increased risk of data breaches. Most applications used in healthcare send personally identifiable information over the internet, and around a quarter of that traffic is unencrypted. A compromised mobile device can give an attacker a foothold in the network as well as access to ever-lucrative patient information.
Healthcare organizations that adopt BYOD should be strict about it. They should bar employees from sharing personal health information through consumer file-sharing platforms, to reduce the risk of identity theft. They should also enroll devices in a mobile device management (MDM) or similar third-party security solution so that a lost or stolen device can be located and its data remotely wiped.
Backup and Data Recovery
As mentioned before, patient records are increasingly digitized, and healthcare organizations rely on their systems to administer and track patient care. A provider whose systems are encrypted by ransomware could be shut down for days and unable to deliver care at the pace it needs to.
It makes sense for healthcare organizations to treat disaster recovery the way other businesses do. A strong example of backup and disaster recovery in the face of a ransomware attack is Norsk Hydro.
Norsk Hydro was commended by cybersecurity experts for its response to being virtually crippled by the LockerGoga ransomware strain in March 2019. It had firm plans in place for exactly this kind of event, moved quickly to manual operations, and began restoring encrypted systems from backups it had prepared in advance.
That is a sign of mature internal planning and of a close working partnership between business process owners and those in charge of information technology and information security. What was especially notable is that, because Norsk Hydro makes a real, physical product, the effectiveness of the process was visible: production continued, largely on manual procedures, and customer deliveries were largely maintained.
Hospitals and other healthcare organizations should take note: backup and data recovery planning must be a core part of IT operations. There must be clear, written steps to follow in the event of a cybersecurity incident, including how to keep essential operations running if staff are forced to switch to manual procedures.
Patient records should be backed up regularly, and every department should have manual fallback processes. Two caveats a practitioner will want to add: backups that sit on the same network as production, writable by the same accounts, are routinely encrypted along with everything else, so at least one copy should be offline or immutable; and a backup that has never been restored is an untested assumption, so restores should be rehearsed and verified on a schedule. There is also a compliance component (e.g. HIPAA) that the healthcare industry must keep in mind, and it may constrain the solutions and methods that can be used.
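As an added, illustrative example (not code from the original article, nor Norsk Hydro's own tooling), the following Python script shows one concrete piece of the verification a recovery plan needs: a manifest of file hashes taken at backup time, later checked against the stored or restored copy, with an entropy test that flags files a ransomware strain has encrypted in place rather than merely altered. The directory layout, file names, and sample records are constructed for the demo, and the 7.5 bits-per-byte entropy threshold is an assumed heuristic, not a standard.

```python
"""Backup manifest and restore verification (added example, not from the page)."""
import hashlib
import json
import math
import shutil
import tempfile
from pathlib import Path

# Assumed heuristic: plaintext records (JSON, CSV) sit well below this,
# while ciphertext from any real cipher is close to 8.0 bits per byte.
HIGH_ENTROPY = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record hash, size and entropy of every file under root, keyed by relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": len(data),
                "entropy": round(shannon_entropy(data), 3),
            }
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored (or still-stored) tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "modified": [], "high_entropy": []}
    for rel, meta in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != meta["sha256"]:
            report["modified"].append(rel)
            # A changed file whose bytes now look random is the ransomware signature.
            if shannon_entropy(p.read_bytes()) >= HIGH_ENTROPY:
                report["high_entropy"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def pseudo_random_bytes(n: int, seed: bytes = b"demo-seed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def demo() -> dict:
    """Build a constructed records tree, back it up, then simulate ransomware on the backup."""
    work = Path(tempfile.mkdtemp(prefix="ehr-backup-demo-"))
    try:
        prod = work / "ehr"
        (prod / "patients").mkdir(parents=True)
        # Constructed sample records; no real patient data.
        (prod / "patients" / "p0001.json").write_text(json.dumps({"mrn": "0001", "dx": "I63.9"}))
        (prod / "patients" / "p0002.json").write_text(json.dumps({"mrn": "0002", "dx": "J18.9"}))
        (prod / "schedule.csv").write_text("date,room,proc\n2019-03-19,CT-1,head\n")

        manifest = build_manifest(prod)  # taken while the data is known good

        backup = work / "backup"
        shutil.copytree(prod, backup)
        # Simulate ransomware reaching a network-attached, writable backup share:
        # one record encrypted in place, one file deleted outright.
        (backup / "patients" / "p0001.json").write_bytes(pseudo_random_bytes(4096))
        (backup / "schedule.csv").unlink()

        return verify_restore(manifest, backup)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest itself must be stored somewhere the ransomware cannot reach (signed, on the offline copy, or in a write-once location), otherwise an attacker who can encrypt the backup can also rewrite the hashes it is checked against.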
The Future of Healthcare Cybersecurity
It’s no secret that connected medical devices (i.e. medical IoT) are the future, and the need for cybersecurity will never go away. Healthcare providers everywhere are starting to build cybersecurity requirements into their procurement processes. Some no longer depend on medical device manufacturers for this at all and instead actively look for dedicated device security solutions.
While manufacturers have not progressed as quickly as hospitals, more conversations about healthcare cybersecurity are taking place. Security must be the first question asked when creating or implementing any new technology that will handle patient data or the critical operations of a provider. Awareness is only half the battle; action must be taken quickly if healthcare is to prevent major losses.