Hacks like the recent attack on Boston Children’s Hospital are putting a bigger spotlight on healthcare security than ever before. Just this past May there were over 500 data breaches, 70 of which were reported to the Department of Health and Human Services' Office for Civil Rights (OCR), which is well above last year's average of 56 data breaches per month.
Digital transformation has outpaced current security controls in healthcare, creating holes for bad actors to exploit, says Kory Daniels, Chief Information Security Officer, Trustwave. The explosive growth of interconnected internet of things (IoT) and modern medical devices designed to improve healthcare processes and patient care has also expanded attack surfaces – and cybercriminals are taking advantage.
So, how can hospitals and healthcare organisations support modern health services?
“They must balance patient health with data safety and move past outdated security practices to keep up with the innovations of today and tomorrow,” says Daniels. “The right hospital security programme will holistically measure and prepare for the likelihood of an attack across people, processes, technology, and third-party access.”
Securely offering modern healthcare services
“Telehealth services have grown exponentially in recent years – adoption skyrocketed from 11% in 2019 to 46% in 2021 and it’s only increasing from there,” continues Daniels. “Hospitals are also employing modern IoT technology such as robotic surgeries, glucose or heart rate monitors, automated insulin delivery systems, and automated medical dispensers in far greater numbers.”
But while this expands patients’ accessibility to records or important provider information and advances healthcare services, it continues to expand the attack surface for bad actors to exploit and introduces new risks.
“The Health Information Technology for Economic and Clinical Health (HITECH) Act encourages healthcare providers to adopt electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data. While HITECH offers incentives for EHR and HIE adoption, it also expands a patient’s privacy rights under HIPAA. This can create a new burden for providers to maintain compliance while facing data security risks, as there are potentially new opportunities for cybercriminals to gain access to data.
“Hospitals must adopt more proactive, predictive, enterprise-wide risk assessment and management techniques tailored to their environments. A cybersecurity program capable of securing the entire IT perimeter can reduce duplicated cybersecurity measures, mitigate critical risks, and alert teams to security threats from within and outside of the organization – including from insurers and suppliers.”
Balancing patient health access with the safety and security of data
“Strong healthcare security programmes must be capable of balancing the security of patient data with providing the highest quality patient care, complying with HIPAA standards to only let authorised persons access patient information,” Daniels says. “In practice, healthcare security must be treated more like a team sport and less like a series of compliance boxes to tick. Each healthcare organisation should work to understand their specific risks given the technologies they use to support their daily operations and their patients’ wellbeing. This should be communicated not only internally with IT teams and staff, but with affiliates and vendors in the network, too, to ensure there are no gaps in security and that risks are properly mitigated.”
Today, the primary avenue to gain access to networks across industries is email. Fortunately, strong email security solutions can detect and block malicious emails as they come into an organisation's system. “Healthcare staff and patients alike should be aware of their part in protecting critical data, with workers specifically trained to be on the lookout for unusual email requests,” Daniels advises. “Predictive risk management that can identify weaknesses in a hospital's network of people and technologies will help to unify that hospital's cyber strategy and provide visibility across the environment. Still, the human element remains one of the biggest threats to an organisation’s security. The behavior of individual employees is crucial – using access controls like multi-factor authentication or biometrics can be a simple defense against human error, saving time, money, and even lives.”
To help minimise the risk of the human element, healthcare organisations should also create strong cybersecurity trainings for all employees so they can add to or improve their skillset by adding cybersecurity certifications and management training.
“It is not enough to leave cybersecurity up to internal IT departments or an outside vendor,” Daniels says. “Cyber awareness training should reach all employees. This will result in a more resilient team that can help reduce risks, including insider threats resulting from employee error.”
A path forward for medical data security
As most hospital data is in the process of transitioning to the cloud, healthcare providers are grappling with how to incorporate state-of-the-art technologies into their practices without violating HIPAA or putting patients at risk. A security-first mindset is a necessity for protecting organizations’ entire IT environment.
“A zero-trust approach for healthcare security can help decrease an organisation’s attack surface, build on the context for accurate response automation, and prevent the compromise of its entire network from the point of attack,” said Daniels. “With zero-trust security, users are authenticated, authorised, and validated each time they request access to information, regardless of where they are located in the network.”
Once access policies are in place, organisations must be prepared to handle an active threat through penetration testing – both virtual and in-person to ensure bad actors cannot enter a facility and obtain information for future cyberattacks.
“A security team can conduct basic hygiene checks to test staff responses to threats, as well as system and network scanning capable of providing actionable insight for any remaining areas of weakness,” Daniels concludes. “In some ways, these advanced tech and security considerations are good problems to have – the challenges facing healthcare security are a direct result of organizations’ heightened capacity to care for patients in sophisticated and effective ways. The future of healthcare security will depend closely on organizations’ ability to align patient privacy and compliance standards with the ever-expanding accessibility of modern patient services and life-saving technologies. With so much change underway, it’s crucial to implement cybersecurity best practices and strong data management protocol to keep patient information safe and handy, but out of the hands of cyber criminals.”
- Philip Morris International (PMI) in agreement with KT&GMedical Devices & Pharma
- Healthcare news roundup: AI design, pharma & gene therapyMedical Devices & Pharma
- How poor data governance holds healthcare organisations backHospitals
- Bringing healthcare home to empower patients and cliniciansTechnology & AI