Healthcare technology is more critical than ever. The current pandemic has caused many healthcare providers, organizations, and consumers to rely on health tech, particularly virtual and digital tools that diagnose and treat. A significant issue impacting healthcare today is securing sensitive and valuable personal medical information. Data security is paramount with more people accessing this information from home computers and even their cell phones, especially with hospitals and other healthcare facilities increasingly becoming the targets of cyber and ransomware attacks.
The threat is real and growing. According to the federal government, in 2021, over 40 million individual health records were compromised. With this in mind, we’ll explore some of the challenges facing healthcare organizations regarding technology security and offer recommendations specific to this industry.
Healthcare Data Is More Accessible to Consumers and Hackers
In 2016, the federal government passed the 21st Century Cures Act. The law helped accelerate medical product development and innovations for patients and consumers. On April 5, 2021, the 21st Century Cures Act Final Rule went into effect. This provision in the law mandates that consumers have the right to timely access to their electronic health information and can download that information free of charge. It also requires health systems and providers to make the information available through various technologies, including online patient portals and mobile phone apps. Ultimately, this shifts more control to the consumer.
While this is good for consumers, it also raises the likelihood that data could be compromised. Poor cybersecurity judgment and practices by a patient using their cell phone, or even an unintended action by a healthcare facility staff member while logging into an office computer, could open the door to a security breach.
Access to health information helps consumers make better health decisions. It also potentially makes it easier for hackers to steal that information, because every new portal, app, and API is another entry point. While many organizations are compliant with the Health Insurance Portability and Accountability Act (HIPAA), created to protect sensitive patient data from being disclosed without a patient’s consent or knowledge, HIPAA compliance alone is not enough to prevent a cyberattack: it sets a floor for administrative, physical, and technical safeguards, not a guarantee that an attacker cannot get in.
Massive Healthcare Data Breaches Will Happen Again
Medical records are valuable commodities and hackers know this. They also know that healthcare offices, hospitals, and other organizations are particularly vulnerable, mainly due to outdated security systems, lack of cybersecurity action plans, and lack of funding to improve their systems.
Recent statistics bear this out.
- Hospitals account for 30% of all large data breaches.
- Since 2009, more than 2100 healthcare data breaches were reported in the U.S.
- 18% of teaching hospitals experienced a data breach.
- 6% of pediatric hospitals reported data breaches.
- There is an estimated 75.6% chance that a breach of at least five million records will occur next year.
- 34% of healthcare data breaches are unauthorized access or disclosure.
Though large cyberattacks, like the recent SolarWinds supply-chain incident, prompted various calls and initiatives to improve cybersecurity across all industries, much of the healthcare industry has been slow to respond. That’s despite recent large cyberattacks here in the U.S. and in other countries.
In 2015, Anthem Health reported that hackers broke into its systems and stole almost 80 million personally identifiable records from current and former policyholders. Anthem was not required by law to encrypt the data at the time; the HIPAA Security Rule treats encryption of stored data as an “addressable” rather than a mandatory safeguard. Though Anthem admitted no wrongdoing, the company was forced to pay out over $115 million to settle class action lawsuits.
In 2017, the WannaCry ransomware attack severely disrupted the United Kingdom’s National Health Service (NHS). The attack, attributed to North Korea, spread on its own between Windows computers that had not yet received the MS17-010 security update Microsoft had released two months earlier; it exploited a flaw in the SMBv1 file-sharing protocol (the EternalBlue exploit), not a flaw in Microsoft Office. NHS hospitals and offices running unpatched systems with SMBv1 reachable on the network were hit, and the affected sites had to cancel surgeries and divert ambulances to hospitals elsewhere in the country that were not involved. The attack ultimately cost the NHS an estimated £92 million in lost services and IT recovery.
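The WannaCry lesson is concrete: an unpatched Windows host with SMBv1 enabled is a wormable target. The following PowerShell script is an added example, not code from the original article or from any vendor mentioned here; it audits a Windows host for the two conditions that made WannaCry spread (SMBv1 enabled and the MS17-010 update missing) and optionally disables SMBv1. The KB numbers listed are the real March 2017 MS17-010 security-only and monthly-rollup updates for Windows 7/Server 2008 R2, 8.1/Server 2012 R2, and Server 2012; the `$Remediate` switch is this example’s own, and the script assumes an elevated session on Windows 8/Server 2012 or later where the `SmbShare` cmdlets exist.

```powershell
# Added example (not from the original article): audit a Windows host for the
# conditions WannaCry exploited, then optionally turn off SMBv1.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.
$Remediate = $false   # set to $true to disable SMBv1 server side (example switch)

# 1. Is the SMBv1 server protocol enabled? (This is what EternalBlue targeted.)
$smb = Get-SmbServerConfiguration
Write-Host ("SMB1 server protocol enabled: {0}" -f $smb.EnableSMB1Protocol)

# On client SKUs (Windows 10/11) SMBv1 also exists as an optional feature.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host ("SMB1Protocol optional feature: {0}" -f $feature.State) }

# 2. Is any of the original MS17-010 packages installed?
#    Security-only: KB4012212 (Win7/2008 R2), KB4012213 (8.1/2012 R2), KB4012214 (2012)
#    Monthly rollup: KB4012215 (Win7/2008 R2), KB4012216 (8.1/2012 R2), KB4012217 (2012)
#    Caveat: later cumulative updates supersede these, so their absence alone does
#    not prove the host is unpatched. Treat "missing" as "verify the OS build and
#    patch level", not as a final verdict.
$ms17010 = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217')
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) {
    Write-Host ("MS17-010 package present: {0}" -f ($found.HotFixID -join ', '))
} else {
    Write-Warning "No original MS17-010 package found; confirm a superseding cumulative update is installed."
}

# 3. Remediate: SMBv1 has no place on a modern network. Disabling the server side
#    stops this host from being exploited over port 445; the client side and the
#    optional feature need their own steps and, on some builds, a reboot.
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled."
}
if ($Remediate -and $feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol optional feature disabled (reboot may be required)."
}
```

Run it in audit mode first across a sample of hosts; if any report SMBv1 enabled, also confirm that TCP port 445 is blocked from untrusted networks at the perimeter, because the patch closes the vulnerability but only network segmentation limits how far a worm can travel inside a hospital.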
As the pandemic stretched hospital capacities here in the U.S., in 2020, ransomware attacks increased. That prompted the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services to issue a joint advisory warning of an imminent cybercrime threat to U.S. health organizations. While the massive attack didn’t happen as expected, the danger is still there.
Recommendations and Solutions for Improving Healthcare Cybersecurity
With an expanding number of vulnerable devices and networks, a very clear financial incentive for attackers, and ineffective or outdated cybersecurity practices, the current data security diagnosis for the healthcare system is not good.
Cybersecurity is unfortunately still a lower priority for many healthcare organizations, mainly due to a lack of resources and funding. A 2020 survey found that the average healthcare organization spends about 6% of its IT budget on cybersecurity while spending more on new technologies. While adding new technologies can be beneficial for patient care, every new networked device, from computers and monitors to diagnostic machines, enlarges the attack surface and adds something that can be compromised.
Increasing funding for healthcare security is undoubtedly a long-term goal, but it will take time, especially as healthcare systems of all sizes will have to rely on public and private partnerships, government support, and possibly higher prices for goods and services to cover some of the costs.
Updating Legacy Systems and Vintage Software: Too many healthcare systems still rely on legacy computer systems and infrastructure. These older systems, running software that no longer receives security patches, are more vulnerable to attackers. Updating to newer systems will help, but this often requires a financial investment that some organizations don’t have the funding for. One step toward deciding which legacy systems need to be replaced (or, until then, isolated on the network) is to conduct a thorough end-to-end security assessment to identify the risks and make decisions based on that assessment. These assessments, performed regularly, are important in their own right: the HIPAA Security Rule requires covered entities to conduct periodic risk analyses.
Practice Digital Hygiene: Just as doctors recommend washing one’s hands to prevent the spread of germs, all staff at any healthcare facility should practice good digital hygiene habits, whether at home or in the office. That includes using long, unique passwords for computer and email accounts (not ones that are easy to remember or guess) and changing them whenever a compromise is suspected, not clicking on suspicious links in email messages, encrypting work computers and laptops, and keeping anti-malware software running and up to date. Organizations should also implement multi-factor authentication, apply software updates promptly, and test devices for potential vulnerabilities.
Increased Communications: Healthcare organizations should actively collaborate with federal and state government agencies to stay up-to-date on potential threats, especially those that could impact multiple cities, districts, or states. At the same time, these same organizations should advocate with their policymakers to help solidify and streamline the regulations that oversee cybersecurity for their industry. Doing so will help create an industry standard for healthcare cybersecurity that all organizations can easily understand and manage.
Healthcare impacts everyone and the industry must remain proactive in working to promote and update cybersecurity standards and secure the technology it works with every day. By making cybersecurity a top priority, all consumers will feel more at ease that their medical data is safe and secure.
Does your agency or organization need guidance or additional support to fully implement zero trust compliance? Reach out to J5 Consulting and connect with our team of IT experts.