Cybersecurity is a constant concern for healthcare organizations, and the previous 12 months have done little to quell anxieties. In 2017, the Department of Health and Human Services’ Office for Civil Rights (OCR) reported 359 data breaches of 500 or more records, resulting in the exposure of more than 5 million healthcare records in total. In 2018, the number of breaches was comparable at around 350; however, the number of healthcare records exposed almost tripled, totaling around 13 million. That means bigger breaches are exposing more individuals to identity theft and other harms.
While “mega breaches” affecting big brand names tend to grab the most headlines, there are plenty of other incidents that go under the radar but cause just as much damage to the individuals affected.
Unfortunately for healthcare organizations, there is no silver bullet in the fight against cybercrime. Combatting existing and future threats – large or small – requires a strategy that embraces a combination of suitable technologies, watertight policies, and flexible working practices.
Evolving threats require evolving defenses
As cybercriminals become increasingly advanced and deceptive in their methods, the onus is on healthcare organizations to adapt and improve their defenses accordingly. One of the biggest cyber threats facing healthcare organizations today is ransomware. According to Verizon’s 2018 Data Breach Investigations Report, ransomware was detected in 39% of all malware-related data breaches and, what’s more, instances doubled year-on-year.
The healthcare industry is especially vulnerable to this malicious attack because patient health may be at direct risk when electronic medical records cannot be accessed or updated in a timely manner, or when treatment may need to be postponed.
The process of email phishing – the typical delivery mechanism for ransomware and other malware attacks – is becoming more advanced, with criminals going to great lengths to trick unsuspecting employees into clicking malicious links, opening attachments, or handing over login details or other sensitive information.
In order to mitigate the risks presented by phishing, health IT organizations must not only invest in secure workflow tools, but also train staff regularly on how to recognize potential threats before they become problems (even going so far as to send out simulated phishing messages to see who can be tricked). Additionally, they must roll out policies and procedures that ensure any threats are dealt with promptly.
The right tools for the job
The vulnerability of the healthcare industry from a cybersecurity point of view makes investing in the right tools particularly critical. As well as fulfilling a number of workflow and productivity requirements, any tools or applications used for processing, sharing, or storing patients’ protected health information (PHI) must adhere to strict HIPAA (Health Insurance Portability and Accountability Act) rules.
Email, for example, is not HIPAA-secure due to the lack of consistent access controls and enforced encryption. Mobile apps designed for consumer communication such as WhatsApp or popular cloud storage solutions such as Dropbox are not suitable for healthcare for similar reasons. While these apps and others like them may be low-cost, convenient, and familiar, they’re inherently risky and present an easy access point for attackers, not to mention a greater potential for human error. In fact, these apps themselves may be secretly accessing user data for their own purposes. To decrease these risks, HIPAA-covered entities must invest in suitable tools designed specifically for the rigors of healthcare.
Looking closer to home
When most people think of cybersecurity breaches, they think of criminal activity initiated by external parties, but it’s often the people closest to the source that pose the greatest risk. According to Verizon’s 2018 Data Breach Investigations Report, healthcare is the only industry where cybersecurity threats from insiders are more prevalent than those from the outside.
Most commonly, these insider threats are caused by human error (35 percent) or system misuse (24 percent), both of which are preventable with training and education. Organizations that fail to recognize and respond to these internal risks are essentially their own worst enemies.
The growing adoption of BYOD (Bring Your Own Device), flexible work locations, and a blurring of lines between professional and personal online activity have only added to the rise of internal cybersecurity risks. The potential for devices being lost or stolen, for non-secure communication, and for lapses in device security (e.g., sharing devices with other people) is greater outside of the practice’s walls.
Organizations must think carefully before allowing such working practices, and those that do must implement stringent policies and procedures to mitigate any potential security and privacy weaknesses (e.g., ensure that any portable device encrypts all data and implements strong password policies).
But it is not just internal staff that IT organizations need to keep tabs on; business associates and vendors can also present risks and possible back doors to hackers. Among the breaches reported to OCR in 2018, a quarter involved business associates, affecting almost six million individuals. While third-party business associates provide vital services to healthcare organizations, the relative lack of regulatory compliance and privacy requirements for many business associates can make them an easy access point for bad actors.
It is the responsibility of the healthcare organization employing these third parties to ensure that all business associates adhere to required security standards and data protection rules, and that written agreements in the form of Business Associate Agreements (BAAs) exist between the parties to specify such requirements and expectations. This is already a requirement by law, but the absence of a BAA is still an all-too-common factor in healthcare compliance violations.
The good news is that despite the rise in data breaches and continuing lapses in cybersecurity controls, risk awareness is increasing throughout the healthcare industry. Recognizing the risks is the first step to combatting them, so going into 2019, the onus is on healthcare organization leaders to educate their teams and provide the tools they need to carry out their jobs effectively and securely.