In this blog, we're going to be frank about the data security problems facing the healthcare industry. If you read the news at all, you will have noticed that cyber attacks are consistently on the rise. Who are the biggest fish? The healthcare industry is one of the most lucrative targets for cyber criminals.

In fact, researchers in Israel have demonstrated proof-of-concept malware that adds or removes tumors in CT and MRI scans, which can lead doctors to misdiagnose high-priority patients. And yet the growing threat has not prompted an industry-wide overhaul of outdated data security services and processes, even in the digital age.

Through the Internet of Things (IoT), devices are becoming more connected and are marketed as "smart." Yet cyber security vendor Gitanjali predicts that IoT attacks will grow to 300,000 a year, roughly 30 percent of all cyber attacks. According to Becker's Hospital Review, data breaches cost the healthcare industry $5.6 billion annually.

Unfortunately, there are still a great many unprotected devices connecting to healthcare IT networks, and each one is another weak point that cyber criminals can discover and exploit. It's quite clear that the healthcare industry is in dire need of a data security services makeover. In addition, healthcare IT must keep pace with ever-evolving cyber threats going forward.

It wasn't too long ago that the 2017 WannaCry attack threw the United Kingdom's National Health Service into disarray. And it was in 2017 that the US Department of Health and Human Services' Health Care Industry Cybersecurity Task Force described data security in healthcare as being in "critical condition."

Furthermore, the healthcare industry has fallen way behind other sectors – such as finance – in terms of effective means for protecting their IT infrastructure. Here is the key difference: In healthcare, an infected system can lead to a misdiagnosis, injury, or even a fatality.

Consider the scale of WannaCry's effects: an estimated 19,000 NHS appointments were cancelled, and doctors had to carry lab results between hospitals by hand. Imagine the ongoing ripple effect of that disruption.

Now, on to one of the most destructive cyber attacks of all time, NotPetya. In June 2017 it infected systems across the globe, including the medical transcription service Nuance. As a result, the health systems that depended on Nuance lost their transcription service. One of them, Sutter Health, has over 3 million patients using its systems.

The good news is that Sutter Health had already invested heavily in healthcare managed services, so it was able to get back online within a day. Nonetheless, it was left with a backlog of over a million files awaiting transcription.

Still, Sutter Health’s healthcare IT management procedures are not considered the norm in the healthcare industry.

What’s the Going Rate for Your Health Records on the Black Market?

It helps to put the rise of attacks on the healthcare industry in perspective when you understand why they are so profitable. To illustrate, a stolen social security number might sell for $.10 and a credit card number for $.25, but an electronic health record (EHR) can fetch hundreds to thousands of dollars. Now multiply that by 100,000, or even a million, EHRs and you have a serious payout. EHRs are so attractive to cyber criminals because they offer a treasure trove of information such as:

  • Historical data on your previous addresses
  • Names and ages of your relatives
  • Financial data such as credit cards and bank routing numbers
  • Past medical history
  • Work history

Once a breach occurs, high net worth patients could be blackmailed for the rest of their lives. The other problem is that, unlike a credit card, your EHR cannot be cancelled and reissued. It's no longer uncommon for stolen or fabricated EHRs to be published to embarrass or attack political targets.

Another alarming statistic is that the majority of EHR theft comes from within, often from doctors and nurses seeking financial gain. In 2016, 65 percent of EHR breaches originated inside the organization, and this is where healthcare cyber security services are sorely lacking.

Technologies are inconsistent

A rampant issue in healthcare is the sheer variety of patient systems and devices in use. Depending on the facility, you could find medical devices that are no longer manufactured or supported, or software with long-known, unpatched vulnerabilities. Then there are the breaches caused by employee mistakes.

This isn't to imply that hospitals aren't trying to improve, but the focus remains on patient privacy, with little attention given to the fact that the devices holding patient data are just as much of a risk.

What's more, many hospitals lack the resources, or the initiative, to hire full-time cyber security staff. Not to mention that nurses and doctors already have heavy workloads and may not notice when a device or system has been compromised. For instance, if a monitor has been tampered with and is displaying incorrect patient information, how would they know? And what can they do about a medical device that cannot be patched?

Currently, no regulator requires hospitals to keep their equipment patched and up to date. Many rural hospitals also simply don't have the capital to bring their systems up to the level needed to prevent sophisticated, and often unnoticed, attacks. The one silver lining is the transition many hospitals are starting to make towards the cloud and towards healthcare IT vendors who understand their particular data security needs.

Lack of Employee Awareness

Another grave security threat is the employees themselves. Many surveys have found a significant deficiency in data security education and preparedness, along with a poor grasp of important security policies. Without proper staff training, or access to a healthcare IT specialist, security policies are prone to failure. How can hospitals standardize their security while making it easy for employees to participate? The only logical answer is centralized healthcare IT support.

Is Central and Automated Security the Answer?

According to a study out of the University of Central Florida's department of health management and informatics, data breaches do increase a hospital's 30-day mortality rate. This is largely due to the aftermath of an attack, when the hospital has to disrupt normal operations to retrain staff, upgrade software, and replace hardware.

Consider the BYOD trend. While efficient, around 46 percent of healthcare organizations take no measures to secure their mobile devices, and many applications used in healthcare transmit data over unencrypted connections.

If just one mobile device is compromised, attackers could gain access to sensitive patient data. What does help, especially for healthcare organizations with limited training and resources, is bringing in third-party healthcare IT services.

So, how are cyber criminals using your stolen employee credentials?

These are the typical stages of the exploitation lifecycle:

  • Steal credentials through phishing, malware, social engineering, or an earlier data breach, and use them to read the victim's email
  • Use what is found there to pick and target the next recipients
  • Gain a foothold on the victim's systems
  • Establish persistent control over those systems
  • Escalate privileges
  • Move through the supply chain, third-party vendors and connected partners, to widen access or retrieve more data
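The lifecycle above is the stolen credential seen from the attacker's side. From the defender's side, most of those stages leave traces in the EHR's own audit trail. The following Python script is an added example, not code from the original post or from any vendor it mentions: it runs four simple detections over a constructed sample of EHR audit lines (a password-guessing burst that ends in a successful login, one account active from two addresses at once, a nurse opening records outside her department against the need-to-know rule this post calls for, and a privilege change on a clinical account). The log format, the account directory, the role names and the thresholds are all assumptions.

```python
"""Flag misuse of stolen clinician credentials in EHR audit logs.
Added example for this post, not code from the original page or any vendor; the log
format, account directory and every log line are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp,user,src_ip,event,detail
SAMPLE_LOG = """\
2019-04-02T08:01:12,nurse_j,10.20.1.15,login_ok,
2019-04-02T08:03:40,nurse_j,10.20.1.15,record_view,P1001:cardiology
2019-04-02T08:04:02,nurse_j,10.20.1.15,record_view,P1002:cardiology
2019-04-02T09:00:00,dr_k,10.20.2.40,login_ok,
2019-04-02T09:05:00,dr_k,10.20.2.40,record_view,P3001:oncology
2019-04-02T12:10:05,nurse_j,203.0.113.7,login_fail,
2019-04-02T12:10:09,nurse_j,203.0.113.7,login_fail,
2019-04-02T12:10:14,nurse_j,203.0.113.7,login_fail,
2019-04-02T12:10:20,nurse_j,203.0.113.7,login_fail,
2019-04-02T12:10:27,nurse_j,203.0.113.7,login_fail,
2019-04-02T12:10:33,nurse_j,203.0.113.7,login_ok,
2019-04-02T12:11:01,nurse_j,203.0.113.7,record_view,P2001:oncology
2019-04-02T12:11:05,nurse_j,203.0.113.7,record_view,P2002:oncology
2019-04-02T12:12:00,nurse_j,203.0.113.7,priv_change,role=admin
2019-04-02T12:12:30,nurse_j,10.20.1.15,record_view,P1003:cardiology
"""

# Assumed identity directory (department and role per account).
DIRECTORY = {
    "nurse_j": {"dept": "cardiology", "role": "nurse"},
    "dr_k": {"dept": "oncology", "role": "physician"},
}
# Assumed roles permitted to open records outside their own department.
CROSS_DEPT_ROLES = {"physician", "admin"}


def parse_log(text):
    """Parse audit lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "event": event, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, directory, fail_threshold=5,
           fail_window=timedelta(minutes=10), ip_window=timedelta(minutes=15)):
    """Return (kind, user, timestamp, detail) alerts for four misuse patterns."""
    alerts = []
    fails = defaultdict(list)   # user -> timestamps of recent login failures
    last_seen = {}              # user -> (timestamp, src_ip) of previous event
    reported = set()            # (user, dept) pairs already flagged

    for e in events:
        user, ts, ip, kind = e["user"], e["ts"], e["ip"], e["event"]

        # 1. One account active from two addresses within minutes: the real
        #    owner and whoever holds the stolen password working at once.
        if user in last_seen:
            prev_ts, prev_ip = last_seen[user]
            if prev_ip != ip and ts - prev_ts <= ip_window:
                alerts.append(("concurrent_session", user, ts, f"{prev_ip} -> {ip}"))
        last_seen[user] = (ts, ip)

        if kind == "login_fail":
            fails[user].append(ts)
        elif kind == "login_ok":
            # 2. Burst of failures followed by success: a guessed or sprayed password.
            recent = [t for t in fails[user] if ts - t <= fail_window]
            if len(recent) >= fail_threshold:
                alerts.append(("credential_guessing", user, ts, f"{len(recent)} failures from {ip}"))
            fails[user].clear()
        elif kind == "record_view":
            # 3. Need-to-know: a record outside the account's department, opened
            #    by a role with no cross-department privilege (one alert per dept).
            dept = e["detail"].split(":", 1)[1]
            who = directory.get(user, {})
            if (dept != who.get("dept") and who.get("role") not in CROSS_DEPT_ROLES
                    and (user, dept) not in reported):
                reported.add((user, dept))
                alerts.append(("need_to_know_violation", user, ts, dept))
        elif kind == "priv_change":
            # 4. Any privilege change on a clinical account is rare enough to page on.
            alerts.append(("privilege_escalation", user, ts, e["detail"]))
    return alerts


def alert_kinds(text=SAMPLE_LOG, directory=DIRECTORY):
    """Ordered list of alert kinds raised for a log."""
    return [a[0] for a in detect(parse_log(text), directory)]


if __name__ == "__main__":
    for kind, user, ts, detail in detect(parse_log(SAMPLE_LOG), DIRECTORY):
        print(f"{ts.isoformat()} {kind:22} {user:8} {detail}")
```

Run against the sample, the script raises exactly one alert per stage of the compromise: the guessing burst, the out-of-department reads, the role change, and finally the two-address overlap when the legitimate user keeps working from her workstation. The need-to-know check is the one a central support team can enforce consistently across sites, because it needs only the audit trail and the staff directory, not agents on every device.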

A report published by the Ponemon Institute and IBM Security found that the average cost of a data breach in the United States has climbed to $8.19 million, with the US healthcare industry the most expensive at $15 million. A healthcare breach costs around $429 per record, more than double the average for other industries.

Not to mention that cyber criminals are favouring ransomware attacks because they know hospitals can't afford to be offline. It becomes quite profitable when under-protected hospitals are left with little choice but to pay the ransom.

Still, HIPAA/HITECH Act regulations mandate strict compliance by third-party vendors. On average, healthcare providers spend around $3.8 million to mitigate third-party vendor risk. Even so, a 2018 Ponemon study found that 56 percent of healthcare organizations had experienced a breach through one or more of their third-party vendors.

Right now, it is critical for healthcare companies to leverage healthcare IT solution providers to:

  • Standardize remote support
  • Mitigate the risks of shared credentials
  • Maintain HIPAA/HITECH Act IT compliance
  • Manage network access for third-party vendors
  • Record support session activity

What can you do?

Every healthcare organization should acknowledge the importance of these three categories of effective cybersecurity:

  • Ongoing security management
  • Proactive intelligence gathering
  • Immediate response and recovery

It's imperative to do more than just observe: healthcare organizations must also be able to respond quickly to malware, phishing, firewall failures, email policy violations, and more. It's also vital to limit access to health information to those who need it to do their jobs.

Of course, the rising cost of healthcare makes it increasingly difficult for organizations to keep the resources needed to hire costly onsite IT security personnel. Instead, healthcare companies are starting to realize the value of embracing the cloud and healthcare managed IT services, which take the guesswork out of comprehensive cybersecurity.

Final thought

To improve healthcare data security, organizations need to work with healthcare IT consulting firms who have the unique ability to manage and protect data without disrupting workflows. As cyber attacks continue to rise, the dangers are just too great to ignore.

To learn more about how SSI can help, please contact us today.