Healthcare cybersecurity is in a state of transformation. As medical care becomes more networked and interconnected via computers and devices, the digital landscape of health administrators, hospitals, and patients, has become increasingly vulnerable.
The cybersecurity healthcare landscape has many facets. These include the information security networks of medical facilities and hospitals, medical equipment and devices, and protection of the privacy of patients. Technologies, processes and people are the cornerstones of the healthcare cybersecurity transformation.
The 2016 Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data presented by Ponemon Institute, May 2016, revealed that a large number of healthcare organizations have experienced multiple data breaches resulting from evolving cyber threats. Hackers have already exploited medical facilities and hospitals - and the problem is escalating.
Earlier this year, Hollywood Presbyterian Medical Center was victimized by ransomware. For ten days the computer systems were unavailable because of the hackers and Hollywood Presbyterian ended up paying the hackers in cryptocurrencies to recover control of their systems. Another US hospital, Boston Children’s Hospital was the target of a series of breaches including distributed denial of service attacks. Medical institutions in Europe and Canada have also been subjected to intrusions.
The reality is that hospitals are a logical hacker target for several reasons. They are susceptible to phishing attacks and insider threats because of the large data flows throughout various systems. They are many points of vulnerability for malware/ransomware extortion because their systems are networked with multiple stations and devices. In addition, most workers in medical facilities are not trained in basic cybersecurity hygiene.
For hackers, healthcare facilities are viewed as achievable targets where they can reap quick monetary gains. Hackers can steal medical records that are commodities with a resale value on the Dark Web. And, the likelihood is pretty strong that hospital administrators will pay ransoms to gain back operational control over facilities to reduce liabilities and putting patients at risk. Hospitals and healthcare facilities also want to protect their reputations and prevent cybersecurity incidents from going public.
The increasing reliance on medical devices also pose problems for healthcare cybersecurity, including ransomware. Medical devices can include devices such as ventilators, monitors, pumps, electrocardiographs, lasers, medical apps, and diagnostic imaging systems. Many of the devices are wireless (including medical infusion pumps or IVs) and send communications and update software over open airwaves. This opens up threat vectors that could be exploited remotely. The Department of Homeland Security (ICS-CERT) and the Food and Drug Administration (FDA) have issued warnings on the potential of device vulnerabilities. As connectivity and proliferation of devices such as telemedicine, smart beds, wearables, and portal medical technologies encompassing the Internet of Things (IoT) expands into healthcare, so does the digital risk.
One path forward to mitigate cyber gaps is enhanced collaboration between manufacturers and medical providers to ensure production of upgraded hardened devices with software packages with cybersecurity features to counter newer and more sophisticated hacker threats. Also, access management of these devices need to be strengthened and enforced through new protocols and processes. Clearly, industry, government, and the entire healthcare community have a stake in the outcome of safe medical care put at risk by cyber threats.
Protecting patient privacy is a paramount priority of healthcare stakeholders. HIPAA compliance and other regulatory security protocols are regularly being evaluated by federal agencies and legislators. The privacy and security measures for Electronic Health Records (HER) are guided by the HIPAA Security Rule. The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information via physical and technical safeguards.
Electronic records are a prime target of hackers. Last year, the health insurance company Anthem experienced a cybersecurity breach that resulted in the exposure of 80 million records. Data breaches among other insurance carriers have also occurred. Emerging authentication ID technologies and secure data sharing software are some hopeful developments that will help address challenges of the digital healthcare era.
There are solutions to threats and vulnerabilities. Healthcare is a critical infrastructure that needs to be protected with industrial safeguards and standards. Hospitals and medical facilities should have planning for continuity, backup, and recovery in cases of breach or cyber attacks. They should also have real-time monitoring of their networked systems, multiple firewalls and layered security. And perhaps encryption of medical devices to reduce security risks is required.
Healthcare cybersecurity really comes down to managing risk, not just with technologies but with leadership at the CIO and CISO levels backed by a trained and technically-current information security team. Security gaps will always remain, but the threat risk to the healthcare landscape can be significantly reduced via preparation and collaboration. It has become a safety imperative.
About the Author
Charles (Chuck) Brooks serves as the Vice President for Government Relations & Marketing for Sutherland Global Services. Chuck is also is the Chairman of CompTIA’s New and Emerging Technology Committee and serves as a Christian Science Monitor “Passcode Influencer” He was named “2016 Cybersecurity Marketer of the Year” at The Cybersecurity Excellence Awards. In government, Chuck served at the Department of Homeland Security as the first Director of Legislative Affairs for the Science & Technology Directorate. He also spent six years on Capitol Hill as a Senior Advisor to the late Senator Arlen Specter where he covered foreign affairs, business, and technology issues. In academia, Chuck was an Adjunct Faculty Member at Johns Hopkins University. He has an MA in International relations from the University of Chicago, and a BA in Political Science from DePauw University. Chuck is widely published in leading publications on the subjects of innovation, public/private partnerships, emerging technologies, and issues of homeland security and cybersecurity. Please follow him on Twitter @ChuckDBrooks and on LinkedIn.
