Posted March 13, 2019
As patient care and health records become digitalized, protecting the healthcare industry is more vital than ever. Not only is loss of revenue and reputation, or exposure of personally identifiable information (PII) at stake, a cyber attack on a healthcare facility could cause significant harm to patients should life-saving technology be compromised. As cybersecurity analysts research trends for 2019, they have begun to identify impending cyber threats in the healthcare space.
Healthcare data contains patients’ most vital information and PII — Social Security Numbers, medical identification numbers, and employment information – all of which can cause serious damage if exposed in a breach. Because of the nature of the data that healthcare systems contain, the penalties for HIPAA (Health Insurance Portability and Accountability) violations are severe. Depending on the degree of neglect by the provider, fines can range from $100-$50,000 per record compromised. To put that into perspective, the number of records exposed in healthcare data breaches is between 24,615 and 31,465 per breach, averaging a cost of $3.62 million.
In the largest healthcare data breach ever recorded, an advanced persistent threat (APT) attack compromised Anthem’s IT infrastructure and exposed the data of 79 million individuals. An investigation reported that Anthem neglected to put basic security measures in place, ultimately costing Anthem $131 million– $16 million of which went towards HIPAA fines. The lack of resources the healthcare industry puts towards cybersecurity makes for an easy target.
Electronic Health Records
99% of American hospitals use Electronic Health Records (EHR) systems according to a 2016 survey by the American Society of Hospital Pharmacists. As of 2009, only 12.2% of hospitals had even a basic EHR, according to a 2015 data brief from the American Heart Association (AHA), but the number of hospitals utilizing EHR systems has been on the rise in the last 10 years due to a federal incentive program.
EHR systems provide a multitude of benefits to healthcare providers and their patients, including ease of use and accessibility between healthcare providers and increased accuracy in treatment. EHR can alert clinicians to possible drug conflicts and new allergies, and is a quicker solution than a paper health record system. Though EHRs have been an incredible tool for clinicians and patients, they can pose serious risk to patients if these systems are compromised. Patient information can be used not only for financial gain, but for malicious reasons such as altering medical history, possibly effecting drug dosage or potential blackmail.
Insider Risk a Serious Threat to Hospitals
Insider threat is also a serious cause for concern in 2019. Because of the nearly ubiquitous EHR systems, all types of healthcare employees have access to care facility networks. Unfortunately, the combination of minimal cyber safety training and the lowest rates of data encryption make the healthcare industry even more vulnerable to cyber threats—healthcare data breaches are being reported at one breach per day, equating to more than 59% of the US population with exposed healthcare data. Hospital records have been exposed on ransomware forums for high dollar amounts, exposing ultrasensitive personal data to the black market.
In a curated list from the ECRI Institute, the #1 health technology hazard for 2019 is the exploitation of medical devices and their remote access systems. Hackers can access medical information through medical devices connected through the same networks as charting systems. Remote access systems pose a serious threat, though they are created for clinicians to access outside of the workplace, they provide another avenue for hackers to access the systems. Hacking into these devices can also help the infiltrators to use computing resources for other purposes, like mining cryptocurrency.
Healthcare Behind the Curve
According to industry research, healthcare organizations are among the slowest to adopt data security solutions. Hospitals invest as little as one tenth the amount spent by other industries on data security. In 2017, it was found that some healthcare organizations still used Windows XP and Windows Server 2003, which are no longer supported by Microsoft. This left many healthcare facilities vulnerable to the WannaCry and NotPetya ransomware attacks. Though medical technology advances at a rapid pace, cybersecurity in the industry is lightyears behind other verticals.
With increasing amounts of connected devices in the medical industry, healthcare providers need to ensure that their employees follow safe cyber hygiene. Cyber hygiene is the first line of defense in protecting patients against cyber-attack. A few simple ways to safeguard these medical devices is to create strong and unique passwords, updating and patching systems, and logging system access. For more tips on cyber hygiene, see our Cybersecurity ABCs blog.