Cyber-attacks are a serious threat for the healthcare industry, but there are ways to be protected
Unfortunately, the healthcare industry is no longer a stranger to issues with cybersecurity. These problems used to mean dealing with the consequences of lost laptops or cellphones, but now the threat is far more severe. A 2015 study performed by the Ponemon Institute found that criminal attacks in healthcare were up 125% since 2010 and had become the leading cause of data breaches.1 Moreover, in February 2016, Ponemon found that healthcare organizations had experienced approximately one cyber-attack per month in the past year, and 48% of participating organizations had experienced an incident involving the loss or exposure of patient information during that same time period.2
Previously, the healthcare industry might not have seemed a likely target for these attacks. However, hackers have found thatk, by attacking healthcare organizations, they have a lot to gain and not much to lose—as they can make large sums of money using relatively simple methods.3
When hackers successfully attack healthcare organizations, they gain access to mass quantities of valuable data. They can acquire the names of patients and staff members, social security numbers and payment information to commit traditional financial fraud, but the threat goes beyond that.
They also gain access to health insurance information, which can be sold on online black markets for incredibly large amounts of money. Stolen health insurance information can enable hackers to obtain free medical care or purchase expensive medical equipment—crimes that aren’t noticed as easily as stealing bank account information, but perhaps are even more detrimental.4
“With a patient’s insurance information, a criminal may continuously bill the insurance carrier for fraudulent charges, which may go unnoticed for months,” explained John Mertz, CIO, South Nassau Communities Hospital. “Because of this, health information has become as much as 50 times more valuable than financial information.”
There is little room to deny that the healthcare industry is under attack, but that doesn’t mean it is powerless against these cyber threats. ADVANCE offers some tips here for readers to keep their patients—and themselves—prepared and secure.
Understand the Risk
Before healthcare providers can begin to combat threats against their cybersecurity, they must have a full understanding of what these attackers are doing—and what’s at stake. “The types of data that are collected by a typical healthcare company are a treasure-trove of information,” said Dan Logan, director of enterprise and security architecture at Tata Consultancy Services. “Healthcare professionals usually get a lot of training regarding privacy control, but they definitely need more user education around cybersecurity threats and how to handle digital data.”
“Most organizations have done what is needed to meet meaningful use and HIPAA privacy and security regulations, but these regulations don’t necessarily fully address cybersecurity,” agreed Mertz. “They need to train employees and build a culture of cybersecurity so breaches can be prevented by avoiding risky behavior, following good security practices and increasing user awareness of potentially malicious links, emails, websites and files.”
Unfortunately, many healthcare professionals don’t realize that they can be direct targets of these hackers. Although there are cases in which a healthcare professional knowingly causes a breach, in most cases an employee inadvertently clicks a link or opens an application that gives the hacker access to the network.
“Within a large enterprise like a hospital, it’s critical that the employees understand their obligations,” said Tony Consoli, president of the mid-Atlantic region and national healthcare practice leader at CBIZ Insurance Services Inc. “Employees need to be informed about the methods that these hackers will use.”
Secure your System
It’s easy for healthcare providers to sit back and say, “We haven’t been targeted before. Why should we suddenly make huge changes to our systems?” If they wait until a hacker has decided to attack their institution, though, it’s too late—at least some of their data will have already been breached.5 In order to prevent these breaches, security measures must be taken as soon as possible. “When implementing new systems, focus on security first—don’t let it be an afterthought,” said Mertz.
In addition to creating a system that is secure, healthcare organizations need to hire specialized security staff to ensure that all security measures are up-to-date and as strong as possible. “Security operations investment is necessary,” said Logan. “Companies really need a good team that knows what they’re doing because every cyber-attack is different. There’s no ‘one-size-fits-all.’”
However, hiring a specialized security team isn’t necessarily a simple task for many healthcare organizations. “IT directors at hospitals have limited budgets,” said Consoli, “and the budget being allocated to security is often inadequate.” It may be difficult for an organization to choose to spend a portion of an already minimal budget on precautionary measures—but if it means defending itself against a cyber-attack that could shut down its entire organization, the cost is worth it.
Hackers won’t send a warning before they attack, so healthcare professionals need to be prepared well in advance. How? In this case, the old adage rings true: practice makes perfect. “A lot of organizations run ‘red team/blue team’ exercises, where the blue team is their security team and the red team is the hacker,” said Logan. “Companies can actually hire hackers to try out different techniques so that the security team can test out their procedures.”
Have a Backup Plan
No matter how much time, effort and money a healthcare organization puts into its defense plan, there is no guarantee that it will always work. If a hacker gains access to an organization’s network, what can its security team do? “In the event that they’re seeing something unusual happening in their network, they need to shut down all affected servers to stop further penetration and immediately enact downtime procedures to prevent further impact on their overall business operations,” said Consoli. “All healthcare organizations should have a detailed IT business continuity plan in place and should test the plan periodically to ensure that employees, vendors and attending physicians know what to do in the event of a breach.
With healthcare organizations growing increasingly dependent on automated systems to store and organize data, it can be difficult to determine how to keep an organization functional when system access is lost. Whether a backup plan involves having open case files saved locally or keeping paper copies of important patient information while the patients are in the organization’s care (or even another method entirely) depends on the organization’s needs and preferences — but having a backup plan is crucial.
Technology changes rapidly. “These hackers are using new techniques seemingly every day,” said Consoli. When hacking techniques change, so must defense methods. Just because an organization’s preventative techniques work today doesn’t mean that they will tomorrow. It’s crucial to stay up-to-date about these attacks to understand what the current threat is and how healthcare providers can best protect their patients, colleagues and themselves.
- Ponemon Institute. Criminal attacks are now leading cause of data breach in healthcare, according to new Ponemon study. Ponemon Institute. 2015.
- Ponemon Institute. The state of cybersecurity in healthcare organizations in 2016. Ponemon Institute Research Report. 2016.
- Sullivan, T. Healthcare enters new cybersecurity era as hacktivists, organized crime, foreign nationals take aim. Healthcare IT News. 2016.
- Peterson, A. Why hackers are going after health-care providers. The Washington Post. 2016.
- Hagland, M., et al. Time to face the ransomware crisis in U.S. healthcare: industry experts speak out. Healthcare Informatics. 2016.