Industries across the board are becoming more technology-driven as businesses embrace the digital era, and in many ways, healthcare is leading the way. Hospitals and clinics are transitioning away from paper medical histories in favor of electronic health records (EHR). This is largely thanks to the Medicare and Medicaid EHR Incentive programs, which reward healthcare providers who make the switch to qualifying EHR systems.
The digitization of medical records comes with plenty of benefits, but there’s an element of risk involved as well. Questions about healthcare cyber security were thrust into the national spotlight when hackers caused a data breach at a Los Angeles hospital in February 2016. This wasn’t an isolated incident. There was an average of at least one healthcare data breach per day in 2016.
These cyberattacks have patients worried that the healthcare industry might not be doing enough to protect their medical information. What are the possible consequences of these data breaches, and what can the healthcare industry do to increase its cyber security? We spoke with the experts to get the facts about this complicated situation.
The need to protect sensitive medical information
No one wants their information in the hands of malicious hackers, and this is particularly true when it comes to the highly sensitive information found in medical records. First there’s the obvious concern: your private medical history. This includes not only your basic health information, but also details about substance abuse, sexual history and mental health concerns. Those records also contain identifying information, including your Social Security number, which hackers could use to steal your identity.
The ramifications of a data breach can be catastrophic for both patients and providers. Patients could become victims of identity theft or have their sensitive medical information released to the public. Healthcare practices that are breached may face legal action, regulatory fines and negative PR, and may even have to close their doors for good, according to Dustin McEarchern of ProTechnical Performance IT Solutions.
Worse yet, data breaches can put patient safety on the line.
“Unsecured medical devices that are connected to or embedded within a patient may present risks that could put patient safety at risk,” says Mike Nelson, VP of Healthcare Solutions at DigiCert. “The ramifications of a patient being harmed by a device that malfunctions due to a cyber security breach are catastrophic.”
Cracks in the system
The healthcare industry’s increased reliance on technology calls for an increase in cybersecurity. Many healthcare providers and insurance companies have recognized that need and are already taking action to protect patient information.
“The good news is that healthcare providers take this extremely seriously,” says Ron Winward, Cyber Security Evangelist at Radware. “Healthcare providers understand that patient information and Personally Identifiable Information (PII) are some of their most important assets. There are also strict regulations to enforce them, such as HIPAA and HITECH.”
But protecting patient data is easier said than done. These are just a few of the cracks in the healthcare industry’s cyber security armor that our experts have identified.
Lack of resources
“Where we see non-compliance is in small- and medium-size practices due to lack of knowledge and resources,” says Jacob Ackerman, Chief Technology Officer at SkyLink Data Centers. Changing regulations and compliance requirements, coupled with the expense of keeping pace with updated technology, put smaller healthcare facilities at a disadvantage.
Larger practices aren’t immune to the problem, either. They, too, may struggle to protect patient data without enough resources to do the job.
“Larger healthcare providers, while typically better resourced and protected, have a much larger attack surface for hackers to try to chip away at,” McEarchern says.
You may imagine that unsecured technology is the biggest weakness in healthcare cyber security, but that line of thinking fails to take human error into account. “Much attention is paid to sophisticated technology solutions to protect data. Unfortunately none of that addresses the largest problem—people,” Ackerman says.
Hackers can still gain access to sensitive information the old-fashioned way. Printed medical documents that weren’t properly disposed of, passwords left out in the open for anyone to see, a faxed prescription that falls into the wrong hands or an unencrypted email platform can all lead to data breaches, according to Ackerman.
“We often think about breaches and exfiltration from an outside-in perspective, like an outsider coming in from the internet,” Winward says. But that assumption isn’t always correct. Another tactic hackers may use is to “breach the local office and work [their] way into the healthcare provider network that way, as trusted traffic from trusted IPs.”
How could a hacker manage this without healthcare employees noticing? Winward points out that nearly every exam room in every healthcare facility, from dentist offices to hospitals, has a computer. Patients—and possibly hackers—are often left alone with these computers while they wait to see their doctor.
“Nobody would ever notice a USB plugged into the back of one of those PCs,” Winward says.
The future of healthcare cyber security
The healthcare industry has some shaping up to do if it wants to keep pace with changing technology and protect its patients from data breaches. But it’s not all doom and gloom.
“The past several years have offered terrific advancements in protection,” Winward says.
Continuously improving technology and increasing the awareness of healthcare workers are key to protecting patient information.
“Firewall and security software manufacturers are constantly evolving their products with the healthcare industry in mind. Staff cyber security training resources are now widely available and affordable,” McEarchern says.
Beefing up healthcare cyber security is good news for those working in the cyber security field. The Bureau of Labor Statistics (BLS) predicts that cyber security jobs will increase by 18 percent from 2014 to 2024, and it’s all thanks to the need to protect sensitive information from cyberattacks. The BLS adds, “as the healthcare industry expands its use of electronic medical records, ensuring patients’ privacy and protecting personal data are becoming more important. More cyber security professionals are likely to be needed to create the safeguards that will satisfy patients’ concerns.”
Healthcare providers may have their work cut out for them, but the goal is for cyber security to eventually be an everyday practice in every facility.
“Cyber security needs to become part of the healthcare culture,” Nelson says. “As we continually practice good cyber security, it will become much more natural and a part of how things are done in the industry.”
Could you be a healthcare cybersecurity hero?
The healthcare industry has come a long way toward increasing cybersecurity, but it still has a ways to go. Healthcare providers need innovative information security analysts to help them keep patient information safe from the hands of malicious hackers.
If you’re ready to be the next healthcare cyber security hero, learn how to get started in our article, “How to Become an Information Security Analyst and Fill the Gap in the Tech Field”.