By Dena Bauckman, vice president of product management, Zix.
When you go to the hospital, you want to be under the care of the best personnel and state-of-the-art technology. It’s easy to assume that’s the case when you’re surrounded by astronomically expensive devices like MRI machines, CT scanners, and surgical robots.
Behind the scenes, however, systems might not be on the cutting edge. According to a report from the Institute of Global Health Innovation at the Imperial College of London, the National Health Service is plagued by inadequate cyber defenses that could put the service’s patients at risk. The picture isn’t any rosier on this side of the Atlantic Ocean. In September 2019 alone, just shy of 2 million records were breached in American healthcare hacks.
Antiquated computers, insufficient funding, and a lack of necessary expertise in cybersecurity are all combining to create a dangerous situation in healthcare. Sensitive as patient data may be, its theft isn’t even the biggest risk. “A cyberattack on a hospital’s computer system can leave medical staff unable to access important patient details — such as blood test results or X-rays, meaning they are unable to offer appropriate and timely care,” one of the aforementioned report’s authors wrote. “It can also prevent life-saving medical equipment or devices from working properly.”
A Typical Diagnosis
Despite the plethora of healthcare cybersecurity breaches in the headlines, most organizations still aren’t prepared to defend themselves against the latest generation of cyber threats. That’s no surprise because the number of threats they must contend with is increasing each day. In order to provide the best care possible, healthcare organizations must also collect some of the most valuable data available to enterprising cybercriminals.
Birthdays, Social Security numbers, payment information, and health records all add up to an identity theft gold mine. Once they have the information, hackers can steal even more with targeted phishing campaigns (a practice called spearphishing) that are almost impossible for the average user to detect. If all else fails, the granular detail associated with healthcare information means that the data can fetch a large sum on the dark web — especially when records are stolen by the millions.
As healthcare organizations adopt exciting new technologies, the problem only becomes worse. Those new technologies come with new vulnerabilities, some of which won’t be discovered until they’ve caused a breach. With so many digital devices (including those owned by employees) being used to access, store, and transmit sensitive data, it’s no wonder hackers are having an easy time finding an entry point.
Progress, Not Perfection
Verizon’s 2019 Data Breach Report found that healthcare organizations made up 15% of all data breach victims, and an August 2019 study by the Harvard School of Public Health indicated that 31% of Americans are “very concerned” their healthcare information is at risk of being stolen. That’s not to say organizations aren’t trying. Most of them have improved their security posture and implemented smart practices in order to protect themselves and their patients. The issue is that security is not a one-and-done process.
Sophisticated hackers are willing to spend the time and money necessary to strike pay dirt, which means healthcare providers must constantly strive to address the latest threats. These are the three areas where organizations should focus their efforts:
- Adopt a multi-layered security approach
Don’t look for the cybersecurity silver bullet; it doesn’t exist. Instead, use a layered security approach that provides protection from several critical attack vectors such as email, endpoint, and network. Put processes in place such as regularly updating software to the latest versions available and backing up systems frequently.
- Train employees thoroughly
Cybercriminals are a constant threat, but about 71% of healthcare breaches are inadvertently caused by employees. Onboarding cybersecurity experts is a costly proposition, but a few rigorous training sessions can create immediate and lasting improvements to your defenses. Remember that knowledge has a shelf life and that employees will need periodic refreshers to shake off rust and learn about the latest threats.
- Evaluate the security of new technologies
Advancements in technology can revolutionize patient care, but that shouldn’t demand a sacrifice in patient security. All too often, technologies are adopted and security becomes an afterthought. Before new tools and devices are brought into a healthcare organization, the security of the technology and its associated data should be reviewed.
Dollar signs tend to dominate the headlines, but cybersecurity attacks aren’t just about the costs involved. A breach in security is a breach in patient trust under the best circumstances — under the worst, it can prove to be a massive obstacle that prevents healthcare organizations from providing the necessary care. Healthcare organizations owe it to their patients to make every effort possible to protect their sensitive data, and the above three security measures are a sensible place to start.