Electronic Health Reporter

Guest post by Santosh Varughese, president of Cognetyx

Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breaced three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.

1. C-level healthcare executives still aren’t taking data security seriously.

Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.

2. Frontline employees aren’t taking it seriously, either.

A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:

• Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
• Allowing other staff members to use their login credentials out of “professional courtesy.”
• Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.

Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.

3. Too many facilities think that HIPAA compliance is sufficient to secure their data.

Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.

4. Many facilities run severely outdated software and hardware.

The typical American hospital is a bizarre hodgepodge of state-of-the-art technology and antiquated legacy systems – all running on the same network. Cash-strapped facilities, under pressure from the C-suite to cut costs, take a “keep riding it until the wheels fall off” approach to computers and software. Some facilities are still running JBoss servers, very old versions of Windows, and other hardware and software that are so old, the manufacturers no longer support them or have even gone out of business. These antiquated systems have multiple security vulnerabilities that have never and will never be patched – and that are well-known among hackers.

5. Many healthcare organizations are reactive rather than proactive about their data security.

Like most other industries, rather than trying to prevent hacks before they happen, healthcare facilities scramble to clean up the mess once a breach has happened. But breaches can take a long time to detect – according to Microsoft, the median amount of time that hackers stay within a network undetected is over 200 days – and a massive amount of damage can be done in that time. In the notorious Anthem breach, hackers were in the system for “only” a few weeks before being detected – but in that time, they managed to compromise the records of 80 million current and former members and employees, including the company’s CEO.

What Can Healthcare Organizations Do to Turn the Tide in Their Favor?

Cybersecurity experts stress the importance of C-level executives shifting their mindset regarding data security, not depending on HIPAA to secure systems, allocating sufficient monetary and human resources to cybersecurity, and providing comprehensive, ongoing training for frontline employees.

However, as the Dartmouth ethnographic study demonstrated, addressing the human factor only goes so far. No matter how many times employees are told not to share their passwords or log in to the system on an unsecured connection, inevitably, an employee will either make a mistake, purposefully break the rules to “save time,” or become disgruntled and decide to strike back at the organization.

Minimize human error with strong policy and continual security education, and mitigate risks by keeping up to date on all cybersecurity software. Additionally, healthcare organizations can consider adding another layer of protection utilizing newer advanced artificial intelligence and machine learning technology. These new category of tools, recently brought to market as costs for data storage and processing continue to drop, monitor the system in the background and continually monitor for suspicious system activity even when they come from legitimate login credentials. This can help address the underlying problem of most data breaches – the misuse of stolen login credentials. That way, even when employees lose, disclose, or misplace passwords, the system is inoculated again malicious attacks. Only by combining rigorous training of employees with the latest technology to detect malicious insider activity can the war against hackers be won.