Amid the latest security breaches at well-known companies like Facebook and Marriott, cybersecurity has never been at the forefront of conversation more than it is today. No other industry knows the dangers of information vulnerability better than the healthcare sector, where confidential patient data is stored and shared across often obsolete systems on a regular basis. Although advancements in technology are allowing hospitals and clinics to digitally transform their networks, maintaining a high degree of security continues to be a challenge, which is why it’s important for organizations to carefully evaluate their current processes and decide which networking models to implement for the future.
Why legacy-oriented architectures can’t defend against cyberattacks
Today, many medical providers have networks built on legacy-oriented architectures that run a broad range of enterprise applications. While legacy EHR systems have performed positively in protecting patient records, legacy networks have not historically protected patient information flowing across a variety of applications used by staff and providers.
Legacy networks, which primarily offer only border protection, do not adequately protect the enterprise applications and data that exist outside of a medical records system. This type of environment is vulnerable to cyberattacks. Think back to the numerous attacks on credit card information in the last few years, including Equifax’s data loss. Because internal applications are not protected to the same extent as EMRs, networks built on legacy technologies are not designed to defend against users of cloud applications, or against internal vendors, patients, customers and business partners that may occasionally gain access.
The rise in zero-trust, session-based networking
In today’s digital landscape, modern healthcare networks must utilize zero-trust models to truly secure sensitive data. Session-based networking models are designed to use an exclusive two-way exchange of information between two specific endpoints. This type of model is context-aware and scalable across network boundaries, making the design more secure than overlay networks of the past. In addition, zero-trust networks are rooted in the principle of “never trust, always verify,” and work to treat internal and external access the same. They are designed to address lateral threat movement within the network by managing access enforcement based on user, data and location. But even as modern healthcare networks adopt these new models for enhanced security, challenges still remain.
Challenge #1: Packet-level authentication
A common challenge for legacy-oriented architectures is ensuring that all data within the network is automatically encrypted. Zero-trust models, on the other hand, require authentication for every packet in a provider’s network. These models can thwart malicious activity directly at the network layer. This next-generation feature secures networking while simultaneously increasing performance, by using standard compute infrastructure (no different from servers) to replace proprietary and legacy networking devices.
Challenge #2: Maintenance and updates
Updating modern networks requires continuous work, and the healthcare industry is struggling to maintain network access rights. As IoT-connected devices continue to permeate the industry, it is becoming necessary to secure these new access points on a daily basis. In fact, by 2020, 40 percent of IoT technology will be health-related, making up a $117 billion market. As modern waiting rooms are flooded with patients opting to kill time on their mobile devices rather than flipping through magazines, sensitive information is increasingly at risk of being accessed on these networks.
Challenge #3: The cultural mindset within organizations
The implementation of a modern network model impacts the entire healthcare organization. Since deploying network security can involve team members from all levels within the organization, it is crucial that all members are educated and aware of security and policy advancements. Unfortunately, according to an AT&T Cyber Security Insights report, roughly 78 percent of all employees fail to comply with their organization’s security policies and procedures. Creating a sense of personal responsibility and motivation to adhere to security policies within an organization can make all the difference in the fight to protect confidential data. Moreover, since zero-trust networks require cloud-based infrastructures, selecting the right secure vendor to partner with can prove difficult.
While cutting-edge technology presents an array of opportunities for the healthcare industry, which has infamously been slow to adopt system changes, it also poses unique challenges for network security that healthcare organizations will need to overcome in the coming years.
Summarizing the outcomes of 2018, the experts noted that the share of targeted attacks grew throughout the year, reaching 62 percent in Q4. Overall, targeted attacks became the preferred method of attackers (55 percent) in 2018, unlike the previous year.
The number of attacks aimed at data theft keeps growing. A statistical analysis of 2018 showed that attacker interest was mainly focused on personal data (30 percent), credentials (24 percent), and payment card information (14 percent).
In 2018, healthcare institutions in the U.S. and Europe were at the center of attention from hackers, receiving more attacks than even banks and finance. In addition to stealing medical information, hackers also demanded ransom for restoring the operability of computer systems. Hospitals were ready to pay hackers, patient lives being at stake. According to experts, attackers got hold of personal data and medical information of more than 6 million people.
DDoS attacks became more powerful: 2018 was marked by the two biggest DDoS attacks in history, reaching 1.35 and 1.7 terabits per second. IT companies were the second-most common target of DDoS attacks, after government institutions. Hackers disrupted the operations of internet service providers and game companies, which are particularly sensitive to downtime and equipment disruption.
In 2018, malware was used in 56 percent of attacks. Such popularity is caused by the fact that malicious software is becoming more and more available each year, which reduces the barrier to entry for cybercriminals. Attackers mostly used spyware and remote administration malware to collect sensitive information or gain a foothold on systems during targeted attacks.
Most likely, in one of the few lucid moments you have in your hectic, even chaotic schedule you contemplate healthcare’s greatest problems, its most pressing questions in need of solving, obstacles and the most important hurdles that must be overcome. And how solving these problems might alleviate many of your woes. That’s likely an overstatement. The problems are many, some of the obstacles overwhelming.
There are opportunities, of course. But opportunities often come from problems that must be solved. And, as the saying goes: For everyone you ask, you’re likely to receive a different answer. What must first be addressed? In this series (see part 2 and part 3), we ask. We also examine some of healthcare’s most pressing challenges, according to some of the sector’s most knowledgeable voices.
So, without further delay, the following are some of the problems in need of solutions, or, in other words, some of healthcare’s greatest opportunities. What are healthcare’s most pressing questions, problems, hurdles and obstacles, and how can they best be addressed?
Nick Knowlton, VP of strategic initiatives, Brightree
Throughout the healthcare ecosystem, patient-centric interoperability has historically been a huge challenge, specifically throughout post-acute care. This problem results in poor outcomes, unnecessary hospital re-admits, patients not getting the treatment they deserve, excessive cost burden and poor clinician satisfaction. This challenge can be solved through creating better standards, adapting existing interoperability approaches to meet the needs of post-acute care, implementing more scalable interoperable technologies, and involvement with national organizations, such as CommonWell Health Alliance and DirectTrust, amongst others.
Cybersecurity is one of the most pressing hurdles in the healthcare industry. The life and death nature of healthcare and the shift to electronic health records (EHR) creates an environment where hackers that successfully deploy ransomware and other cyberattacks can extort large sums of money from healthcare entities and steal highly sensitive data. To address this challenge, healthcare entities need to continue to increase their investment in cybersecurity and focus on improving their overall security posture by implementing tools and processes that will monitor all devices and assess their compliance with security policies; stop phishing attacks; keep all servers patched and current; ensure third-party vendors comply with policies; and train employees on proper security hygiene.
Cyberattacks continue to expose the security vulnerabilities of healthcare institutions, keeping many industry stakeholders awake at night. This is why every organization handling protected health information (PHI) needs to build security frameworks and risk sharing into their infrastructure by implementing risk-mitigation strategies and preparedness planning, and by meeting industry standards for adhering to HIPAA requirements. Hospitals and healthcare systems must keep their focus on strategies and tactics that ensure business continuity in the event of an attack, as it’s clearly not a matter of if a breach can happen but when.
The core problem for healthcare isn’t science, technology or caregiving intervention. It’s making sure that the systems of delivery and communications are thought through and actually respond to the way patients need and expect healthcare to be delivered. This means it doesn’t matter how advanced and perfected your health system may be — unless it conforms to culture — the way people think and behave — it will do nothing but confuse and frustrate patient needs, which are psychological and social, as well as physical and mental.
There’s no question that the forward march of medical technology has improved personal and public health, creating lasting positive change for humanity. New technology, however, sometimes comes with risks. While those risks rarely outweigh the potential advantages, fully exploring and preparing for them is an important responsibility.
New Solutions Pose New Dangers
One demonstration of this relationship occurred as we were developing medical devices meant to be used inside the human body. Using medical devices internally presents the problem of contamination from external sources, and we learned that killing bacteria isn’t enough — specifically, we discovered that the endotoxins produced by dead bacteria can also be harmful.
That particular issue, we’ve already solved. It is, however, an excellent example of how new benefits can present dangers that we hadn’t contended with before: our ability to kill bacteria presented a new problem as our technology continued to improve, and we started putting medical devices inside the body. We realized that some types of dead bacteria are still dangerous, and that our sterilization standards had to improve.
This relationship between new advancements and new risks continues today, although it takes different forms. The hot-button issue these days has more to do with data and privacy, which while not directly health related, has significant risks when breached.
Healthcare Data Innovations and Breakthroughs
Our ability to collect, process, and draw conclusions from ever larger amounts of data has been a huge boon to the medical industry.
Asset tracking is the process of using fluid, regularly updated databases to keep track of physical assets and tools at a facility. However, it’s useful in many more ways than inventory management. Scanning and mobile device technology allows an asset to be kept track of at every point in its journey, from storage to use.
This method of tracking and categorizing physical assets, as well as patients, can be very useful in preventing serious accidents caused by miscommunication. Even life-threatening mistakes, such as wrong-site surgery, can be prevented by good data management. Timing, types, and amounts of medication can also be streamlined with this process, which could for example automatically sweep a database for potential adverse reactions or conflicts before a drug is prescribed to a patient.
Giving doctors access to a digital database that covers a patient’s entire history is another advantage that advanced data technology can provide. These databases can be populated with information from several different sources, including family doctors, specialists, and even self-reported data. A doctor can have access to the notes of their peers in the medical community quickly and easily, vastly improving the care that a patient receives.
From a management point of view, new data technologies allow administrators to streamline the operations of their offices and hospitals. Understanding how to best utilize staff for a balance of efficiency and quality has a direct impact on the health of patients.
Predictive analytics is another area that can be hugely beneficial to the healthcare field. Basically, it’s an automated process that does much of the work a doctor does already: look at a patient’s history, compare it with current medical knowledge, and use it to make predictions about that patient’s future needs. The difference is the scale at which it can be performed when automated and the sheer volume of up-to-date data that can be included. Doctors can’t be expected to keep up to date with every new study, but a database can be populated with that information to compare against.
On both a wide and individual scale, the applications of our improving data technology are saving lives and improving the quality of life of patients.
All this integration, however, comes with those pesky risks. Not nearly enough to warrant halting progress but enough to need heavy consideration.
Cybersecurity in Healthcare
The problem with health data is it’s often some of the most private and consequential data about human beings. That, unfortunately, makes it some of the most profitable to identity thieves, and even advertisers with few scruples. Healthcare data can be held to ransom, used for identity theft, or even insurance fraud. As DeVry University notes: “Your name, address, date of birth and Social Security number are all in one convenient location — ripe for stealing. Cybercriminals can take your private health information (PHI) and sell it for high prices. In fact, stolen medical records sell for 10 to 20 times more than stolen credit card numbers.”
Guest post by David Thompson, senior director, product management, LightCyber.
Healthcare organizations are stuck between being an ever-increasing target of data breaches and generally having fewer security resources than a comparable enterprise. It’s a classic situation of needing to do more with less, with all of the urgency of a full-scale crisis.
Now it’s not uncommon to see the same organization suffer its second or third data breach, and patience (and patients too) is wearing thin. At the same time, we know that many organizations have intruders that are lingering and have stayed hidden for a year or more. It’s possible the cybercriminals are using an undiscovered foothold in one organization to get to another within the same health or provider network.
Almost without exception, healthcare organizations of all sizes seem helpless to stop a data breach. Stopping a breach means different things to different people, and that is part of the problem. A good portion of the industry is still focused on completely keeping an intruder from getting into their network. This is a fool’s errand and simply not achievable. Motivated attackers will find a way into any given network. Some professional vulnerability contractors will guarantee that they can break into your network within two days. There are far too many ways for an attacker to get in, particularly through an employee account or computer.
So, you can’t keep a network intruder out, but you can try to detect their presence as quickly as possible. Almost all healthcare organizations currently lack this capability, but some newer solutions and procedures are showing great promise in making the speedy detection of a network attacker a reality. The good news is that these approaches might only require an hour or two of personnel time each day, and sometimes quite a bit less than that, so it is well within the means of a small healthcare IT group that wears multiple hats and is always stretched thin.
Guest post by Stephen Cobb, senior security researcher, ESET.
Whatever you thought of President Obama’s penultimate State of the Union address, you have to admit it set some sort of record for the most words devoted to issues of data privacy and security (198 by my count). Furthermore, those words alluded to a raft of statements and announcements on these topics that were published in the days leading up to the speech. In short, it is clear that this President wants to make some changes with respect to cybersecurity and data privacy. What is not yet clear is how those changes will affect healthcare IT and the management of electronic health records. Will breach notification requirements change? Will penalties for breaches be increased?
The answers are not entirely clear at the moment. For a start, the President is a Democrat, but Republicans control the House and Senate. In other words, it is hard to know which of his proposals will be enacted. That said, it is better to look at them now and ask questions, engaging in the debates they are bound to provoke rather than wait and see what new laws finally emerge. For example, the President proposes to erect a single national 30-day data breach notification law in place of the scores of different state data laws that companies currently have to comply with. How will that affect electronic health records?
The answer may be “very little,” and that could be good news for electronic health records and health IT. In its current form, the proposed Personal Data Notification & Protection Act does not disrupt existing federal notification requirements related to health data breaches. The draft legislation does not apply to HIPAA covered entities and business associates, nor to the FTC-covered vendors of personal health records. Here is a boiled-down version of the current language, which I have put in quotes to show it comes from the bill: “Nothing in this Act shall apply to business entities to the extent that they act as covered entities and business associates subject to the HITECH act (section 17932 of title 42), including the data breach notification requirements and implementing regulations of that act. Nor will it apply to business entities to the extent that they act as vendors of personal health records and third party service providers subject to the HITECH act.”
If the law were to be passed with that language intact, it would leave in place what many of us still think of as the HIPAA 60-day notification deadline, as well as the FTC 30/60-day PHR regime. And when you’re trying to comply with a regulatory regime, a lack of change can be good. Another way of looking at the breach notification issue is that the healthcare sector, while often maligned for leaking data, is actually a pioneer in notification. The HIPAA privacy and security requirements were in play even before California passed the first of the state breach notification laws, which now exist in some form in more than 40 states (creating the patchwork regulatory nightmare that the President’s unified federal law seeks to dissolve).
Guest post by Daniel Piekarz, vice president of life sciences business development at DataArt.
The life sciences industry will be defined in 2014 by the growing market demand to apply newly developed technology, including big data analysis, to healthcare and medical device practices. While many of the amazing technological advances in the space are driven by a desire to aid humanity, the industry is also caught between increased economic and regulatory pressure that is forcing many to electronically collect heaps of data while looking for custom technology solutions that will allow them to leverage this valuable data and adhere to new industry standards.
Over the next year, trends that reflect newly available technology will start to develop. The adoption of healthcare big data technology will become a major theme in the sector this year, just as it has in several other industries. Many new technology offerings have been created to tie together data from multiple sources that can be accessed by researchers and physicians to allow them to easily exchange information. This also aids in research and development practices by offering another valuable tool to gather and analyze data.
Tied to the big data trend is the emergence of personal healthcare data aided by physicians’ adoption of EHR technology. By allowing patients to own and access their healthcare data on a healthcare information dashboard, patients can more easily understand risks and preventable care options. Pooling anonymized patient data together can also lead to better analysis, and physicians are already starting to work with vendors to develop big data diagnostic tools. These new technology advancements have started to create a generation of patients more committed to their own healthy future than ever before. Through an intelligent system database, patients and physicians can better understand patterns and symptoms that affect their healthy lifestyles. While this type of big data solution is gaining a foothold, there is still resistance from some doctors due to their concern over critical review of their procedures.
Guest post by Jared Rhoads, Senior Research Specialist in CSC Healthcare.
There is no gentle way to put it—cyber criminals from around the world are out to steal your personal health and financial information. And, if recent studies are an accurate reflection of the state of security in the healthcare industry then criminals have ample opportunity to do harm.
The past five years have seen rapid growth in the digitization of healthcare records and the online sharing and transmission of personal and financial data. Healthcare organizations have taken many of their information capabilities online, and they have embraced new technologies like portable media and mobile computing. However, they have not always been able to keep up with leading-edge security practices.
Experts warn that the healthcare industry lags in addressing known problems and implementing basic remedies. Many hospitals and practices, for example, have been slow to encrypt their data sources properly and to deploy basic network monitoring. An investigative report by The Washington Post found cases of medical staff at hospitals using unsecured computers to connect both to internal networks and the public Internet. A 2012 government review of industry security cautioned that the way in which some organizations offer remote connectivity to physicians could introduce additional security risks.
Inadequate security practices have enabled cyber crime activity to thrive. According to the federal government, an unprecedented 21 million Americans have had information from their medical records lost or stolen since 2009. Nearly three-quarters of healthcare organizations report having experienced some kind of data breach or security incident in the past 12 months, and 94 percent report at least one data breach in the past two years.
While not every data breach is necessarily a case of cyber crime, the incentives attracting cyber criminals to the scene are high. According to the World Privacy Forum, a stolen medical record now has a street value of roughly $50, compared to $14-18 for a credit card number or $1 for a Social Security number. Thieves use the rich medical and financial information to commit various forms of identity theft, including receiving free care, filing false patient claims to payers, and forging prescriptions.
Fortunately, medical-related cyber crime is receiving increased attention and awareness is on the rise. Healthcare organizations are beginning to move beyond simple risk assessments and venture into implementing more sophisticated anti-cyber crime solutions.
To address vulnerabilities and combat cyber crime, organizations need to take aggressive action and augment their security strategy using a variety of new approaches and technologies. Here are six ideas that all healthcare organizations can consider in 2013:
Implement automated network monitoring tools. Use automated tools to assess network vulnerabilities and monitor for breaches and unauthorized activity. Monitor key egress points to see what is being sent outside the walls of the organization, where and when it is being sent, and to whom it is being sent.
Deploy adaptive multi-factor authentication. Biometric patient identification systems based on fingerprints, palm vein patterns and other physical attributes can help guard against certain types of medical identity theft and insurance card fraud. User authentication requirements should also change dynamically based on where users are logging in from and what they are trying to access.
Consider outsourcing some or part of your security needs. Researchers at the Ponemon Institute have found that roughly a third of health organizations admit that they do not have the technology, budget or trained personnel necessary to handle today’s security challenges. Managed security service providers (MSSPs) offer a cost-effective way to have 24-hour network monitoring, incident tracking and immediate incident response.
Offer training, guidance, and approved versions of mobile apps for employees. Role-based employee training on mobile device security and guidance is critical to maintaining good security practices. Additionally, hospitals can offer enterprise versions of mobile apps and provide safely partitioned areas of the network for the apps to run on.
Patch, secure, and monitor medical devices. Medical devices such as IV pumps, pacemakers, and bedside equipment are a new target of choice for cybercriminals seeking to wreak non-financial havoc. To combat this threat, ensure that devices are virus-free prior to installation, and encourage biomedical engineering teams to communicate freely with IT support teams.
Consider cyber insurance. New insurance products are coming to market that are designed specifically with healthcare organizations and HIPAA-covered entities in mind. Policies can defray breach-related costs, such as legal defense, privacy notification and even federal fines and penalties.
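The zero-trust idea above (access enforcement based on user, data and location, with internal and external access treated the same) and the adaptive multi-factor authentication idea in this list (requirements that change with where a user logs in from and what they are trying to access) describe the same kind of policy decision. The following is an added illustration of such a decision function; it is not code from any author or vendor quoted on this page, and its role names, network labels, sensitivity tiers and scoring weights are all assumptions made for the example.

```python
"""Context-aware access decision for a hypothetical hospital portal (added example)."""
from dataclasses import dataclass

# Assumed data sensitivity tiers, highest first. PHI = protected health information.
SENSITIVITY = {"phi": 3, "internal": 2, "public": 1}

# Assumed least-privilege ceilings: the highest tier a role may ever reach.
# A billing clerk never reaches clinical PHI no matter how strongly they authenticate.
ROLE_CEILING = {"clinician": "phi", "billing": "internal", "vendor": "internal", "guest": "public"}

# Assumed risk weights. Note the clinical LAN is only *slightly* lower risk than
# the internet: "never trust, always verify" means location is a factor, not a pass.
NETWORK_RISK = {"clinical_lan": 0, "corp_wifi": 1, "guest_wifi": 3, "internet": 3}
UNKNOWN_NETWORK_RISK = 4
UNMANAGED_DEVICE_RISK = 2
MFA_THRESHOLD = 2  # risk score at or above this requires a second factor


@dataclass(frozen=True)
class Request:
    user_role: str
    network: str        # one of NETWORK_RISK's keys, or anything else (treated as unknown)
    device_managed: bool
    resource_tier: str  # one of SENSITIVITY's keys


def risk_score(req: Request) -> int:
    """Additive risk from where the user is and what they are using."""
    score = NETWORK_RISK.get(req.network, UNKNOWN_NETWORK_RISK)
    if not req.device_managed:
        score += UNMANAGED_DEVICE_RISK
    return score


def decide(req: Request) -> tuple[str, str]:
    """Return (required assurance, reason).

    Assurance is one of "deny", "none", "password", "password+mfa".
    Order of checks matters: authorization (role ceiling) is decided before
    authentication strength, so no number of factors widens a role's reach.
    """
    if req.resource_tier not in SENSITIVITY:
        return "deny", f"unknown resource tier {req.resource_tier!r}"
    ceiling = ROLE_CEILING.get(req.user_role)
    if ceiling is None:
        return "deny", f"unknown role {req.user_role!r}"
    if SENSITIVITY[req.resource_tier] > SENSITIVITY[ceiling]:
        return "deny", f"role {req.user_role!r} never reaches tier {req.resource_tier!r}"
    if req.resource_tier == "public":
        return "none", "public resource"
    if req.resource_tier == "phi":
        # Internal and external access are treated the same for PHI: always MFA,
        # and never from a device the organization does not manage.
        if not req.device_managed:
            return "deny", "PHI is only served to managed devices"
        return "password+mfa", "PHI always requires a second factor, on or off the clinical LAN"
    score = risk_score(req)
    if score >= MFA_THRESHOLD:
        return "password+mfa", f"risk score {score} >= {MFA_THRESHOLD}"
    return "password", f"risk score {score} < {MFA_THRESHOLD}"


def audit_line(req: Request) -> str:
    """Single log line per decision, so the egress/monitoring team can review policy hits."""
    decision, reason = decide(req)
    return (f"role={req.user_role} net={req.network} managed={req.device_managed} "
            f"tier={req.resource_tier} decision={decision} reason={reason!r}")


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    for sample in (
        Request("clinician", "clinical_lan", True, "phi"),
        Request("clinician", "internet", False, "phi"),
        Request("billing", "corp_wifi", True, "phi"),
        Request("vendor", "internet", True, "internal"),
        Request("guest", "guest_wifi", False, "public"),
    ):
        print(audit_line(sample))
```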
Cyber crime is a serious threat to health IT security, and it is unfortunately not going away anytime soon. However, by moving beyond the simple risk assessment and adopting a multi-faceted security strategy, prudent healthcare organizations can take significant steps toward protecting their patients’ information and mitigating risk.
Jared Rhoads is a Senior Research Specialist in CSC’s Healthcare group. He consults, researches, and writes on a broad array of topics relating to healthcare technology, trends, and legislation.