It’s no secret that cyberattacks are escalating, rising in tandem with the growing sophistication of technology. One industry that has taken a massive hit from cyberattacks in recent years is healthcare. The healthcare industry is increasingly reliant on technology and data connected to the internet, such as patient records, lab results, radiology equipment and hospital elevators. Now imagine if a cybercriminal encrypted an entire hospital’s data with nasty ransomware. Doctors would be unable to pull up a patient’s medical records, or worse, unable to use internet-connected equipment to make a proper diagnosis.
Unfortunately, this is the reality that healthcare industry professionals are facing today. And while 92% of healthcare organizations are confident in their ability to respond to cyberattacks, there is a plethora of malicious activity that poses a great threat to their networks. Here are the main cybersecurity challenges faced by the industry today:
The Rise of Ransomware
You might recall the WannaCry attack of 2017, the ransomware worm that hit hospitals as well as other industries by exploiting a weakness in Windows machines. The worm infected thousands of computers around the world and threw the United Kingdom’s National Health Service into chaos. This led the Health Care Industry Cybersecurity Task Force to conclude that healthcare cybersecurity was in critical condition.
Why was the healthcare industry so impacted by this cyberattack? Many hospitals struggle to keep up with operating system upgrades because of the sheer volume of devices on the network. Moreover, much of the software in a medical-specific device is custom made, making system upgrades difficult. Additionally, manufacturers tend to avoid prematurely pushing out modifications that could potentially impact patient safety. For these reasons, medical machines continue to run outdated software, putting them at greater risk of cyberattacks such as ransomware.
Lack of Investment
Many organizations within the healthcare industry suffer from a lack of investment in cybersecurity solutions. Despite the number of breaches that occur, healthcare lags behind other sectors when it comes to taking security measures. Only 4-7% of healthcare’s IT budget is allocated to cybersecurity, while other sectors allocate about 15% to their security practices. However, the financial impact of a cyberattack when these solutions aren’t in place can take an even greater toll on an organization. Some hospitals and healthcare insurers see estimates of over $5 billion in costs as the result of cyberattacks on their systems. On top of the costs incurred remediating these breaches, healthcare organizations then have to deal with fines from the Department of Health and Human Services Office of Civil Rights.
Securing Connected Devices
With the growing adoption of IoT, more and more devices are being connected and used in healthcare systems. However, as connected medical devices become more powerful and widely adopted, they become greater targets for malicious actors to exploit. According to the Cybersecurity in Healthcare report, over 16% of IT professionals can’t patch their own operating systems, leaving the network wide open for attack. Now imagine if a cybercriminal gained access to just one medical device on the exposed network. This could lead to the theft of sensitive patient data or even unauthorized access to an implanted device that could cause physical harm to the user.
More than 100 C-suite and director-level executives voted on and then ranked the top 10 critical challenges, issues and opportunities they expect to face in the coming year during this week’s HCEG Annual Forum. The HealthCare Executive Group (HCEG), a 31-year-old networking and leadership organization, facilitated interactive discussions around these issues at its 2.5-day marquee event in Boston.
Executives from payer, provider and technology partner organizations were presented with a list of over 25 topics. Initially compiled from webinars, roundtables and the 2019 Industry Pulse Survey, the list was augmented by in-depth discussions during the Forum, where industry experts explored and expounded on a broad range of current priorities within their organizations. The HCEG Annual Forum concluded with HCEG Board Members announcing the results of the year-long process that determined the 2020 HCEG Top 10.
2020 HCEG Top 10 Challenges, Issues and Opportunities
Costs & Transparency — Implementing strategies and tactics to address growth of medical and pharmaceutical costs and impacts to access and quality of care.
Consumer Experience — Understanding, addressing and assuring that all consumer interactions and outcomes are easy, convenient, timely, streamlined, and cohesive so that health fits naturally into the “life flow” of every individual’s, family’s and community’s daily activities.
Delivery System Transformation — Operationalizing and scaling coordination and delivery system transformation of medical and non-medical services via partnerships and collaborations between healthcare and community-based organizations to overcome barriers including social determinants of health to effect better outcomes.
Data & Analytics — Leveraging advanced analytics and new sources of disparate, non-standard, unstructured, highly variable data (history, labs, Rx, sensors, mHealth, IoT, Socioeconomic, geographic, genomic, demographic, lifestyle behaviors) to improve health outcomes, reduce administrative burdens and support transition from volume to value and facilitate individual/provider/payer effectiveness.
Interoperability/Consumer Data Access — Integrating and improving the exchange of member, payer, patient and provider data and workflows to bring the value of aggregated data and systems (EHRs, HIEs, financial, administrative and clinical data, etc.) on a near real-time and cost-effective basis to all stakeholders equitably.
Holistic Individual Health — Identifying, addressing and improving the member/patient’s overall medical, lifestyle/behavioral, socioeconomic, cultural, financial, educational, geographic and environmental well-being for a frictionless and connected healthcare experience.
Next Generation Payment Models — Developing and integrating technical and operational infrastructure and programs for a more collaborative and equitable approach to managing costs, sharing risk and enhancing quality outcomes in the transition from volume to value (bundled payment, episodes of care, shared savings, risk-sharing, etc.).
Accessible Points of Care — Telehealth, mHealth, wearables, digital devices, retail clinics, home-based care, micro-hospitals; and acceptance of these and other initiatives moving care closer to home and office.
Healthcare Policy — Dealing with repeal/replace/modification of current healthcare policy, regulations, political uncertainty/antagonism and lack of a disciplined regulatory process. Medicare-for-All, single payer, Medicare/Medicaid buy-in, block grants, surprise billing, provider directories, association health plans, and short-term policies, FHIR standards, and other mandates.
Privacy/Security — Staying ahead of cybersecurity threats to the privacy of consumer and other healthcare information to enhance consumer trust in sharing data. Staying current with the changing landscape of federal and state privacy laws.
For the second straight year, ransomware attacks accounted for over 70 percent of all malware incidents in the healthcare sector, according to the recently issued 2019 Verizon Breach Investigations Report. Beazley reported that almost half of the ransomware incidents reported in 2018 involved healthcare companies, while CSO Online estimates that healthcare-related malware attacks will likely quadruple by 2020.
Adding salt to the wound, a private practice in Battle Creek, Michigan, was forced to close its doors in the aftermath of a devastating healthcare ransomware attack in 2019—the first public report of a ransomware-related business failure. Every day we read about another headline breach in healthcare.
Being in the ransomware hot seat is a lot to swallow for an industry responsible for the security of our most sensitive data. And therein lies part of the problem. Cybercriminals are always after the most lucrative targets and they have learned that healthcare providers are more likely to pay the ransom to get their patients’ data back.
Percy Syddall, CEO of A1care and a 25-year healthcare veteran who helps grow and manage businesses in the home care field, is sharing his story to help others avoid the business disruption and financial woes caused by cybercriminals. Syddall said, “I always strive to do what is best for my clients, which includes leveraging innovative technologies and maintaining the privacy of their personal data. Still, our company was attacked by ransomware, which almost forced us out of business. The cybercriminals threatened to expose private client data if we did not pay the ransom.”
“The hardest thing I’ve ever had to do was call each client and explain that the personal information they trusted my business to protect may have been compromised. At that time, very little was known about ransomware and I ended up paying the ransom to get my client data back,” continued Syddall.
Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records that take time to acquire and commoditize, ransomware locks healthcare professionals out of critical systems and demands payment or immediate action.
It’s hard to overstate how much the internet has benefited society. It distributes knowledge to the world, it allows us easy access to myriad services, and it makes it easy to communicate with people the world over, bringing us all closer than ever before. And that’s just the basics of what the World Wide Web provides.
But, wonderful though it may be, the internet also holds its own perils. Cybercrime has turned into one of the greatest threats to businesses and by extension the whole of society. In 2018, a hacking attempt took place somewhere in the world about every 40 seconds. Billions of dollars in damages are attributed to cyberattacks every year. The health industry has become a favored target for hackers, mainly because of patient data which is valued more than financial information.
It’s a sad fact, then, that many businesses do not take cybersecurity, the only line of defense against this online onslaught, as seriously as they should. Around half of all businesses admit that they do not consider cybersecurity a very high priority.
That is a mistake that could cost a company everything. This infographic, brought to us by HostingTribunal, serves to warn everyone about the incredible danger that hackers pose. It lists the most devastating and notorious cyberattacks to take place in recent history. These hacks caused monumental harm to their victims, and this visual journey details the exact extent of the damage as well as how the attacks happened — and lots more. So read on if you wish to learn about the biggest hacks in recent history.
We live in a world where medical errors are the third leading cause of death behind cancer and cardiac disease, leading to more than 200,000 preventable deaths every year. We have an aging population growing at an unprecedented rate: 8.5 percent of people worldwide (617 million) are aged 65 and older, and this percentage is projected to jump to nearly 17 percent (1.6 billion) by 2050, leading to an anticipated physician shortage of more than 50,000 by 2025. On top of all of this, healthcare costs are projected to increase to over 25 percent of GDP in the United States by 2025. The convergence of these events is pushing the entire industry to begin leveraging technology more than it has in the past.
Many of these challenges can be remedied by leveraging Industrial IoT (IIoT) technology that’s been proven to solve similar challenges in other industries. Could an interoperable, connected healthcare platform that applies the principles of an IIoT connectivity architecture to share data throughout the healthcare system be the cure for our ailing healthcare system?
West Health, now the Center for Medical Interoperability, seems to think so. In 2013 they published a report showing how an interoperable, connected healthcare system could provide nearly $30 billion in industry savings while improving patient outcomes in the process. These connected healthcare platforms provide the foundation for innovation that is needed to make a meaningful data-driven change in healthcare. It’s these platforms that open the door to application developers everywhere to create modality-specific applications using artificial intelligence and machine learning.
So what exactly is a connected health platform and how does it provide a foundation for transformational change in healthcare? First, a connected health platform consists of hardware (gateways and servers) and embedded software components that are designed to take all of the data from any medical device (clinical or remote) and convert it into a single usable format that gives providers access to a complete data set.
This connected platform will provide a variety of user interfaces, analytics and clinical applications to help users throughout the healthcare ecosystem distill value from this newly-gathered data. The applications range from the early detection of sepsis, to predicting cardiac arrest, to providing business analytics like bed and device utilization. The connected health platform will become the center of an ecosystem for further application development, similar to that of an online app store – but with built-in medical-grade safety and security. The connected health platform must ensure data security and patient privacy by aligning to guidance provided by the FDA on cybersecurity, and meeting the standards defined by HIPAA.
However, these connected health platforms are only as effective as the data they capture, which is determined by the connectivity frameworks they are built upon. Many of the currently deployed platforms are not platforms at all, but a collection of disparate systems that provide silos of individual device data.
These legacy systems have been built using internally-developed, proprietary, message-based communication technology. As the first step towards the development of a connected health platform, modern web services-based communication has been deployed on top of the legacy technology to begin integrating all of the disparate data streams via onsite data centers or the cloud. Although this is a step in the right direction, these platforms are far from complete. Because of the legacy communications infrastructure they are built upon, they are only able to aggregate a portion of the data making these systems a poor fit for true near-patient, real-time clinical decision support – the key to efficiently providing improved patient outcomes.
The Industrial Internet Consortium (IIC) recognized that the healthcare industry, along with many other “mission-critical” industries, was experiencing a similar set of connectivity and data integration challenges, and thus was not realizing the true benefit of the IIoT. In 2017, they set out to provide recommendations for the fundamental connectivity and security requirements of next generation IIoT systems. Its Industrial Internet Connectivity Framework document (IICF) recommends the Data Distribution Service (DDS) standard as the ideal framework for near patient, real-time connected health platform development. DDS provides a highly reliable, secure, real-time interoperable connectivity platform and is proven in other mission-critical environments, such as autonomous vehicles, naval ships and wind farms. These systems all rely on real-time data that allows medical device companies to design a connected health platform for today and the future without the burden of a less performant message-based architecture.
DDS provides a level of reliability, security and interoperable performance that cannot be matched by any other currently available, standards-based technology. By working with standards-based technology like DDS, healthcare developers can develop systems faster, with lower development and maintenance costs. Using an advanced connectivity software framework allows connected healthcare platform developers to focus on their core competencies and on their customers’ requirements: clinical workflow, analytics and diagnosis.
The next 10 years will be transformational for the healthcare industry. Innovation will be moving at an unprecedented pace. Big tech, medical device vendors, payers and providers will be racing to develop or leverage new technology to better utilize data to improve patient outcomes, lower the cost of care and run more efficient operations. The connected healthcare platform is the future of the healthcare market. Those who embrace this trend and get to market first will transform the industry and establish a model for high-value, lower cost care for generations to come.
Agile companies do things faster and more efficiently. In agile development, lean startup models apply agile methods to build high-quality systems that meet any industry, regulatory and other relevant standards such as HIPAA and remain “audit ready.”
Agile companies focus on quick wins, external focus, ruthless prioritization, and continuous development. Agile development relies heavily on constant testing to ensure improvement.
Agile compliance management
Lean development refers to a set of principles that are designed to eliminate waste, build-in quality, create knowledge, deliver fast results, defer commitment, respect people and optimize the whole process. At their core, both agile and lean development focus on efficiency, sustainability, speed, quality and communication.
Companies can deliver software faster when they eliminate inefficient processes. Agile development follows the following 12 principles:
Harnessing change to gain competitive advantage
Delivering working software frequently
Bringing together business and development departments
Conveying information efficiently
Measuring progress by working software
Promoting sustainable development
Focusing on technical excellence
Maximizing the amount of work not done
Using self-organizing teams to build the best designs, architectures, and requirements
Reflecting and adjusting
How Agile development applies to cybersecurity
Agile development methods align well to cybersecurity because they focus on harnessing change, readjustment and reflection. You see, malicious actors (think black hat hackers) have excelled in agile development. They continuously re-adjust their attacks to maintain superiority and remain one step ahead of defensive mechanisms employed by organizations by improving the quality of their software. To combat these threats, you need to come up with a similar agile security-first approach to protect your information and systems.
What is Agile compliance?
Agile compliance also focuses on the 12 principles of agile development; however, it focuses on threat mitigation and not product development. Furthermore, agile compliance prioritizes customer data security as well as stakeholder satisfaction as the primary product as opposed to customer satisfaction, which is the main focus of agile development.
When it comes to cybersecurity governance, risk and compliance (GRC), data integrity and availability lead to customer satisfaction and confidence. With compliance’s security-first approach, you create an iterative process that includes mitigation, monitoring and review, which is aligned with your controls and protects your data.
In cybersecurity, an agile compliance program is a security-first strategy that is put in place to protect data. This strategy focuses on your data controls’ quality and ensures that even when industry regulations and standards lag behind threat vectors, your company maintains a secure data environment. Here are the 12 principles:
By Pratik Kirve, writer, blogger, and content writer, Allied Analytics.
Healthcare providers have been considering data confidentiality more than ever. It has become a part of patient experience as the implementation of biometric technology to safeguard patient information adds a layer of trust and confidence. As the popularity of biometric authentication increases among smartphone users, healthcare providers have been utilizing it for various processes, especially security. According to the cybersecurity survey by HIMSS, there has been a significant improvement in awareness regarding cybersecurity among healthcare organizations.
More funding has been allocated to IT departments, and organizations have taken advantage of the increasing number of healthcare-specific solutions. Though the survey spotted many flaws in the implementation of security measures, such as the use of outdated technology on networks, the awareness and implementation of security shows that organizations have taken patient data security seriously. The survey also found that hackers have been carrying out security breaches and that organizations need to keep better watch over patient data and information.
Various measures have been taken by market players and tech giants to ensure the security of data. Fingerprint reading technology has been released to improve security and offer controlled access. Market players have been collaborating to enable better security through integration of iris biometric information with a blockchain network. The industry for healthcare biometrics is booming. According to the research firm Allied Market Research, the global healthcare biometrics market is expected to grow at a considerable CAGR through 2023. Following are some of the activities taking place in the industry:
I hope healthcare organizations delivered lots of TUMS and Advil to their beleaguered cybersecurity teams as a holiday bonus in 2018 – and maybe even a masseuse! With an overload of alerts, attacks and system compromises, it’s safe to say that working in a security operations center (SOC) can take both a mental and physical toll:
From 2010 to 2017, nearly 2,150 breaches involving more than 176 million patient records were reported to the Office of Civil Rights at the U.S. Department of Health and Human Services, according to a study published by the Journal of the American Medical Association (JAMA). During this period, the total number of breaches increased every year (except for 2015), with 199 reported in 2010 and 344 reported in 2017.
By Brad Spannbauer, senior director of product management, eFax Corporate.
When it comes to cybersecurity, healthcare organizations are up against a constantly shifting threat landscape. New technologies and techniques, employed by increasingly advanced criminals, require organizations to be proactive in their defense efforts, or they risk being outsmarted by those who seek to expose them. But security threats don’t just come from external sources; risks are just as prevalent within organizations. In fact, the latest edition of Verizon’s Data Breach Investigations Report found that healthcare is the only industry where insiders pose the greatest threat to sensitive data, with 58 percent of incidents coming from within.
Whether malicious in intent or the result of innocent mistakes by healthcare workers doing their best in a high-stress environment, a failure to recognize these risks and apply appropriate safeguards can have grave consequences for healthcare providers. For example, an IBM & Ponemon Institute study revealed that healthcare data breaches cost organizations $408 per record on average, which is more than three times the global average across all other industries. That may not seem like a lot of money, but multiplied by the thousands of records that could be contained on a stolen and unencrypted laptop, it adds up to a significant financial penalty.
It has become clear in the last few years that when it comes to cybercrime, hackers are not fussy about which organization or sector they focus on – if there’s profit to be made, anyone is a potential target.
However, there are of course institutions which will always be of particular desirability to cybercriminals. Financial institutions, banks and retail are among the most targeted because the goal of most cyberattacks is financial gain, and organizations in these industries are the most lucrative targets for cybercriminals. The healthcare sector is also heavily targeted because of the personal data it holds. This data may be stolen and used for different purposes, including fraud. As a consequence, the focus on healthcare institutions by hackers has ramped up in recent years.
This increased attention on the health sector is due to hackers seeing it as an inexhaustible source of money. On multiple occasions, media reports have described leaks of data from medical centers, followed by a ransom demand sent to clinic management and patients.
There are a number of other ways criminals can monetize attacks on healthcare equipment and applications. These include threatening patient health by altering stored information; using stolen data to fraudulently obtain access to medical care or controlled medications; leveraging personal information on patients and their family members; and sabotaging websites and/or infrastructure on behalf of unscrupulous competitors. Attacking healthcare institutions also allows criminals to resell stolen data to third parties such as insurance companies, healthcare providers, banks, and others, who can use this valuable information for a number of purposes (such as advertising, research, or even discrimination based on pre-existing conditions).
One specific way that criminals can carry out attacks is by exploiting advancements in health technology and equipment in recent years. We’ve seen an increasing number of medical devices such as pacemakers, drug pumps (like insulin infusion devices), implantable defibrillators, and other devices implementing wireless connectivity so that doctors can control and fine-tune their operation and update firmware. This makes these devices potentially incredibly dangerous for patients. A criminal could research and reverse-engineer communication protocols and exploit vulnerabilities in a simple piece of software used in those tiny devices, for example changing the heart rate controlled by a pacemaker, injecting incorrect doses of drugs or even making them show the wrong data — leading doctors to the wrong conclusions and causing them to make mistakes in their treatment.