Developments in technology have had a profound impact on nearly every aspect of our lives. We can hardly get through an hour without tech having an effect on what we’re doing, let alone a full day. From the morning alarm on our smartphones, to the Bluetooth sound system in our cars, to the social media accounts we share everything on, technology surrounds us.
Perhaps one of the aspects that many of us think the least about is how it has utterly transformed the way we manage our healthcare data. The development of electronic health records and, even more importantly, the cloud, have brought about all sorts of changes. Many have the potential to impact our lives in both positive and negative ways depending upon how they are managed.
When it comes to our health data, there is an added urgency in making sure everything is safe and secure no matter where it is ultimately stored. Well managed data can mean a more efficient and effective healthcare service, while mismanaged data can lead to the loss of personal information and an unraveling of the privacy most of us have come to expect in a professional healthcare setting.
Medical Records, HIPAA and the Cloud
In 1996, the United States government passed HIPAA, a landmark healthcare act that helped to create and enforce privacy and data security requirements associated with medical information. The act has since been expanded in an effort to keep up with modern technologies, and nearly everyone involved in the healthcare system is expected to follow the rules. Because of this legislation, one can expect that their medical records will be kept private unless they choose to release them, no matter where they are stored.
Cloud-based data storage and technology provides numerous benefits to the healthcare system including things such as better dataset analysis, improved efficiencies in individual patient care, and a much lower cost. However, it can also lead to a number of concerns, especially when it comes to HIPAA compliance. HIPAA rules not only apply to the medical facilities that are using cloud technology, but also to the tech vendors as well.
Unfortunately, just because cloud technology providers are not exempt from HIPAA rules, does not mean that they necessarily follow them. There is no real certification process and the government doesn’t exactly clear companies to work with healthcare organizations. It is completely up to the healthcare entity and the tech provider to make sure their services are meeting the necessary HIPAA standards.
Loopholes in the System
It may come as somewhat of a surprise to both patients and healthcare providers to learn that there are popular new aspects of medicine and technology that aren’t necessarily covered by HIPAA regulations. For instance, HIPAA does not cover anonymized data such as the data that is collected during genetic testing. Essentially, this allows for a patient’s anonymous information to be shared at will.
Only a few industries require resilient cybersecurity measures like healthcare. Yet, healthcare has a colossal cybersecurity problem. Data breaches continue to plague patients’ private medical records, in spite of their life-threatening conditions, spending large amounts of money, and entrusting financial information.
Healthcare remains a big target for cybercriminals, sitting firmly in their cross-hairs. Just for 2015, IBM reported more than 100 million breaches of medical records. Some organizations commit to privacy no matter what, but healthcare organizations are not keeping pace in adopting and promoting cybersecurity. But why do most healthcare organizations not have the latest cybersecurity tooling? Some of these reasons, we review in this article.
Why Hospitals and Care Facilities Lack of Robust Cybersecurity
The key reason why cybersecurity is not a conspicuous feature in may healthcare set-ups include:
#1 Limited cybersecurity awareness
Most hospitals concentrate on upgrading their medical technology and employing the best medical personnel and peripheral staff. They ensure they save lives more quickly and offer better overall care. While this is a reasonable practice, they soon relegate cybersecurity to the back-burner. The truth is, cybersecurity is a vital complement to these core values and priorities. Most of the time, hospitals can justify their need for an entire IT team, or at worst, a cybersecurity lead. However, directors may not have the necessary information to decide so.
#2 Lucrative healthcare targets
Hospitals are not always to blame, though. There’s an avalanche of attacks on hospitals. It is worth all of an attacker’s time to target a healthcare organization. As highly lucrative targets, these organizations can reveal data on a cast number of people at once. That is why standards are high to keep these organizations from the reach of attackers. But, what do you do when the attacker never quits chasing?
#3 Size of the specific organization
Many healthcare organizations are massive operations. It makes them increasingly vulnerable. Because more people are involved in the system, there are inevitable, more possible points an attacker can exploit. Imagine just one healthcare staff among several thousand falling for a phishing scam. It can compromise the whole system.
#4 Inconsistency with process
It often appears almost impossible to create and enforce consistent security standards and procedures. The reason is that the size of health organizations and hospitals means they may need to operate out of several buildings. Employees may then adhere to varying best practices, and in some cases, use different systems. Thus, it is hard to have a decent cybersecurity posture.
#5 Shared networks in healthcare organizations
Infosec revealed that one primary reason hospitals continue to appeal to cybercriminals is that most hospitals depend on shared wireless networks. Multiple devices on one network mean that one single point of vulnerability is all a hacker needs to access the whole system. It is a ticking time bomb.
Possible Solutions to Healthcare’s Cybersecurity Issues
What then can healthcare institutions and hospitals do to be on par with the latest cybersecurity practices? It turns out there’s so much they have control over:
Most hospitals can begin by adopting more advanced current technologies to protect patient information and keep their systems secure. Advanced software, monitoring systems, and futuristic tech such as biometrics are examples.
A cybersecurity budget is small fry for most healthcare organizations. It is merely a question of how much premium is on it like the infographic at the end shows across several industries. Prioritizing technological security features will add a decent layer of security around hospital operations. While hospitals may commit their entire budgets to cybersecurity, a hire, who knows their onions can promote substantial improvement.
We tend to have a negative view of risk, regarding it as a danger to the business. But, it also presents opportunities to push boundaries. If we reframe risk as a change-maker, then what degree of risk is acceptable? The healthcare industry faces this conundrum at every turn. Whether testing a toxic chemotherapy drug that could be lifesaving, or adopting IoT devices that provide detailed analytics, these advances can all expand the threat landscape.
Unlike testing pharmaceuticals in a controlled lab setting, the world of cyber and its risks are in constant flux. Healthcare data is at the top of cybercriminals’ lists, contributing to a record amount of breached health records in the past year. Full patient medical records are a valuable commodity on the dark web and?sell for up to $1,000?each.
Now, healthcare organizations can’t stay stagnant in implementing protections.
The reality of highly-regulated industries is that compliance mandates tend to govern security operations. But where regulations are cut and dry, risks do not fit neatly into boxes of “high risk” and “low risk.” Instead, risk is on a spectrum that requires a holistic cybersecurity strategy to appropriately prioritize and mitigate risk according to what is deemed as acceptable.
To help healthcare organizations mature security policies and become more comfortable with risk, here are three recommendations for 2020 cybersecurity planning:
By Steeve Huin, vice president of strategic partnerships, business development and marketing, Irdeto.
The Internet of Things (IoT) market is booming, with IHS Markit forecasting there will be 73 billion connected devices in use around the world by 2025. IoT technology has moved beyond speakers and smart fridges and is increasingly being utilized for critical applications across the healthcare industry, such as pacemakers, insulin and infusion pumps and medical imaging systems.
This Internet of Medical Things (IoMT) is subsequently opening up a new world of possibilities to improve upon patient care, while also improving operational productivity and effectiveness. However, as the proliferation of connected and complex medical devices grows, healthcare providers are more susceptible to cyberattacks.
The key challenge is that cyber criminals often operate as businesses themselves and will focus on targets that will provide the greatest return on their hacking investment. Therefore, as the healthcare sector becomes increasingly connected, we could see an extremely costly impact of IoT-focused cyberattacks, if security is not prioritized. Insecure devices, and potentially companion apps, present a variety of risks to safety and privacy in a critical industry such as healthcare.
The IoMT Threat Landscape
Unfortunately, cyberattacks are already an all too common reality for many organizations in the healthcare space. A recent survey by Irdeto of security decision makers in the healthcare, transport and manufacturing sectors, found that 82% of healthcare organizations have experienced an IoT-focused cyberattack in the past year, with 30% of attacks resulting in compromised end-user safety.
IoT devices are often targeted by cybercriminals as they are much easier to compromise than businesses’ more sophisticated perimeter cyber defenses. The problem is that growth in the use of IoT has far outstripped the increase in trained professionals emerging. As a result, healthcare organizations often don’t have the expertise internally to ensure the connected devices they are using within their organizations are secure.
The research also emphasized this point, revealing that only 6% of healthcare organizations have everything they need to tackle IoT cybersecurity challenges, with an urgent requirement for increased skills and more budget for security identified. In addition, the research found that 98% of respondents in healthcare organizations believe the cybersecurity of IoT devices could be improved and one in four manufacturers of IoT devices for healthcare only update the security of devices they manufacture while they are in warranty.
These alarming findings, combined with reported cyber incidents to critical connected devices in the last few years, make for worrying reading. For example, in the last two years we have seen pacemakers recalled to install a critical patch to update firmware against cybersecurity issues, as well as cybersecurity warnings for insulin pumps from the FDA and Health Canada.
Modern technology can be seen as a blessing and a curse, especially when it comes to the technology used in healthcare. Some of the medical technological advancements seen today are astonishing. They are there to improve our quality of life and to make us live longer, healthier lives, but everything good comes with risks. The technology we deal with today is rapidly developing and as it does, new threats are being presented to both doctors and hospitals. Today, we will be taking a look at six technologies currently being developed that could potentially become hazardous in the field of medical technology.
As we become more and more reliant on electronic medical records, the susceptibility of a hospital suffering a cyberattack or struggling because of a network failure is continuing to increase. To reduce the risk of this happening, all hospitals will need to have an extremely complex network security system that is resistant to hackers. They also need to make sure they have back-up files in case they have to deal with network failure.
Telemedicine is the practice of remote patient care, so the patient and the provider won’t be physically present with each other. This modern technology has been developed to enable consultations with patients over easy and robust telemedicine software. Although this is convenient, it may create challenges when trying to ensure the quality of care. If things go wrong, then a lawsuit could be filed for medical negligence. In these cases, a Miami medical malpractice attorney should be contacted.
Recently, there has been a huge development in medical device technology and there is a wide range of medical devices on the market. These wearable sensors are constantly transmitting a vast amount of health information to doctors. This has already been proven to increase the expectations of patients because they believe doctors are constantly monitoring and will act upon this.
The trend in cybersecurity news is to focus on the latest buzz words like artificial intelligence, blockchain, ransomware, denials of service or HIPAA fines. Recent hacks are front page news. Trends also includes the increasing cybersecurity regulatory mandates such as state laws providing private consumer rights (class actions) against offending healthcare providers and their officers and directors. Another hot topic is the dearth of cybersecurity skills.
CISOs and other business leaders responsible for security of ePHI and business continuity are the intended audience and are being inundated with the tornado of cyber security trends—much of which is vendor driven. They’re also being pulled in many different directions internally with competing priorities. At a recent panel discussion of CISOs at Northern California HIMSS’ CXO Summit, one busy CISO described how he is repeatedly added to committees on all sorts of different subjects, some of which he had never heard of.
Whitepapers discussing the “top 10 priorities” or “top 10 trends” are commonplace. They’re usually vendor driven and focus largely on the most prevalent asset type — computers. That is, desktops, laptops and servers about perimeter security or internal threats from user behavior; including training users not to click on suspect emails to prevent phishing attacks.
Overlooking Second Most Prevalent Asset Type — Printers
But no one is talking about, or including in the top 10 lists, the second most prevalent asset type in all healthcare providers’ IT enterprises — their printers. For some reason, networked printers (any device that creates an image, electronic or otherwise, including multi-function, single-functions, faxes, scanners, label printers, etc.) are not perceived as the same risk as other computers, even though in the past few years there have been reported hacks of 50,000 to 150,000 networked printers. Also, a research house exposed that faxes can be easily exploited to hack printers and the corporate networks where they reside.
Why is this trend not hot on the minds of top security professionals? It could be because of the origins of today’s modern business printers as “dummy copiers” or the fact that they are often not procured or managed by the information technology department or visible to the information security department. Or, it could be because vulnerability management, intrusion detection and information security consulting vendors driving today’s messaging do not include printers in their solutions.
Little Known Facts about Print Fleets
Whatever the reason, here are few important facts that you should know about almost all printers in healthcare:
Printers are mission critical to patient care and part of providers’ tier one applications.
Printers are everywhere. There can be as many as one printer to one employee or between 1:6 and 1:10.
Printers are often accessible or visible in public areas and not in protected data centers or offices like many other computers.
They aren’t assigned users like desktops or laptops, or system administrators like servers in data centers.
Printers have built-in security settings, but they are not being set or maintained.
HIPAA requires that all printers be included in the comprehensive risk analysis and cyber hardened for security of ePHI regardless of make, model, age or type.
Printers are shipped and regularly deployed and maintained on networks with factory default settings including published factory default administrator passwords to enable bad actors to take control of them.
Even if security settings on printers are set at time of deployment, they get unknowingly reset back to factory defaults (turned off).
Why Act Now to Secure Printers?
The easiest answer: because it’s the law (HIPAA) and you’re exposing your company to serious and long-lasting financial risk if you are not acting now to secure (and keep secured) all the printers in your print fleet. Also, the fact that other regulations are being regularly enacted that go beyond HIPAA mandates exposing companies to even more severe penalties.
It’s no secret that cyberattacks are escalating, rising in tandem with the growing sophistication of technology. One industry that has taken a massive hit by cyberattacks in recent years is the healthcare industry. The healthcare industry is increasingly reliant on technology and data connected to the internet, such as patient records, lab results, radiology equipment and hospital elevators. Now imagine if a cybercriminal encrypted an entire hospital’s data with a nasty ransomware. Doctors would be unable to pull up a patient’s medical records, or worse, utilize equipment connected to the internet to make a proper diagnosis.
Unfortunately, this is the reality that healthcare industry professionals are facing today. And while 92% of healthcare organizations are confident in their ability to respond to cyberattacks, there is a plethora of malicious activity that poses a great threat to their networks. Here are the main cybersecurity challenges faced by the industry today:
The Rise of Ransomware
You might recall the WannaCry attack of 2017, the ransomware worm that attacked hospitals as well as other industries by exploiting a weakness in Windows machines. This worm infected thousands of computers around the world and threw the United Kingdom’s National Health Service into chaos. This resulted in the Health Care Industry Cybersecurity Task Force to conclude that healthcare cybersecurity was in critical condition.
Why was the healthcare industry so impacted by this cyberattack? Many hospitals struggle to keep up when it comes to upgrading their operating systems due to the sheer volume of devices on the network. However, much of the software in a medical-specific device is often custom made, making system upgrades difficult. Additionally, manufacturers tend to avoid prematurely pushing out modifications that could potentially impact patient safety. For these reasons, medical machines continue to exist with outdated software, putting them at greater risk of cyberattacks such as ransomware.
Lack of Investment
Many organizations within the healthcare industry suffer from a lack of investment in cybersecurity solutions. Despite the number of breaches that occur, healthcare is behind other sectors when it comes to taking security measures. Only 4-7% of healthcare’s IT budget is allocated to cybersecurity, while other sectors allocate about 15% to their security practices. However, the finances associated with a cyberattack if these solutions aren’t put in place can take an even greater toll on an organization. Some hospitals and healthcare insurers see estimates of over $5 billion in costs as the result of cyberattacks on their systems. On top of the costs incurred finding a solution to fix these breaches, healthcare organizations then have to deal with fines from the Department of Health and Human Services Office of Civil Rights.
Securing Connected Devices
With the growing adoption of IoT, more and more devices are being connected and used in healthcare systems. However, as connected medical devices become more powerful and widely adopted, they become greater targets for malicious actors to exploit. According to the Cybersecurity in Healthcare report, over 16% of IT professionals can’t patch their own operating systems, leaving the network wide open for attack. Now imagine if a cybercriminal gained access to just one medical device on the exposed network. This could lead to the theft of sensitive patient data or even unauthorized access to an implanted device that could cause physical harm to the user.
More than 100 C-Suite and director level executives voted and then ranked the top 10 critical challenges, issues and opportunities they expect to face in the coming year, during this week’s HCEG Annual Forum. The HealthCare Executive Group (HCEG), a 31-year old networking and leadership organization, facilitated interactive discussions around such issues in their 2.5 day marquee event in Boston.
Executives from payer, provider and technology partner organizations were presented with a list of over 25 topics. Initially compiled from webinars, roundtables and the 2019 Industry Pulse Survey, the list was augmented by in-depth discussions during the Forum, where industry experts explored and expounded on a broad range of current priorities within their organizations. The HCEG Annual Forum concluded with HCEG Board Members announcing the results of the year-long process that determined the 2020 HCEG Top 10.
2020 HCEG Top 10 Challenges, Issues and Opportunities
Costs & Transparency — Implementing strategies and tactics to address growth of medical and pharmaceutical costs and impacts to access and quality of care.
Consumer Experience — Understanding, addressing and assuring that all consumer interactions and outcomes are easy, convenient, timely, streamlined, and cohesive so that health fits naturally into the “life flow” of every individual’s, family’s and community’s daily activities.
Delivery System Transformation — Operationalizing and scaling coordination and delivery system transformation of medical and non-medical services via partnerships and collaborations between healthcare and community-based organizations to overcome barriers including social determinants of health to effect better outcomes.
Data & Analytics — Leveraging advanced analytics and new sources of disparate, non-standard, unstructured, highly variable data (history, labs, Rx, sensors, mHealth, IoT, Socioeconomic, geographic, genomic, demographic, lifestyle behaviors) to improve health outcomes, reduce administrative burdens and support transition from volume to value and facilitate individual/provider/payer effectiveness.
Interoperability/Consumer Data Access — Integrating and improving the exchange of member, payer, patient, provider data and workflows to bring value of aggregated data and systems (EHR’s, HIE’s, financial, admin and clinical data, etc) on a near real-time and cost-effective basis to all stakeholders equitably.
Holistic Individual Health — Identifying, addressing and improving the member/patient’s overall medical, lifestyle/behavioral, socioeconomic, cultural, financial, educational, geographic and environmental well-being for a frictionless and connected healthcare experience.
Next Generation Payment Models — Developing and integrating technical and operational infrastructure and programs for a more collaborative and equitable approach to manage costs, sharing risk and enhanced quality outcomes in the transition from volume to value. (bundled payment, episodes of care, shared savings, risk-sharing, etc).
Accessible Points of Care — Telehealth, mHealth, wearables, digital devices, retail clinics, home-based care, micro-hospitals; and acceptance of these and other initiatives moving care closer to home and office.
Healthcare Policy — Dealing with repeal/replace/modification of current healthcare policy, regulations, political uncertainty/antagonism and lack of a disciplined regulatory process. Medicare-for-All, single payer, Medicare/Medicaid buy-in, block grants, surprise billing, provider directories, association health plans, and short-term policies, FHIR standards, and other mandates.
Privacy/Security — Staying ahead of cybersecurity threats on the privacy of consumer and other healthcare information to enhance consumer trust in sharing data. Staying current with changing landscape of federal and state privacy laws.
For the second straight year, ransomware attacks accounted for over 70 percent of all malware incidents in the healthcare sector, according to the recently issued 2019 Verizon Breach Investigations Report. Beazley reported that almost half of the ransomware incidents reported in 2018 involved healthcare companies, while CSO Online estimates that healthcare-related malware attacks will likely quadruple by 2020.
Adding salt to the wounds, a private practice in Battle Creek, Michigan, was forced to close its doors in the aftermath of a devastating healthcare ransomware attack in 2019—the first public report of a ransomware-related business failure. Every day we read about another headline breach in healthcare.
Being in the ransomware hot seat is a lot to swallow for an industry responsible for the security of our most sensitive data. And therein lies part of the problem. Cybercriminals are always after the most lucrative targets and they have learned that healthcare providers are more likely to pay the ransom to get their patients’ data back.
CEO of A1care, Percy Syddall, a 25-year healthcare veteran who helps grow and manage businesses in the Home Care field is sharing his story to help others avoid the business disruption and financial woes caused by cybercriminals. Syddall said, “I always strive to do what is best for my clients, which includes leveraging innovative technologies and maintaining the privacy of their personal data. Still, our company was attacked by ransomware, which almost forced us out of business. The cybercriminals threatened to expose private client data if we did not pay the ransom.”
“The hardest thing I’ve ever had to do was call each client and explain that the personal information they trusted my business to protect, may have been compromised. At that time, very little was known about ransomware and I ended up paying the ransom to get my client data back,” continued Syddall.
Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records that take time to acquire and commoditize, ransomware locks healthcare professionals out of critical systems and demands payment or immediate action.
It’s hard to understate how much the internet has benefited society. It distributes knowledge to the world, it allows us easy access to myriad services, and it makes it easy to communicate with people the world over, bringing us all closer than ever before. And that’s just the basic things the World Wide Web provides.
But, wonderful though it may be, the internet also holds its own perils. Cybercrime has turned into one of the greatest threats to businesses and by extension the whole of society. In 2018, a hacking attempt took place somewhere in the world about every 40 seconds. Billions of dollars in damages are attributed to cyberattacks every year. The health industry has become a favored target for hackers, mainly because of patient data which is valued more than financial information.
It’s a sad fact, then, that many businesses do not take cybersecurity, the only line of defense against this online onslaught, as seriously as they should. Around half of all businesses admit that they do not consider cybersecurity a very high priority.
That is a mistake that could cost a company everything. This infographic, brought to us by HostingTribunal, serves to warn everyone about the incredible danger that are hackers. It lists all the most devastating and notorious cyberattacks to take place in recent history. These hacks caused monumental harm to their victims, and this visual journey details the exact extent of the damage as well as how the attacks happened — and lots more. So read on if you wish to learn about the biggest hacks in recent history.