Anyone who watches the news should be aware of the constant threat of identity theft. Every day, hackers create new scams and tactics to steal private information that they can sell to the highest bidder or use to take out loans and credit cards and put victims in debt. Unfortunately, few industries are as exposed to these threats as the healthcare industry.
Every time someone goes to the doctor, they are sharing personal details with their medical provider and other staff, which gets logged into a computer for later — and hackers are eager to unlock this treasure trove of private info. As technology advances, so will the threats, so extra precautions will be necessary. Below are the threats coming down the pike and how to prevent them.
Emerging Healthcare Threats
Healthcare will always be a huge target for cyber thieves simply because of the pure amount of information that is created with every doctor’s appointment or surgical procedure. An emerging threat that is gaining steam is ransomware attacks, where hackers take control of patient data with the hope of illegal profit.
Just one example includes how, early in 2019, hackers gained access and encrypted the data within the computer system of provider NEO Urology. Fearing the worst, the staff paid the requested $75,000, and the data was freed. It was a painful price to pay for a threat that could have been avoided.
All it takes is one successful scheme to bring the criminals out of the woodwork. Since the NEO hack, several other ransomware attacks have occurred around the country, including instances in New York and California, where thousands of patient records have been compromised. When these attacks occur, it is not only patients that face the consequences, but also the business, as the cost to repair a corporate image and fix the damage could cost a company millions.
New technologies are on the horizon, but they too must be safeguarded from cyber threats. Lately, the idea of integrating artificial intelligence into hospitals has been gaining steam, as experts believe that this technology could limit the number of hospital errors as well as assist with earlier detection of medical issues. However, while this technology continues to evolve, it is still open to the risk of cybercrime.
As a first step to securing your hospital systems, a penetration test should be completed. Penetration testing involves inspecting your system for vulnerabilities, such as weak firewalls or poor security policies, and creates a report, so you know what to fix to protect patient information involved. Your baseline security should be intact before adding any new features.
By Dena Bauckman, vice president of product management, Zix.
When you go to the hospital, you want to be under the care of the best personnel and state-of-the-art technology. It’s easy to assume that’s the case when you’re surrounded by astronomically expensive devices like MRI machines, CT scanners, and surgical robots.
Behind the scenes, however, systems might not be on the cutting edge. According to a report from the Institute of Global Health Innovation at the Imperial College of London, the National Health Service is plagued by inadequate cyber defenses that could put the service system’s patients at risk. The picture isn’t any rosier on this side of the Atlantic Ocean. In September 2019 alone, just shy of 2 million records were breached in American healthcare hacks.
Antiquated computers, insufficient funding, and a lack of necessary expertise in cybersecurity are all combining to create a dangerous situation in healthcare. Sensitive as patient data may be, its theft isn’t even the biggest risk. “A cyberattack on a hospital’s computer system can leave medical staff unable to access important patient details — such as blood test results or X-rays, meaning they are unable to offer appropriate and timely care,” one of the aforementioned report’s authors wrote. “It can also prevent life-saving medical equipment or devices from working properly.”
A Typical Diagnosis
Despite the plethora of healthcare cybersecurity breaches in the headlines, most organizations still aren’t prepared to defend themselves against the latest generation of cyber threats. That’s no surprise because the number of threats they must contend with is increasing each day. In order to provide the best care possible, healthcare organizations must also collect some of the most valuable data available to enterprising cybercriminals.
Birthdays, Social Security numbers, payment information, and health records all add up to an identity theft gold mine. Once they have the information, hackers can steal even more with targeted phishing campaigns (a practice called spearphishing) that are almost impossible for the average user to detect. If all else fails, the granular detail associated with healthcare information means that the data can fetch a large sum on the dark web — especially when records are stolen by the millions.
As healthcare organizations adopt exciting new technologies, the problem only becomes worse. Those new technologies come with new vulnerabilities, some of which won’t be discovered until they’ve caused a breach. With so many digital devices (including those owned by employees) being used to access, store, and transmit sensitive data, it’s no wonder hackers are having an easy time finding an entry point.
By Glenn Day, chief sales officer and practice leader of healthcare, HUB International.
True Story: An employee at one New England medical practice stayed after hours to search patient records for gossip on her neighbor. She found what she was looking for – evidence that the neighbor was seeking psychiatric counseling. She posted it on Facebook. As soon as the clinic discovered what happened, the employee was terminated.
But, the damage had already been done. The practice was named in a lawsuit for failing to properly supervise the employee and safeguard patient medical records. Without cyber coverage, the medical clinic was on their own for legal fees and settlements.
Healthcare data breaches are complex and this story is just one example. It doesn’t matter who the perpetrator of the breach is, the responsibility for regulatory-compliant breach response almost always falls upon the original data collector.
With more than half – or 63% – of healthcare cybersecurity breaches caused by criminal or malicious activity; hacking accounts for 20% and ransomware represents 10% of healthcare breach claims.
Data breaches have also brought new regulations and guidelines to healthcare, like the HIPAA and ransomware guidelines published by the Department of Health and Human Services. The rule requires HIPAA-covered entities that have suffered a ransomware attack to prove thorough a documented investigation that their data wasn’t actually acquired, but only frozen by the hacker.
These forces have contributed significantly to healthcare’s rising data breach costs. According to the Ponemon 2017 Cost of Data Breach Study, healthcare has the highest per capita data breach cost.
Having a robust healthcare cybersecurity policy, and understanding what’s covered and what’s not can help alleviate losses and put your healthcare institution into the driver’s seat post-breach.
Here are seven things you need to know about healthcare cybersecurity coverage:
Developments in technology have had a profound impact on nearly every aspect of our lives. We can hardly get through an hour without tech having an effect on what we’re doing, let alone a full day. From the morning alarm on our smartphones, to the Bluetooth sound system in our cars, to the social media accounts we share everything on, technology surrounds us.
Perhaps one of the aspects that many of us think the least about is how it has utterly transformed the way we manage our healthcare data. The development of electronic health records and, even more importantly, the cloud, have brought about all sorts of changes. Many have the potential to impact our lives in both positive and negative ways depending upon how they are managed.
When it comes to our health data, there is an added urgency in making sure everything is safe and secure no matter where it is ultimately stored. Well managed data can mean a more efficient and effective healthcare service, while mismanaged data can lead to the loss of personal information and an unraveling of the privacy most of us have come to expect in a professional healthcare setting.
Medical Records, HIPAA and the Cloud
In 1996, the United States government passed HIPAA, a landmark healthcare act that helped to create and enforce privacy and data security requirements associated with medical information. The act has since been expanded in an effort to keep up with modern technologies, and nearly everyone involved in the healthcare system is expected to follow the rules. Because of this legislation, one can expect that their medical records will be kept private unless they choose to release them, no matter where they are stored.
Cloud-based data storage and technology provides numerous benefits to the healthcare system including things such as better dataset analysis, improved efficiencies in individual patient care, and a much lower cost. However, it can also lead to a number of concerns, especially when it comes to HIPAA compliance. HIPAA rules not only apply to the medical facilities that are using cloud technology, but also to the tech vendors as well.
Unfortunately, just because cloud technology providers are not exempt from HIPAA rules, does not mean that they necessarily follow them. There is no real certification process and the government doesn’t exactly clear companies to work with healthcare organizations. It is completely up to the healthcare entity and the tech provider to make sure their services are meeting the necessary HIPAA standards.
Loopholes in the System
It may come as somewhat of a surprise to both patients and healthcare providers to learn that there are popular new aspects of medicine and technology that aren’t necessarily covered by HIPAA regulations. For instance, HIPAA does not cover anonymized data such as the data that is collected during genetic testing. Essentially, this allows for a patient’s anonymous information to be shared at will.
Only a few industries require resilient cybersecurity measures like healthcare. Yet, healthcare has a colossal cybersecurity problem. Data breaches continue to plague patients’ private medical records, in spite of their life-threatening conditions, spending large amounts of money, and entrusting financial information.
Healthcare remains a big target for cybercriminals, sitting firmly in their cross-hairs. Just for 2015, IBM reported more than 100 million breaches of medical records. Some organizations commit to privacy no matter what, but healthcare organizations are not keeping pace in adopting and promoting cybersecurity. But why do most healthcare organizations not have the latest cybersecurity tooling? Some of these reasons, we review in this article.
Why Hospitals and Care Facilities Lack of Robust Cybersecurity
The key reason why cybersecurity is not a conspicuous feature in may healthcare set-ups include:
#1 Limited cybersecurity awareness
Most hospitals concentrate on upgrading their medical technology and employing the best medical personnel and peripheral staff. They ensure they save lives more quickly and offer better overall care. While this is a reasonable practice, they soon relegate cybersecurity to the back-burner. The truth is, cybersecurity is a vital complement to these core values and priorities. Most of the time, hospitals can justify their need for an entire IT team, or at worst, a cybersecurity lead. However, directors may not have the necessary information to decide so.
#2 Lucrative healthcare targets
Hospitals are not always to blame, though. There’s an avalanche of attacks on hospitals. It is worth all of an attacker’s time to target a healthcare organization. As highly lucrative targets, these organizations can reveal data on a cast number of people at once. That is why standards are high to keep these organizations from the reach of attackers. But, what do you do when the attacker never quits chasing?
#3 Size of the specific organization
Many healthcare organizations are massive operations. It makes them increasingly vulnerable. Because more people are involved in the system, there are inevitable, more possible points an attacker can exploit. Imagine just one healthcare staff among several thousand falling for a phishing scam. It can compromise the whole system.
#4 Inconsistency with process
It often appears almost impossible to create and enforce consistent security standards and procedures. The reason is that the size of health organizations and hospitals means they may need to operate out of several buildings. Employees may then adhere to varying best practices, and in some cases, use different systems. Thus, it is hard to have a decent cybersecurity posture.
#5 Shared networks in healthcare organizations
Infosec revealed that one primary reason hospitals continue to appeal to cybercriminals is that most hospitals depend on shared wireless networks. Multiple devices on one network mean that one single point of vulnerability is all a hacker needs to access the whole system. It is a ticking time bomb.
Possible Solutions to Healthcare’s Cybersecurity Issues
What then can healthcare institutions and hospitals do to be on par with the latest cybersecurity practices? It turns out there’s so much they have control over:
Most hospitals can begin by adopting more advanced current technologies to protect patient information and keep their systems secure. Advanced software, monitoring systems, and futuristic tech such as biometrics are examples.
A cybersecurity budget is small fry for most healthcare organizations. It is merely a question of how much premium is on it like the infographic at the end shows across several industries. Prioritizing technological security features will add a decent layer of security around hospital operations. While hospitals may commit their entire budgets to cybersecurity, a hire, who knows their onions can promote substantial improvement.
We tend to have a negative view of risk, regarding it as a danger to the business. But, it also presents opportunities to push boundaries. If we reframe risk as a change-maker, then what degree of risk is acceptable? The healthcare industry faces this conundrum at every turn. Whether testing a toxic chemotherapy drug that could be lifesaving, or adopting IoT devices that provide detailed analytics, these advances can all expand the threat landscape.
Unlike testing pharmaceuticals in a controlled lab setting, the world of cyber and its risks are in constant flux. Healthcare data is at the top of cybercriminals’ lists, contributing to a record amount of breached health records in the past year. Full patient medical records are a valuable commodity on the dark web and?sell for up to $1,000?each.
Now, healthcare organizations can’t stay stagnant in implementing protections.
The reality of highly-regulated industries is that compliance mandates tend to govern security operations. But where regulations are cut and dry, risks do not fit neatly into boxes of “high risk” and “low risk.” Instead, risk is on a spectrum that requires a holistic cybersecurity strategy to appropriately prioritize and mitigate risk according to what is deemed as acceptable.
To help healthcare organizations mature security policies and become more comfortable with risk, here are three recommendations for 2020 cybersecurity planning:
By Steeve Huin, vice president of strategic partnerships, business development and marketing, Irdeto.
The Internet of Things (IoT) market is booming, with IHS Markit forecasting there will be 73 billion connected devices in use around the world by 2025. IoT technology has moved beyond speakers and smart fridges and is increasingly being utilized for critical applications across the healthcare industry, such as pacemakers, insulin and infusion pumps and medical imaging systems.
This Internet of Medical Things (IoMT) is subsequently opening up a new world of possibilities to improve upon patient care, while also improving operational productivity and effectiveness. However, as the proliferation of connected and complex medical devices grows, healthcare providers are more susceptible to cyberattacks.
The key challenge is that cyber criminals often operate as businesses themselves and will focus on targets that will provide the greatest return on their hacking investment. Therefore, as the healthcare sector becomes increasingly connected, we could see an extremely costly impact of IoT-focused cyberattacks, if security is not prioritized. Insecure devices, and potentially companion apps, present a variety of risks to safety and privacy in a critical industry such as healthcare.
The IoMT Threat Landscape
Unfortunately, cyberattacks are already an all too common reality for many organizations in the healthcare space. A recent survey by Irdeto of security decision makers in the healthcare, transport and manufacturing sectors, found that 82% of healthcare organizations have experienced an IoT-focused cyberattack in the past year, with 30% of attacks resulting in compromised end-user safety.
IoT devices are often targeted by cybercriminals as they are much easier to compromise than businesses’ more sophisticated perimeter cyber defenses. The problem is that growth in the use of IoT has far outstripped the increase in trained professionals emerging. As a result, healthcare organizations often don’t have the expertise internally to ensure the connected devices they are using within their organizations are secure.
The research also emphasized this point, revealing that only 6% of healthcare organizations have everything they need to tackle IoT cybersecurity challenges, with an urgent requirement for increased skills and more budget for security identified. In addition, the research found that 98% of respondents in healthcare organizations believe the cybersecurity of IoT devices could be improved and one in four manufacturers of IoT devices for healthcare only update the security of devices they manufacture while they are in warranty.
These alarming findings, combined with reported cyber incidents to critical connected devices in the last few years, make for worrying reading. For example, in the last two years we have seen pacemakers recalled to install a critical patch to update firmware against cybersecurity issues, as well as cybersecurity warnings for insulin pumps from the FDA and Health Canada.
Modern technology can be seen as a blessing and a curse, especially when it comes to the technology used in healthcare. Some of the medical technological advancements seen today are astonishing. They are there to improve our quality of life and to make us live longer, healthier lives, but everything good comes with risks. The technology we deal with today is rapidly developing and as it does, new threats are being presented to both doctors and hospitals. Today, we will be taking a look at six technologies currently being developed that could potentially become hazardous in the field of medical technology.
As we become more and more reliant on electronic medical records, the susceptibility of a hospital suffering a cyberattack or struggling because of a network failure is continuing to increase. To reduce the risk of this happening, all hospitals will need to have an extremely complex network security system that is resistant to hackers. They also need to make sure they have back-up files in case they have to deal with network failure.
Telemedicine is the practice of remote patient care, so the patient and the provider won’t be physically present with each other. This modern technology has been developed to enable consultations with patients over easy and robust telemedicine software. Although this is convenient, it may create challenges when trying to ensure the quality of care. If things go wrong, then a lawsuit could be filed for medical negligence. In these cases, a Miami medical malpractice attorney should be contacted.
Recently, there has been a huge development in medical device technology and there is a wide range of medical devices on the market. These wearable sensors are constantly transmitting a vast amount of health information to doctors. This has already been proven to increase the expectations of patients because they believe doctors are constantly monitoring and will act upon this.
The trend in cybersecurity news is to focus on the latest buzz words like artificial intelligence, blockchain, ransomware, denials of service or HIPAA fines. Recent hacks are front page news. Trends also includes the increasing cybersecurity regulatory mandates such as state laws providing private consumer rights (class actions) against offending healthcare providers and their officers and directors. Another hot topic is the dearth of cybersecurity skills.
CISOs and other business leaders responsible for security of ePHI and business continuity are the intended audience and are being inundated with the tornado of cyber security trends—much of which is vendor driven. They’re also being pulled in many different directions internally with competing priorities. At a recent panel discussion of CISOs at Northern California HIMSS’ CXO Summit, one busy CISO described how he is repeatedly added to committees on all sorts of different subjects, some of which he had never heard of.
Whitepapers discussing the “top 10 priorities” or “top 10 trends” are commonplace. They’re usually vendor driven and focus largely on the most prevalent asset type — computers. That is, desktops, laptops and servers about perimeter security or internal threats from user behavior; including training users not to click on suspect emails to prevent phishing attacks.
Overlooking Second Most Prevalent Asset Type — Printers
But no one is talking about, or including in the top 10 lists, the second most prevalent asset type in all healthcare providers’ IT enterprises — their printers. For some reason, networked printers (any device that creates an image, electronic or otherwise, including multi-function, single-functions, faxes, scanners, label printers, etc.) are not perceived as the same risk as other computers, even though in the past few years there have been reported hacks of 50,000 to 150,000 networked printers. Also, a research house exposed that faxes can be easily exploited to hack printers and the corporate networks where they reside.
Why is this trend not hot on the minds of top security professionals? It could be because of the origins of today’s modern business printers as “dummy copiers” or the fact that they are often not procured or managed by the information technology department or visible to the information security department. Or, it could be because vulnerability management, intrusion detection and information security consulting vendors driving today’s messaging do not include printers in their solutions.
Little Known Facts about Print Fleets
Whatever the reason, here are few important facts that you should know about almost all printers in healthcare:
Printers are mission critical to patient care and part of providers’ tier one applications.
Printers are everywhere. There can be as many as one printer to one employee or between 1:6 and 1:10.
Printers are often accessible or visible in public areas and not in protected data centers or offices like many other computers.
They aren’t assigned users like desktops or laptops, or system administrators like servers in data centers.
Printers have built-in security settings, but they are not being set or maintained.
HIPAA requires that all printers be included in the comprehensive risk analysis and cyber hardened for security of ePHI regardless of make, model, age or type.
Printers are shipped and regularly deployed and maintained on networks with factory default settings including published factory default administrator passwords to enable bad actors to take control of them.
Even if security settings on printers are set at time of deployment, they get unknowingly reset back to factory defaults (turned off).
Why Act Now to Secure Printers?
The easiest answer: because it’s the law (HIPAA) and you’re exposing your company to serious and long-lasting financial risk if you are not acting now to secure (and keep secured) all the printers in your print fleet. Also, the fact that other regulations are being regularly enacted that go beyond HIPAA mandates exposing companies to even more severe penalties.
It’s no secret that cyberattacks are escalating, rising in tandem with the growing sophistication of technology. One industry that has taken a massive hit by cyberattacks in recent years is the healthcare industry. The healthcare industry is increasingly reliant on technology and data connected to the internet, such as patient records, lab results, radiology equipment and hospital elevators. Now imagine if a cybercriminal encrypted an entire hospital’s data with a nasty ransomware. Doctors would be unable to pull up a patient’s medical records, or worse, utilize equipment connected to the internet to make a proper diagnosis.
Unfortunately, this is the reality that healthcare industry professionals are facing today. And while 92% of healthcare organizations are confident in their ability to respond to cyberattacks, there is a plethora of malicious activity that poses a great threat to their networks. Here are the main cybersecurity challenges faced by the industry today:
The Rise of Ransomware
You might recall the WannaCry attack of 2017, the ransomware worm that attacked hospitals as well as other industries by exploiting a weakness in Windows machines. This worm infected thousands of computers around the world and threw the United Kingdom’s National Health Service into chaos. This resulted in the Health Care Industry Cybersecurity Task Force to conclude that healthcare cybersecurity was in critical condition.
Why was the healthcare industry so impacted by this cyberattack? Many hospitals struggle to keep up when it comes to upgrading their operating systems due to the sheer volume of devices on the network. However, much of the software in a medical-specific device is often custom made, making system upgrades difficult. Additionally, manufacturers tend to avoid prematurely pushing out modifications that could potentially impact patient safety. For these reasons, medical machines continue to exist with outdated software, putting them at greater risk of cyberattacks such as ransomware.
Lack of Investment
Many organizations within the healthcare industry suffer from a lack of investment in cybersecurity solutions. Despite the number of breaches that occur, healthcare is behind other sectors when it comes to taking security measures. Only 4-7% of healthcare’s IT budget is allocated to cybersecurity, while other sectors allocate about 15% to their security practices. However, the finances associated with a cyberattack if these solutions aren’t put in place can take an even greater toll on an organization. Some hospitals and healthcare insurers see estimates of over $5 billion in costs as the result of cyberattacks on their systems. On top of the costs incurred finding a solution to fix these breaches, healthcare organizations then have to deal with fines from the Department of Health and Human Services Office of Civil Rights.
Securing Connected Devices
With the growing adoption of IoT, more and more devices are being connected and used in healthcare systems. However, as connected medical devices become more powerful and widely adopted, they become greater targets for malicious actors to exploit. According to the Cybersecurity in Healthcare report, over 16% of IT professionals can’t patch their own operating systems, leaving the network wide open for attack. Now imagine if a cybercriminal gained access to just one medical device on the exposed network. This could lead to the theft of sensitive patient data or even unauthorized access to an implanted device that could cause physical harm to the user.