As COVID-19 cases push hospitals around the country to their limits, medical facilities are facing challenges beyond sick patients. Long hours and an uptick in cyberattacks are putting serious strain on existing cybersecurity defenses. Without the right practices, these defenses may fail, exposing patient and hospital data to hackers and cybercriminals.
Here is why security remains key as the coronavirus outbreak grows more severe — and how hospitals can rise to meet current cybersecurity challenges.
Why Healthcare Data Security Remains Important
While cybersecurity may seem overshadowed by other healthcare concerns, the current crisis makes hospital data security more essential than ever.
Many hospitals and health systems are currently expanding or introducing COVID health data collection programs to get the information needed to combat the novel coronavirus. Many of these same systems are also ramping up data-sharing between institutions to ensure that medical providers around the country have the best possible information to work with.
New operating conditions — like hospitals that set up tents in parking lots to expand their number of available beds — have also changed how hospital systems, like electronic health records, are used and secured.
At the same time, hackers are stepping up their operations and trying to take advantage of the chaos. Security researchers have already noticed a serious rise in attacks like phishing emails, as well as new malicious health tracking and COVID-19–related apps.
Current stress on staff may make hospitals more vulnerable to hacks. Cybersecurity professionals were, on average, overworked before the crisis began — an issue that has likely gotten worse as the crisis has progressed. Doctors, nurses and hospital administrators are working overtime, and organizations are bringing on new workers to manage the increased need for professionals. Existing staff may struggle to keep up with good security practices, and new team members may not receive the full training they need to keep data safe.
New information collecting schemes are critical for medical providers — but if the data they collect isn’t secured, it may also put a lot of patients at risk. This patient information may not seem like the most valuable target for hackers — but health data is actually widely sought after by cybercriminals. These hackers use health information, along with other personal information, to construct comprehensive identity packages about individual patients.
What Hospitals Can Do to Handle Security
There are steps hospitals can take to ensure that patient and hospital data stays as safe as possible — even while the staff is under immense pressure.
During the crisis, operational security will become more critical. Doctors, nurses and hospital staff should be highly aware of what they are sharing on social media. Personal information should be kept private, and employees must take note of any information in the background of the photos they take. A cybercriminal scouring the posts of doctors and hospital workers may find what they need to break into a network — like a password taped to a monitor.
Advancements in medical device technology has allowed for services, initiatives and changes in healthcare delivery to evolve at a break-neck pace. Smartphones are increasingly integrated into patient care planning, providing internet connectivity to share data to healthcare delivery organizations (HDO), doctors and researchers. It is unfortunately also true that as the medical treatment landscape has evolved, it has been challenged by cyber-attacks. While shows like Homeland have portrayed the vice president’s wireless pacemaker introducing a vulnerability that can be used in an assassination attempt, individual patient harm is not the common scenario HDOs and patients face.
Instead, as a recent report from Positive Technologies indicates, healthcare hackers seem motivated to seek sensitive information and control over a system, compared to stealing financial information, or even money. How does this motivation impact a defense strategy in the already complicated healthcare ecosystem?
Location of care delivery
Let’s begin by understanding the volume of the situation. The average hospital bed has 10 to 15 devices connected to it. With the American Hospital Association count of hospital beds above 6,000 in 2019, this is in the frame of 900,000 devices inside U.S. hospitals. These devices often have Bluetooth or wireless capabilities. An adverse player in the ecosystem can potentially exploit this connectivity with the intention to expand into the HDO network, hospital/device database or elsewhere.
Healthcare has been shifting outside of the HDO to accommodate increasing costs in care delivery, remote patient geography and to accommodate populations that are unable to access an HDO on an ongoing basis. These changes have been great for patients and providers, enabling ongoing monitoring of patients even when they’re not in the HDO. But it also means that some connected devices operate outside of the secured and monitored HDO network, while sending data back to providers within the HDO network. The introduction of these connection points also serve as the introduction of additional threat vectors that need to be managed.
Types of data available
It’s not immediately obvious what data used in clinical care could be used by hackers to elicit monetary benefit for themselves. The idea of a blood pressure or ECG reading doesn’t exactly bring dollar signs to mind.
HDOs and care providers regularly obtain patient social security numbers (SSN), which can be relevant for billing purposes, or in an attempt to share data between HDO systems. This same data can be used by a malicious actor to commit requests for loans, prescriptions or insurance claims, open bank accounts, perform online transactions and even file taxes or claim rebates. Imagine the SSNs from a pediatrician’s office being sold and the fraudulent activity going undetected for a prolonged period, or the SSN of a deceased person that can be used with zero concern for active monitoring by the individual.
Records can also include communication methods for patients, such as email and phone numbers, which can be used for spreading spam/malware with the intention of running phishing campaigns. This is to say nothing of personal distress that can be introduced if patient medical conditions are known by individuals without the patient’s best interest in mind.
Individuals who use commercial trackers to identify fitness patterns and metrics to discuss with providers have intentions of bringing more data to a potentially difficult diagnostics. However they are also capturing information that can be correlated to determine physical location. The army base location that was disclosed because of GPS-related workout data demonstrates how different types of information can appear unrelated, yet end up unintentionally giving something crucial away.
Guest post by Dave Willsey, CEO and co-founder, Integrify.
Data security is a top concern of every healthcare provider today. And for good reason. A recent news story from The Wall Street Journal reported that healthcare is “frequently cited as one of the industries most exposed to cyberattack due to large networks with numerous access points and vulnerable, legacy computer systems.”
If there is an industry more vulnerable to hackers today than healthcare organizations, you’d have to search far and wide to find it. Healthcare hacking is a growing problem. It is a trend that will not change course anytime soon.
Unfortunately, hospitals and other providers present a target rich environment for criminals and malicious hackers. And, to make matters worse, a recent study by researchers at three leading universities concluded that additional threats are coming from within “the house” as clinicians and other staff are taking shortcuts and finding workarounds to security measures in an attempt to deliver better patient care.
The federal government response to this growing threat is two-fold: mandatory reporting of data breaches and financial penalties that sting when violations of protected health information occur.
When it comes to reporting and ensuring continuous improvement to guard against future risk to data security, the number-one best practice today is a well-conceived, executable and automated incident response plan (IRP).
The good news is seven-in-ten providers have an IRP in place. The not-so-good-news is most of those plans are based on manual, labor intensive, error-prone processes. What’s needed to step-up the game for healthcare providers is an automated IRP workflow process. Automation is the only way to protect your data as the threat continues to evolve in the future.
Secure data and information is the chief reason to automate IRP workflow. But ROI is another major business driver to invest in automation. Here’s why – you’ll get quick payback from more accurate information about threats and breaches sooner in the process before they get out of hand; your teams will be able to execute with rapid response times that lead to fast resolution when compared to manual processes; and, finally, automation will bring your leadership team and other key stakeholders a unique capability to apply analytics and intelligence to support and measure continuous improvement in critical processes against future threats.
Automated IRP can provide all users with a simple incident reporting tool across the healthcare ecosystem – if a doctor or nurse or someone in the pharmacy formulary, for example, notices a potential security issue, that user can immediately trigger an automated IRP process. This action would notify the front line responder teams who can then escalate a response if needed.
Effective incident response planning addresses three key areas – people, process and data. With people, it’s very important that the roles of each person handling patient data are well identified and this would include all clinical staff, billing and administrative personnel, insurance agents, IT personnel, outside vendors, contractors, and others.