It’s mostly not news to anyone anymore (at least to those within cybersecurity and healthcare circles) that healthcare is heavily vulnerable to cyberattacks. In 2018, the healthcare industry received about twice the number of attacks as other industries.
But what’s worrisome is that this hasn’t really changed. Things don’t look much better in 2020, where cyberattacks and human error have led to millions of exposed records. And that’s only the breaches that have been reported so far.
So why, even with ample proof of the cybersecurity challenges and threats to healthcare, has nothing changed? Why aren’t hospitals, providers, and vendors taking the necessary steps to ensure better security practices and thus better patient confidentiality? Let’s dive into the healthcare industry’s cybersecurity problems and look at some of the solutions to them.
Those in healthcare are very familiar with budgetary limitations. Underfunding has long been an issue for hospitals and clinics in general, but even more so when it comes to the IT department. In the past, very little of the budget has gone to cybersecurity efforts in all but the big hospitals in metropolitan areas.
There is a silver lining, however. According to the HIMSS Cybersecurity Survey, change – while slow – is happening. Healthcare organizations are starting to allocate more of their budget to cybersecurity – although there’s no significant data on how much that may be.
A complex industry
Healthcare systems have a large attack surface and lack security strategies that can deal with this type of structure. Other industries like finance and manufacturing may have robust security strategies in place, but these principles can’t be easily transferred.
The complexity of the healthcare system makes it extremely difficult to come up with succinct defensive cybersecurity policies and procedures. A big part of the problem is the fact that hospitals are a mixed bag of different systems, vendors, and equipment.
Then there’s also the fact that legacy systems are deeply ingrained, and it’s tough to overhaul a system like this while it’s constantly under strain from other factors, which is why no one has been able to do it yet.
One potential solution, given the lack of alternatives, is to use a custodial provider. This would mean medical records are safeguarded by escrow agencies, and third parties (like clinics) would need to request temporary access. Consumer advocates have reportedly been pushing for this change, but an overhaul in an industry of this size is unlikely.
A shortage of qualified professionals
It’s not that healthcare services don’t recognize the problem. They’re fully aware of it and often also of what needs to be done. But execution and manpower are two major hurdles. Information Security and Healthcare Informatics professionals are in high demand but in short supply.
Cybersecurity, in general, is facing a shortage of qualified professionals, and that exacerbates the issue further. Skilled experts are being snatched up by those willing to pay for their sought-after skills, leaving the underfunded healthcare industry further behind.
Poorly managed systems
Healthcare practices, clinics, and hospitals rely on a massive variety of equipment and digital systems. On top of that, there are devices, like smartphones, laptops, and tablets, brought in and used by the staff.
This vast array of devices and potentially vulnerable endpoints can seem nigh on impossible to manage, leaving CEOs and personnel overwhelmed to the point of inaction. But it is imperative that this issue is tackled because hospitals are still very lucrative targets for hackers, and they bank on that. Data breaches in healthcare have not declined since 2010 and cost the industry billions every year.
The only way to tackle something of this magnitude would be to break it down into parts and take it one step at a time.
Hospitals need to start adding security requirements to their discussions and purchase agreements with vendors. They should also make sure to keep firmware up to date, as this often isn’t prioritized. For their part, vendors should notify hospitals of the ways their equipment could be exploited.
Network security is another big issue that can be tackled as a whole. Adding strong firewalls and making use of VPNs can greatly reduce vulnerabilities here. VPNs can also offset some of the risks that come with additional connected devices. But it’s still just as important to implement procedures like strong password policies and two-factor authentication to protect those devices individually.
The bottom line
Those in healthcare face many challenges – cyber threats being only one of them. But it is imperative that cybersecurity starts being treated as a critical division in healthcare practices. Hackers see the healthcare industry as a profitable target – and they’re right. Organizations need to start taking extensive steps towards dealing with security weaknesses.