So far, hundreds of healthcare organizations have reported breaches to the U.S. Department of Health and Human Services. Some of the largest were reported by Optum 360, whose breach affected 11,500,000 individuals, and the Laboratory Corporation of America (LabCorp), which reported that its breach affected 10,251,784 individuals (up from original estimates of 7.7 million patients).
LabCorp’s breach is notable because, aside from the number of customers affected, the company attributed it to the American Medical Collection Agency (AMCA), leading that organization to admit that names, phone numbers, birthdates, and other information had indeed been compromised, dating back to the middle of 2018.
A sample of healthcare providers, health plans, and business associates with data breaches affecting between half a million and more than a million individuals includes Iowa Health System, Employees Retirement System of Texas, UW Medicine, Women’s Care Florida, and Georgia Department of Human Services. These breaches usually take the form of hacking/IT incidents and unauthorized access/disclosure.
“The healthcare industry is being increasingly targeted by cybercriminals, who seek to access the wealth of private patient information that is stored on company networks,” said Gary Salman, CEO, Black Talon Security.
“Hackers know that healthcare companies have critical personal data, including patients' Social Security numbers, driver's licenses, insurance cards and other information that can be used in identity theft or sold on the dark web.”
The biggest cybersecurity threat facing the healthcare industry right now is ransomware attacks. “Hackers often use ransomware — a type of malicious software that will block access to the company's computer system until a ransom is paid to the hacker — to earn monetary compensation from healthcare providers,” explained Salman.
You might think that healthcare organizations would be off limits to these digital hostage tactics, but the critical nature of their business, along with vast patient databases, makes them lucrative targets.
“What began as a systematic approach to target large healthcare networks quickly evolved into volume-based efforts targeted at local and regional providers — organizations and individuals that are not as likely to have the same systems or resources in place to address this threat,” explained Thomas Johnson, chief information security officer at ServerCentral Turing Group.
The second biggest threat facing the healthcare industry is malware. “This is also a threat that comes in the form of software specifically designed to damage, disrupt and access the computer system without authorization,” said Salman. “Hackers also often utilize phishing campaigns which target individual employees using deceptive email addresses.”
In this scenario, cybercriminals will send what looks like a legitimate email or one that appears to be coming from a familiar address. “If employees click on links or attachments within these emails, they can immediately give hackers access to the entire network.”
But that’s where your firewalls and antivirus software can protect you, right? Not so much. “As cybercriminals become more sophisticated, defensive measures such as firewalls and antivirus software are no longer enough to protect networks (which include computers, printers, and other connected smart devices),” Salman said.
Further complicating this issue, he said many healthcare professionals don’t know that cybersecurity awareness training is a component of HIPAA (Health Insurance Portability and Accountability Act) compliance.
That’s why Johnson believes the second biggest cybersecurity risk facing the healthcare industry right now is people. Even when the staff at healthcare providers and payers are fully trained in information management and data security practices, he said there’s still a problem: the policies aren’t enforced because they slow down the process of providing service.
“They find it easier to just move personally identifiable information around without thinking about the implications of doing so.”
But it’s not just employees. “The second part of the people risk factor involves patients/customers who maintain and/or share personally identifiable information via unsecured channels,” Johnson said.
Admittedly, just trying to keep up with advances in technology can be overwhelming. “The growth in IoT technologies has led to a major new attack surface comprised of network connectable medical devices, middleware and other enabling technologies,” said Anura Fernando, chief innovation architect of Medical Systems Interoperability & Security at Underwriters Laboratories (UL).
“This, coupled with a surge in the use of data-intensive technologies such as artificial intelligence, machine learning and augmented reality, has led to supporting services like cloud computing, making it increasingly difficult for healthcare IT system administrators to effectively track all of the assets that could be implicated in attacks,” he said.
“Also, the components used in healthcare technologies are becoming one of the biggest concerns, as the number of supply chain attacks continues to rise.”
Reducing, if not completely eliminating, these threats
As they used to say on one of my favorite cartoons (G.I. Joe: A Real American Hero), “Now you know — and knowing is half the battle.” That’s why education is critical, according to Johnson. “In order for these threats to be mitigated, you have to start with the people involved in the value chain.”
Technical threats, such as Distributed Denial of Service (DDoS) attacks, are relatively easy to mitigate because they have clear indicators.
Social engineering, ransomware and similar threats, however, are not as easily detected, he said, and defending against them depends on the people involved in the process. “While it is easy to throw even limited IT budget at technical solutions, the critical success factor is education and policy enforcement/compliance,” Johnson said.
But the fix isn’t only about employees. Fernando believes that healthcare companies need to improve communication of cybersecurity issues between vendors and purchasers. “This is particularly true of component vendors to medical device manufacturers, as we have already begun to see fairly significant improvements between medical device manufacturers and some hospitals,” he said.
Beyond medical devices and health IT, hospitals should evaluate the interconnectivity of their infrastructure systems. “For example, backup generators, elevator controls, and entertainment systems can all be indirectly interconnected, and hackers have many ways to get from one system to another.”
If you can identify attack vectors, you can systematically minimize those attack surfaces. “But like crime of any sort, the bad actors are always looking for new ways to ply their trade, so security researchers, test labs, medical device manufacturers, component vendors, technology service providers and healthcare providers need to build stronger relationships to try to keep pace,” Fernando said.
It's important to understand that your IT team can’t do everything. Salman recommends bringing in a cybersecurity company to do the following:
- Audit and assess current network security protocols.
- Provide quarterly vulnerability scans of the network.
- Train employees with access to the computer system.
- Conduct penetration testing by posing as "ethical hackers" who attempt to break into the network to identify any weak spots.
The results of the audit can be shared with the company’s IT team to coordinate protective measures.
However, John Sculley, former CEO of Apple and current CMO and chairman at RxAdvance, believes the problem is that the healthcare industry is at least a decade behind other industries.
“While everyone is enthusiastic about blockchain, adopting it is not the issue, since healthcare is a highly regulated industry; instead, it’s getting the proper foundations in place that’s slowing adoption overall,” he said.
“Once adopted, blockchain's ability to create an unbroken chain of data entries from point of origin to transaction completion, and secure that data through cryptography, offers a huge advantage for privacy.”