2019 has been a bad year for healthcare security breaches. Over 30 million patients in the U.S. have been affected by data breaches so far this year. The majority of attacks have been traced back to third-party vendors and phishing attacks.
Furthermore, the industry at large is still dragging its heels on adopting the Health Insurance Portability and Accountability Act (HIPAA) compliance regulations and updating technology to combat the latest threats.
Cisco’s 2019 report regarding technology use in the healthcare industry revealed that over 50% of organizations still operate on legacy Windows 7 systems and outdated IoT equipment.
If healthcare providers do not take appropriate measures to safeguard patient information, the number of hacks will continue to climb. Healthcare administrators need to focus on technology upgrades, staff training, network access limitations, and greater accountability with third-party vendors.
HIPAA: Where Cybersecurity Begins for Healthcare Organizations
No discussion on data breach prevention is meaningful without first addressing compliance. HIPAA’s Security Rule outlines what healthcare administrators must do to maintain the confidentiality, integrity, and availability of health information. The rule is designed to prevent problems that arise from data breaches, system failures, or natural disasters.
HIPAA covers vital concerns, such as:
- Patient rights regarding access to their sensitive medical data.
- The role of administration in adopting and executing policies and procedures.
- Physical security measures to protect on-site data, software, and equipment.
- Digital security measures to prevent breaches or unauthorized access.
- Maintaining updated and accurate records of all patients.
Administrators must also establish a risk analysis to assess vulnerabilities and risks to the organization’s infrastructure. The analysis should cover the following:
- data collection
- risk identification
- security measures
- data breach impact
- data breach response.
For instance, an IT team can conduct penetration testing to expose vulnerabilities in a facility’s infrastructure. This type of risk analysis can provide valuable insight into what needs to be done to tighten security.
Last, organizations need to implement technology and strategies such as cloud-based software, data protection, IT outsourcing, and monitoring systems.
Cybersecurity and third-party vendors: Exploiting the circle of trust
In April 2019, Becker’s Health IT & CIO Report revealed that 44% of data breaches occurred as a result of third-party vendor activity or negligence. Third parties heighten risk and create vulnerabilities that often go undetected because they have access to the organization’s infrastructure.
Even the most advanced security technology cannot protect a network once an authorized user is inside. Just last month, the Department of Homeland Security released a scathing report that exposed vulnerabilities in virtual private network (VPN) applications. Remote attackers (i.e., vendors and third parties) can bypass a VPN’s protection once they have been assigned a username and password for a system.
Similar technology, such as intrusion detection systems (IDS), is also limited in its capacity to monitor authorized activity. These systems suffer from lack of scalability, false positives and false negatives, inability to inspect encrypted packets, and susceptibility to crashes caused by malware.
Prevention of data breaches
To prevent data loss and security breaches, companies must consider the following:
- Ensure that all third parties are secure and HIPAA compliant.
- Create a more structured approach to network authorization and access.
- Consider using remote access software or SaaS to monitor all third-party activity and manage authorization.
- Assign usernames and passwords instead of allowing users to assign their own.
- Update usernames and passwords during third-party onboarding/offboarding.
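As an added example (not code from the original article), the access-lifecycle measures in the list above expressed as a review script: it takes a vendor access register and a remote-access login log and flags accounts that are offboarded but still enabled, credentials that were never rotated, logins outside a vendor's engagement window, and logins from accounts that were never registered. The account names, vendors, dates and the 90-day rotation policy are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

@dataclass
class VendorAccount:
    username: str
    vendor: str
    onboarded: date
    offboarded: Optional[date]  # None while the engagement is still active
    enabled: bool
    credential_set_on: date     # date the administrator last issued the password

def review_vendor_access(accounts: List[VendorAccount], logins: List[Tuple[str, datetime]],
                         today: date, max_credential_age_days: int = 90) -> List[Tuple[str, str]]:
    """Flag accounts that break the third-party onboarding/offboarding lifecycle."""
    findings = []
    by_user = {a.username: a for a in accounts}
    for a in accounts:
        # An offboarded vendor must no longer hold a live account.
        if a.offboarded is not None and a.enabled:
            findings.append((a.username, "offboarded but still enabled"))
        # Active vendors use administrator-issued credentials, rotated on a schedule.
        elif a.offboarded is None and (today - a.credential_set_on).days > max_credential_age_days:
            findings.append((a.username, "credential older than policy allows"))
    for username, ts in logins:
        a = by_user.get(username)
        if a is None:
            findings.append((username, "login from account not in vendor register"))
            continue
        # Any login before onboarding or after offboarding is unauthorized activity.
        day = ts.date()
        if day < a.onboarded or (a.offboarded is not None and day > a.offboarded):
            findings.append((username, f"login on {day} outside engagement window"))
    return findings

# Constructed sample register and remote-access login log (not real data).
SAMPLE_ACCOUNTS = [
    VendorAccount("vnd-billing01", "ClaimsCo", date(2019, 1, 15), date(2019, 6, 30), True, date(2019, 1, 15)),
    VendorAccount("vnd-imaging02", "ImagingVendor", date(2019, 3, 1), None, True, date(2019, 3, 1)),
    VendorAccount("vnd-hvac03", "FacilityVendor", date(2019, 8, 1), None, True, date(2019, 8, 1)),
]
SAMPLE_LOGINS = [
    ("vnd-billing01", datetime(2019, 7, 12, 2, 14)),   # after ClaimsCo was offboarded
    ("vnd-hvac03", datetime(2019, 9, 10, 9, 0)),       # legitimate, inside engagement
    ("contractor-x", datetime(2019, 9, 11, 23, 5)),    # never registered as a vendor
    ("vnd-imaging02", datetime(2019, 9, 12, 11, 30)),  # legitimate, inside engagement
]
def run_review() -> List[Tuple[str, str]]:
    return review_vendor_access(SAMPLE_ACCOUNTS, SAMPLE_LOGINS, today=date(2019, 9, 15))
```

Run against a real register and VPN or remote-access logs, the same checks give an administrator a daily list of third-party accounts to disable or rotate rather than relying on the VPN itself to catch misuse.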
Cybersecurity 101: Phishing attacks
In today’s digital climate, nearly every employee in a healthcare organization knows what email spam is. However, few employees know how to distinguish email scams from legitimate work email. Furthermore, employees often use work computers or devices to check personal emails and messages.
JAMA Network Open’s report released in March of this year disclosed two alarming statistics:
- First of all, 14% of workers in the healthcare industry open phishing emails.
- Secondly, the phishing email click rate among healthcare institutions is just over 16%.
In nearly every instance of a successful phishing campaign in 2019, the hackers used phishing to get directly to patient files.
What’s the appropriate response to phishing attacks?
Healthcare entities should respond to the upsurge in phishing attacks, as follows:
- Implement web filters (blacklists, category filters, keyword filters) to prevent employees from visiting an unsafe website.
- Utilize SSL inspection to decrypt, inspect, and re-encrypt traffic to secure (HTTPS) websites.
- Provide ongoing employee training in current cyber and phishing threats.
- Create levels of authorized access and limit computer and device usage.
- Consider outsourcing all IT and security to an agency that provides 24/7 monitoring and instant threat response.
- Implement and update all network security software such as antivirus, anti-malware, VPNs, and intrusion detection.
End-user security: The key to detection and response
Data transmission is never safe. There are three points at which a hacker can access data: the sender, the receiver, or the transit. Thanks to AI and machine learning, advanced technology is getting better at detecting anomalous behavior and sealing user-to-user gaps.
Companies like Cisco, Microsoft, Cylance, Carbon Black, CrowdStrike, and Trend Micro offer end-user security in ways that surpass VPN or traditional antivirus. Cisco’s Talos Security Intelligence and Research Group consists of the industry’s top threat researchers, who create intelligence and share information for Cisco and its partners/clients.
Providers can help healthcare administrators develop security policies and apply the right applications based on infrastructure, security protocols, and organizational models.
End-user security defends against a range of modern cyber threats, from zero-day exploits to more advanced attacks targeted at patients. Most providers offer security packages that include anti-malware/ransomware, data loss prevention/recovery, email encryption, endpoint analysis, and signatureless protection.
Outsourcing IT and cybersecurity: A current trend in healthcare
Healthcare administrators who are restructuring their infrastructure are now considering outsourcing their IT and cybersecurity as opposed to keeping it in-house. Outsourcing offers a range of benefits, such as:
Reducing operational costs
Adding an IT department to a healthcare facility comes with high costs. Expenditures range from hiring and accommodating staff to equipment costs, frequent technology requests, insurance, benefits, and fringe expenses. Outsourcing limits costs to the services and equipment that the provider supplies.
Working with skilled, licensed professionals
Some IT providers work strictly with healthcare professionals. They understand HIPAA compliance, facility needs, common security concerns, and patient privacy. They offer cybersecurity solutions that are custom-designed for the healthcare industry.
Ongoing 24/7 monitoring and response
Most outsourced managed IT companies offer on-site and remote 24/7 help desk services. When the healthcare providers close their doors for the evening, the IT company is still monitoring their network round the clock. Outsource companies utilize advanced technology to prevent hacks before they occur.
However, as with any third party, outsourcing presents the same risks:
- Can the administrator trust the company not to exploit or share patient information?
- Is the IT company certified HIPAA compliant?
- What services and products does the company offer that secure data and prevent disasters instead of responding to them after the fact?
Eyes on the future: Cybersecurity is no longer a choice
No healthcare provider, large or small, is immune from cyberattacks. Every business, from local general practitioners to accountants and massive healthcare networks, is a target for attacks every minute of every day. The goal of most attackers is to gain access to patient files.
2019 may have been the worst year yet for healthcare data breaches. However, experts predict that cyberthreats will only worsen as hackers become more adept at breaking into systems. Therefore, it is incumbent upon providers to protect their devices, hardware, software, internal networks, and, most importantly, their staff and patients.
As is evident with HIPAA regulations, cybersecurity is no longer a choice. It is now a mandate and a primary concern for all who operate in the medical field.