It’s no secret that healthcare is a lucrative target for hackers around the world, with increasing levels of cyber-attacks on healthcare organizations, despite greater awareness and tighter security measures.
The last 10 years of technology in healthcare has focused on the electronic medical record, allowing disparate systems to connect. I believe the next 10 years will be about ensuring the data that has been collected and stored in the cloud is being used in a secure and meaningful way. With 69% of healthcare organizations planning to move more sensitive data to the cloud, security and privacy regulations must be the highest priority for healthcare and their IT systems over the next decade.
Talking to the Healthcare Security and Privacy Forum in Los Angeles recently, the discussion turned quickly to the mounting importance of protecting healthcare data, staying one step ahead of the hackers.
Stolen healthcare information can be used for a variety of gains: identity theft, insurance fraud, extortion, or even market manipulation. "Stealing" information that indicates a public figure or celebrity has mental health issues, a sexually transmitted disease or a medical condition, could be used to harm or for blackmail. Likewise, imagine if Steve Jobs' cancer diagnosis had been stolen and leaked before he was ready to announce. An attacker could have stolen that information, shorted Apple stock, then leaked the cancer information to the media; while the stock plummeted, the attacker would have made a lot of money until Apple was able to recover.
Healthcare organizations, while under fire, have been improving their cybersecurity posture over the last few years. Many have hired cybersecurity professionals from more mature industries, like financial services; most are working to adopt strong frameworks such as ISO, NIST, and HITRUST to evaluate and improve cybersecurity controls, including security awareness training for the healthcare workforce. One recent study indicates more than three-quarters of healthcare organizations are planning to increase spending on cybersecurity this year.
Some of the most important steps healthcare organizations can take in data security and protection are to start with the security basics:
• Know what’s on your network – There are tools that will help identify the current inventory of devices on the network, and notify when new devices are added, providing the visibility to understand what’s on the network, what those devices are sending, and whether it’s appropriate.
• Apply patches and software updates – Implementing incremental patching and software version releases are critical to preventing breaches from opportunistic attackers. For instance, Orion Health Rhapsody customers are strongly encouraged to upgrade to the latest version to ensure the highest levels of security are implemented
• Apply least privileged access – Access to sensitive and critical data assets should be based on need to know, and users with access should only be able to see what’s necessary to do their jobs. Access should be removed automatically when no longer needed.
• Train users to avoid and report attacks – Security Awareness campaigns are an inexpensive way to reinforce your defenses by providing your employees with the means to recognize and report suspected attacks, like phishing and malware.
• Engage a trusted partner – Outsourcing data processing to a trusted partner with a strong cybersecurity program and controls can provide assurance that your data is safe, while freeing your own employees to focus on other business priorities.
The 2018 Cloud Security In-depth Report by Netwrix shows 55% of healthcare organizations rated their own employees as the biggest security risk. In fact, according to the recently published Verizon PHI Data Breach Report, 58% of healthcare data breach incidents involved insiders, the highest percentage of insider threat in any industry.
This shows the importance of educating end-users and ensuring the highest security in authorizing and authenticating access to health data. For example, healthcare professionals who need to access a patient's electronic health record through a clinical portal should be following a protocol to ensure the information is only accessed by those who have permission to view it. Access to health data should be restricted to authorized staff, and this access should be reviewed frequently. The system should employ multi-factor authentication (MFA) and access control lists for administrative access to the system.
Healthcare information breaches are happening on a daily basis, and attackers aren’t likely to stop their attempts to steal such valuable information. Starting with basic security controls will provide a strong foundation for any security program, and position organizations to more adeptly address emerging cybersecurity risks and threats.
Marnie Wilking is the Chief Information Security Officer at Orion Health.