'Healthcare is ground zero for cyberattacks': 5 thoughts from CHIME's Russell Branzell

Thousands of cyberattacks — some successful and others detected and prevented — are carried out every day across every industry. In the digital world of healthcare, vulnerability to such attacks is greater than ever. During the American College of Healthcare Executives' 2016 Congress on Healthcare Leadership, Russell Branzell, president and CEO of the College of Healthcare Information Management, outlined key cybersecurity concepts for healthcare leaders to know.

Here are five takeaways from Mr. Branzell's presentation.

1. Why healthcare is a prime target for cyberattacks. The medical information compromised during a cyberattack commands a high value on the black market. "A financial identity can be worth anywhere from $1 to $3," said Mr. Branzell. "A medical identity can be sold for $7 to $10. Healthcare is ground zero for cyberattacks."

Additionally, a medical identity, once stolen, has the potential to be used for years before the perpetrators are caught. The value of medical data, coupled with healthcare's tendency to overlook the importance of cybersecurity, makes the industry ripe for these attacks.

2. The main threats. The faces behind cyberattacks can belong to anyone. "They aren't coming to the front door with a gun and saying 'I am going to rob you.' They are far smarter than that," said Mr. Branzell. The main threat actors include:

•    Organized crime groups
•    Hacktivists
•    Cyberthieves
•    Malicious insiders
•    Careless insiders
•    Busy insiders
•    State actors

While financial gain is the most obvious motivation behind healthcare data breaches, the end-game can range from identity theft and embarrassment to espionage and extortion.

3. Top healthcare security risks. While high-profile cyberattacks may garner the lion's share of media attention, there are a number of other significant security risks in healthcare. Theft, fraud and loss of medical data cost billions of dollars each year, and nearly 15 percent of all documented attacks are carried out by insiders, according to Mr. Branzell. Additionally, many hospitals and health systems become vulnerable to attack due to unintentional errors made by insiders.

Healthcare employees accidentally leave laptops unattended, only to find they are stolen. Organizations may not have an accurate inventory of all the devices storing protected health information. Risk expands beyond a hospital's own walls and network, as well. Vendors have access to healthcare data, but are they held to the same security standards?

Nearly everything in healthcare is connected to a network, including medical devices, and these devices are particularly vulnerable to breaches. "Medical devices can easily be hacked into," he said. "[This] may be the most critical weakness in your health system."

Attacks come in many forms — spear phishing, trojans and malvertising being some of the most common — but regardless of the mode, healthcare's defenses are not keeping pace. "We are never going to get ahead of the bad guys. We are just trying to shorten the gap," said Mr. Branzell.

4. Barriers to security measures adoption. Effective cybersecurity is complex and expensive. The major barriers healthcare providers face when working to adopt and maintain security practices include:

•    Volume and expanding types of threats
•    Too many software applications, devices and network touch points
•    Lack of qualified personnel
•    Lack of financial resources
•    Lack of cyberthreat intelligence
•    Lack of effective tools

Additionally, the CISO position, entirely dedicated to security, is still underutilized in healthcare. Even healthcare organizations that do have CISOs face budgetary issues. "Even if you have the smartest CISO, you are probably underfunding [him or her]," said Mr. Branzell.

5. Minimizing risk. While it is no longer a question of if a breach will happen, but a question of when, there are ways to reduce the risk. Here are eight actions healthcare providers can take, according to Mr. Branzell:

•    Increase awareness of major threats
•    Implement data exfiltration controls
•    Enhance user education and accountability
•    Put in place vendor security management
•    Implement risk assessment and management programs
•    Improve detection and reaction capabilities
•    Manage long-term challenges around medical devices
•    Plan ahead for possible incidents


© Copyright ASC COMMUNICATIONS 2018.

 
