The fine line between security and efficiency for hospitals

In light of the recent Merck hack, there is growing concern that the healthcare industry is particularly susceptible to cyberattacks. Hospitals track a lot of sensitive data, including medical records and PII (personally identifiable information).

There is also the need for an open flow of data between healthcare facilities and insurance providers, and between doctors and patients. This data is an appealing target for hackers, and the attacks have already started, both in the U.S. and around the world.

While it’s clear that hospitals must secure their systems from threat actors, it’s incredibly important that they don’t impede the systems with unwieldy methods of security that could frustrate staff and patients. When a security process becomes cumbersome, it is inevitable that authorized users attempting to access records and files will seek workarounds or shortcuts, creating loopholes that hackers can infiltrate – ultimately defeating the point of security altogether.

Why Are Hospitals So Susceptible?

While it’s true that every industry is at risk of being attacked, hospitals tend to be more susceptible because they are widely considered to be laggards compared to other industries like finance and government. While cyber-attacks on those industries can cause significant damage, an attack on a medical facility could be even more disastrous.

For instance, a system shutdown resulting from ransomware wouldn’t simply be inconvenient. It could prevent necessary surgeries from taking place, disrupt emergency services, and even interfere with life-saving IoT-connected medical devices like IV drips or pacemakers. These are particularly vulnerable because they are remotely maintained and updated, and a hacker could shut them down and put patient lives at risk.

Examples of Hospital Hacks

Hospital hacks are not just theoretical; several recent examples demonstrated how a cyber-attack can disrupt their daily operations. The most notorious was the massive May 2017 ransomware attack that completely shut down more than a dozen healthcare centers across the UK. Staff in 16 hospitals saw a chilling message when they tried to access their computers – they could only open files if they paid a ransom of $300 in bitcoin. This led to entire systems being frozen, with the inability to access medical records resulting in waves of canceled appointments. While urgent surgeries were kept on track, at least one hospital made the decision to reschedule elective ones.

These attacks have also happened in the U.S. Two hospitals in Pennsylvania were affected last summer when the healthcare network that runs them fell victim to the worldwide NotPetya ransomware attack. According to a local news station, some surgeries had to be postponed and lab and diagnostic offices were closed due to the attack. In addition, facilities in California, Maryland and Kentucky were affected by ransomware attacks in 2016, leading some to turn patients away.

A Treasure Trove of Data

In the past few years, most hospitals have updated their legacy systems to go digital and reduce reliance on paper records. The U.S. government allocated billions of dollars to incentivize and promote electronic health care records, leading to industry-wide adoption. According to the Office of the National Coordinator for Health Information Technology, less than 10% of hospitals used a basic electronic record system in 2008. However, by 2014, that number had jumped to 96.9%.

While this has been a boon for efficiency, it has also left sensitive information highly vulnerable. Hospitals are (rightly) focused on ensuring medical care for all patients – security and IT are not normally a top priority. However, they also store mountains of data; medical records alone include a patient’s medical history, social security number, date of birth, address, close family members, and more. Hackers can use this data to commit identity theft or fraud, opening myriad accounts under somebody else’s name or simply selling the information to the highest bidder. The Dark Web is a prime place to buy and sell identifying information, which can fetch hundreds of dollars per record.

This is especially troubling for high-profile patients, like celebrities. To protect patient privacy, there are strict access rules on who can view medical records. If hackers were to gain access to the records of a well-known individual, they could demand payment to keep his/her private information out of the press.

Finding the Balance Between Security and Efficiency

It’s clear that hospitals must invest in comprehensive cybersecurity solutions to protect patient data and their own reputations. However, this can often mean employing layers of security solutions without the right integration, which can create a burdensome and slow system that frustrates both staff and patients.

If it’s too difficult or intrusive, people will end up circumventing it and creating security loopholes, which enable hackers to infiltrate a system. Instead, centralized security is the best option for hospitals. This means that whichever solutions are implemented, they must be run in ‘stealth mode’ – filtering, analyzing and securing in the background while files are sent and received. Hospital portals with contractors are especially vulnerable, because multiple lines of communication are established with a variety of different companies and access is granted much more freely. These portals must be secured to limit the avenues through which hackers can infiltrate systems.

While security is crucial, hospitals must make sure not to simply rush to update systems or pick any solution under the sun. Finding a solution that ensures a good user experience and efficient data exchange is crucial. Some tips for finding a balanced solution include:

• Look for a centralized solution which will handle the entire data access and usage life cycle
• Ensure the chosen solution can integrate with your existing security infrastructure, with emphasis on data leak prevention (DLP) and anti-malware solutions
• Ensure it complies with regulations such as HIPAA
• Ensure it monitors and audits all actions
• Pick one that is transparent to all users
• Ensure the chosen solution supports role-based management and separation of duties
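As an added illustration of the last three items (auditing every action, role-based management and separation of duties), here is a small access-control model for patient records. It is constructed for this article, not code from the author or any vendor product; the role names, permissions and patient ids are assumptions.

```python
"""Role-based access to patient records with a separation-of-duties rule and an
append-only audit trail. Constructed example; roles, permissions and record ids
are assumptions, not taken from any real hospital system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permissions. A contractor reached through a portal gets only the narrow
# billing scope and never clinical data. Constructed policy.
ROLE_PERMISSIONS = {
    "physician": {"read_clinical", "write_clinical"},
    "nurse": {"read_clinical"},
    "billing_clerk": {"read_billing", "request_export"},
    "export_approver": {"approve_export"},
    "contractor": {"read_billing"},
}
# Separation of duties: nobody may both request and approve a bulk export.
CONFLICTING_ROLES = {frozenset({"billing_clerk", "export_approver"})}


@dataclass
class AccessControl:
    user_roles: dict = field(default_factory=dict)  # user -> set of role names
    audit_log: list = field(default_factory=list)   # append-only decision records

    def assign_role(self, user, role):
        """Grant a role, refusing combinations that violate separation of duties."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        for held in self.user_roles.get(user, set()):
            if frozenset({held, role}) in CONFLICTING_ROLES:
                raise PermissionError(f"{user} cannot hold {role} together with {held}")
        self.user_roles.setdefault(user, set()).add(role)

    def authorize(self, user, action, record_id):
        """Decide whether user may perform action on record_id; log every decision."""
        roles = self.user_roles.get(user, set())
        perms = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
        allowed = action in perms
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record": record_id,
            "decision": "allow" if allowed else "deny",
        })
        return allowed

    def denied_events(self):
        """Denied attempts are what a reviewer would look at first."""
        return [e for e in self.audit_log if e["decision"] == "deny"]
```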

Over the past few years, hospitals have made significant leaps in improving efficiency by digitizing their records, but they’ve lagged in securing them. While other industries can weather a cyber-attack, hospitals hold people’s lives in their hands and should thus ensure that security is both effective and efficient.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
