Healthcare facilities are not without risk when it comes to cyber attacks. The Department of Health and Human Services noted that there was an 84% increase in healthcare-related data breaches from 2018 to 2021. (source)
2022 was an even more troubling year for Healthcare related cyberattacks. Out of any global industry sector, The healthcare industry had the highest increase in weekly cyberattacks in 2022. (source)
Threats will only continue to increase in volume and sophistication. As a result, securing healthcare data is a top priority. As a healthcare facility manager, knowing the ins and outs of healthcare cybersecurity will leave your facility less vulnerable to attacks.
This guide is to provide an overview of healthcare cybersecurity, including but not limited to, terminology, breaches, trends, challenges and prevention.
Cybersecurity Terminology: The Good, The Bad and The Ugly
Healthcare cybersecurity is growing. You need the ability to protect or defend your patients, employees and vendors' online information from cyber attacks.
With the help of the National Institute of Standards and Technology, Glossary of Key Information Security Terms, I pulled together a list of relevant terms healthcare professionals should know.
Breach: A compromise of a company’s security system. This can happen within or outside of an organization. Involves the misuse of data, applications, and network systems.
Cyberattack: An attack on a computer network that disrupts, steals, disables, or destroys the operations of a susceptible organization, resulting in the loss of financial, corporate, and personal information.
Encryption: Algorithms used to protect private data and information.
File Encryption: Encrypting individual files to guard against being read, copied, or deleted by unauthorized people.
Hacker: A skilled computer user who attempts to or gains access to an information system to steal or ransom valuable data.
Internet Protocol (IP): Standard protocol for transmitting data from source to destination in packet-switched communications networks and interconnected systems of such networks.
Malicious Code: Software or firmware that enters network drives and has an adverse impact on the confidentiality, integrity, or availability of an information system. Some examples of malicious codes are virus, worm, Trojan horse, or other code-based entity that infects a host.
Malware: A computer program that infects a system with the intent of inflicting harm on the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.
Passive Attack: This type of attack is similar to eavesdropping because the attacker intercepts data transmission between the claimant and verifier but does not alter the information in any way.
Phishing: Online scam where the hackers send an email that appears to be from a legitimate company. This email usually requests sensitive personal information or directs a user to a fake website.
Recovery Procedures: The process by which information systems and computational capability are restored after a destructive cyber attack or failure.
Risk Assessment: Identifying risks that arise inside information systems. During this process, potential risks are assessed and evaluated in order to create better security networks.
Threat: Any circumstance or event that has the potential to negatively affect computer information operations.
Breaches/Threats: Detection Has Become Vital for the Industry
"Breach", "Hack", "Threat" are terms used interchangeably in regards to digital compromises. The fact remains, no healthcare facility wants to be compromised.
Breach detection has to become a must for your facility, as attackers are not slowing down.
Health IT Security reported on the largest healthcare data breaches of 2022. The list is extensive.
Here are a few healthcare cybersecurity breaches that continue to be a problem for the healthcare sector:
“2.6 Million Individuals across 35 prominent healthcare organizations had their healthcare information stolen,” Reported OneTouchPoint after it had discovered encrypted files on computer systems.
Shields Health Care Group reported another significant breach in 2022, with over 2 million individuals affected. Hackers accessed their systems over the course of 2 weeks and stole information including full names, Social Security cards, billing information, and medical records.
Looking Back at Cybersecurity Threats
HIPAA Journal chimed in with their May 2018 Healthcare Data Breach Report.
"The largest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred more than a year and a half earlier in September 2016, when malware was installed on its server that hosts electronic health records."
The threats are nothing new. The number of healthcare cybersecurity breaches is no doubt on the rise.
The first step to preventing the security breaches that continue to be problematic for the healthcare industry is being aware.
How Hackers Gain Access to Healthcare Facilities [Trends]
There are numerous ways attackers will try and gain access to your data. Some of the standard practices are malware, ransomware and phishing.
1. Malware - Malicious code/software intended to damage computers and computer systems. Malware can include viruses, worms, and spyware.
2. Ransomware - Malicious code that attacks your computer systems. Your data is held at ransom, under the threat that your data may be deleted. In addition, it prevents a user's access to their computer system.
image credit: Christian Colen, Cryptolocker ransomware [cc BY- SA 4.0]Malware is used to encrypt data and demand a ransom (or payment) for the decryption. Of course, it's always good to back up your systems, but most attacks happen without you knowing, and you may only be able to recover some of your data from backups.
3. Email Phishing - Attackers are clever. Phishing is a tool used by hackers to gain access to account data or con you into providing your personal information.
Hoala Greevy, founder and CEO of Paubox; a provider of HIPAA-compliant email services, wrote an article "Don't get phished: 3 email security lessons for healthcare companies". In the article, he identifies mistakes healthcare facilities make that leaves them so vulnerable.
Find out why and how attackers are continuing to target the healthcare industry in this video created by IBM Technology.
Cybersecurity Trends in Healthcare 2023
Reference: IBM Technology. Cybersecurity Trends for 2023.
Is your facility doing all that can be done to tackle the challenges now and in the future?
Challenges From a Healthcare Perspective
Patient information is being shared all over the internet. Here are just a few spaces where confidential information is shared:
- Patient Portals
- Insurance Companies
Think about this...
It's getting harder for organizations to spot when they've even been breached.
Hackers spend 200+ days inside systems before discovery
IBM Security Senior Threat Researcher John Kuhn told HealthITSecurity.com,
“Always backup, have a backup plan, and have backups of these systems. You need to have knowledge of how to restore this system in the amount of time required to not impact someone's health or impact your business at all. And that's where healthcare is struggling a little bit.”
Additional Challenges for the Healthcare Industry
1. Breaches are taking longer to find and longer to resolve.
2. Patient care is always a top priority, so sometimes "security measures are dialed down or updates are delayed so they do not interfere with patient care."
3. The Internet of Things (loT) makes everything a moving target. Nearly every object we know will be connected to the internet. This can make our lives easier but will, at the same time, increase risk.
4. Health Data (Big Data) allows physicians to build better patient profiles and predictive models. However, all the data sharing can be compromised if precautions are not in place.
Gain Control - Plans, Prevention, Safeguards
It's time to gain control of healthcare cybersecurity.
- Identify the Risks - This could be as simple as strengthening and frequently changing your passwords.
- Be wary of Mobile Devices - Different apps on different devices can spell trouble. Therefore, there should be some type of mobile device management. Employees should use their own devices to access their personal emails, etc.
- Know your Data - Keep track of what types of data are flowing in and out of your network.
Organizations must have defined security procedures that address how staff access and interact with the technology in their facilities. Where possible, implementing two-factor identification to further assure privacy is protected adds another level of protection. [source]
Risk analysis should be an ongoing process.
An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data. [source]
The risk assessment should review physical, technical, and administrative safeguards. When potential vulnerabilities are found, covered entities must make applicable changes to keep data secure.
Here are the Top 10 Tips for Cybersecurity:
Highly Functional & Operationally Efficient Heathcare Facility
The healthcare cybersecurity landscape continues to face emerging challenges. As technology continues to grow, so will cybersecurity attacks. Medical identity fraud usually takes longer to detect than other types of fraud. And unfortunately, cyber attackers are becoming extremely savvy in their attack approaches and use of malware.
Healthcare facilities need to take action to protect themselves. Prevention is worth the alternative. In today's high-tech, high-pressure industry, healthcare facilities are faced with more than just online scares.
Healthcare infections, environmental pollutants and emergency preparedness are just a few on an exhaustive list. Behind the scenes are the medical gases and the systems used to sustain life.
As in cyberattack prevention, there is much scrutiny over the use of medical gases and ways to prevent failure or, in extreme cases, death. Your medical gas systems need to be inspected annually.
Adhering to proper maintenance standards will allow your facility to avoid unnecessary risks and delays. Reliable medical gas and vacuum systems are at the crux of patient care and safety. The ongoing maintenance of medical gas systems is essential for patients.
A hospital or healthcare facility must assess risk based on risk to the patient.
Here's what I mean...
Risk based assessment assigns a value to each asset by their use and their potential to be harmful to the patients or staff. For example, an oxygen outlet in an emergency room would have the highest urgency while the outlet in the storeroom would have the lowest priority. [source]
The categories are subsequently defined by threat.
For example, Category 1 would need a highly functional system; failure may cause death or severe injury. In Category 4, patients are not adversely affected
Safety and security requires consistent and dedicated monitoring. A healthcare facility’s cyber security and medical gas systems should require ongoing testing to cultivate stable and resilient systems.
If you have questions concerning the best ways to keep any medical gas system working at its optimum rates, contact your CHT representative.
Medical gas testing, software and inspection will provide a safe, cost-efficient hospital. More than ever, organizations must develop effective risk management strategies.