The Center for Medicare and Medicaid Services (CMS) found that, in 2019, the U.S. spent 3.8 trillion dollars on healthcare, accounting for 17.7% of the nation’s GDP. Despite this high intake, a study from Becker’s Hospital Review found that only 5% of healthcare IT budgets are dedicated to cybersecurity.
Combining those two statistics — coupled with the fact that personal health information (PHI) is vastly more valuable than personal financial data — leads to a question that carries serious consequences with it. If the healthcare industry is so lucrative and the data it possesses is so valuable, why aren’t more resources devoted to guarding it?
The answer isn’t as simple as a linear comparison between investments and IT budgets, but that doesn’t change the fact that healthcare data is dangerously exposed, and more must be done to protect it. Phishing, malware, and other cyberattacks target healthcare and pharmaceutical companies every day and are responsible for more than 5.6 billion dollars in losses each year.
While the battle against cybercriminals will always continue in one form or another, the healthcare industry must still take full advantage of the cybersecurity measures available to protect themselves and their patients to the best of their ability.
Cybersecurity in Healthcare: Growth and Root Causes
Understanding why the healthcare industry has become so vulnerable to cybercrime requires a survey of the healthcare landscape as a whole — and a glance is all it takes to see why healthcare facilities are a prime target for cyberattacks. A few of the reasons behind this include:
- PHI value: Research shows that personal health information is 20–50 times more valuable than personal financial information, and for a good reason. Because customers quickly report lost or stolen cards, financial data typically has a short shelf life. Meanwhile, breaches in healthcare systems can take up to 18 months to detect, giving cybercriminals more time to capitalize on the data they acquire. PHI also enables cybercriminals to commit medical fraud, obtain narcotics, and gain valuable financial information. This is why the average hacker spends up to $250 per PHI record, as opposed to $5.40 for financial records on the black market.
- Legislation: The Health Insurance Portability and Accountability Act (HIPAA) implemented multiple regulations to require the safeguarding of personal health information. The Health Information Technology for Economic and Clinical Health Act (HITECH) provided incentives for transitioning patient data onto digital records and charting systems. As a result of these policies, an increased emphasis has been placed on shifting healthcare systems towards network-connected digital records, which are vulnerable to hackers.
- Technological trends: Electronic devices as a whole are shifting towards network connectivity, so it should come as no surprise that medical devices are following suit. Pacemakers, IV pumps, ventilators, electronic charting systems, and even facility HVAC units are all becoming integrated into a broader Internet of Things ecosystem, leaving an unprecedented number of devices vulnerable to attack.
- Outdated systems: Technology evolves quickly, and as network-connected devices are phased out by updated versions with newer security safeguards, patches and updates for their legacy counterparts are often neglected, even if the device is still in use. As a result, legacy systems are left without the upgrades required to keep them safe from digital predators.
- Vulnerable vendors: As with physical security systems, cybersecurity infrastructure is only as strong as its weakest link. As such, a healthcare facility may be taking effective measures against cyberattacks, but associates like vendors or device suppliers who have higher data privileges can be used as an access point if their own systems are left exposed.
- Telehealth: The CDC reported a 50% increase in telehealth visits over the first quarter of 2020 relative to 2019, marking a significant rise in online medical visits. Much of this increase is due to the COVID pandemic, but telehealth uses are not expected to drop any time soon. Telemedicine presents new opportunities for expanded patient care. However, the practice’s side effect is that more PHI is transmitted across multiple devices than before, affording cybercriminals more chances to gain valuable patient data.
- Budget and focus: While many factors have led to lagging cybersecurity in healthcare, the most basic is the reality that the healthcare industry is already tasked with various burdens, all of which require resources and attention to solve. Much of a healthcare company’s budget (rightly) goes to improving patient care, and often little time or emphasis is placed on penetration testing or data encryption. Simply put, many healthcare companies don’t have the time or budget to focus on cybersecurity adequately.
Although the above list is not exhaustive, it shows that a combination of policy, economic, and technological factors has created both a high demand for PHI data and ample opportunity to attack it.
Cybersecurity in Healthcare: Threats
Although cybercriminals are continuously developing innovative means of breaching security networks, their most effective tactics are also their oldest. Let’s take a look at a few of the most common hacking schemes so you can keep your organization from falling prey to them.
Malicious Network Traffic
According to the cloud-based cybersecurity firm Wandera, malicious network traffic is the most common form of cyberattack against healthcare providers. Affecting 72% of all organizations, this cyberthreat gains remote access to a healthcare system’s network via an app or a website that demonstrates black hat behavior, like downloading keyloggers, viruses, or other malware.
Phishing
Perhaps the oldest form of cyberattack, phishing is the practice of sending out massive amounts of emails that appear to be legitimate in an attempt to lure recipients into entering personal data and sensitive information. Frequently, these attacks come with urgent appeals or promises of reward to prey on the user’s emotional state, but they can be identified by their invalid web addresses. Several phishing variations include:
- Spear phishing, where the email attempts to sound more user-specific to appear more legitimate.
- Whaling, which attempts to target more prominent company figures, like CEOs or C-suite executives — frequently in an attempt to get them to transfer money to resolve company transactions.
- SMiShing, which is the same thing as phishing, except for SMS text message-based systems.
Although among the most common attacks, phishing schemes are also among the easiest to avoid, as organizations may stay safe simply by interacting only with senders they know.
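The two phishing tells named above, an unfamiliar sender and a web address that does not match what it claims to be, can be checked mechanically before a message ever reaches a clinician. The following is an added example written for this article, not code from the page or from Diligent; the allow-list of known sender domains, the sample messages and every domain and IP address in them are constructed for illustration.

```python
"""Flag common phishing indicators in an e-mail: a sender domain that is
not on the organization's known-sender list (or merely resembles one),
and links whose visible text names one domain while the href leads
somewhere else. Added example with constructed data; not from the page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of senders the organization already knows.
KNOWN_SENDER_DOMAINS = {"example-hospital.org", "payer.example.com"}

DOMAIN_TOKEN = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. A crude stand-in for a public-suffix
    lookup, sufficient for the constructed sample data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_indicators(from_header):
    """Reasons the From: address is suspicious, if any."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    domain = m.group(1).lower() if m else ""
    reasons = []
    if domain not in KNOWN_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain!r} is not a known sender")
        # A known domain embedded inside a longer, unknown domain is a classic
        # look-alike (e.g. known.org.something-else.example).
        for known in KNOWN_SENDER_DOMAINS:
            if known in domain:
                reasons.append(f"sender domain {domain!r} resembles known sender {known!r}")
    return reasons


def link_indicators(html_body):
    """Reasons the links in the HTML body look deceptive, if any."""
    collector = _LinkCollector()
    collector.feed(html_body)
    reasons = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https") or not target.hostname:
            continue  # mailto:, tel:, anchors, etc. are out of scope here
        host = target.hostname
        if IPV4.fullmatch(host):
            reasons.append(f"link points at a bare IP address: {href}")
        # Visible text that names a domain other than the one the link visits.
        for shown in DOMAIN_TOKEN.findall(text):
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"link text shows {shown!r} but href goes to {host!r}")
    return reasons


def assess_email(from_header, html_body):
    """Combine sender and link checks into one list of indicators."""
    return sender_indicators(from_header) + link_indicators(html_body)


# Constructed sample messages (not real mail).
PHISH_FROM = "IT Helpdesk <helpdesk@example-hospital.org.secure-login.example>"
PHISH_BODY = (
    "<p>Your password expires today. Sign in now:</p>"
    '<a href="http://203.0.113.5/portal">www.example-hospital.org/portal</a>'
)
LEGIT_FROM = "Medical Records <records@example-hospital.org>"
LEGIT_BODY = '<p>Your statement is ready.</p><a href="https://portal.example-hospital.org/">Open the portal</a>'

if __name__ == "__main__":
    for reason in assess_email(PHISH_FROM, PHISH_BODY):
        print("indicator:", reason)
    print("legitimate message indicators:", assess_email(LEGIT_FROM, LEGIT_BODY))
```

Run against the constructed phishing sample, the checker reports four indicators (unknown sender, look-alike of a known sender, a link to a bare IP address, and link text naming a domain the link does not visit); the legitimate sample produces none. A production filter would replace the two-label domain heuristic with a public-suffix list and feed its findings into the mail gateway's quarantine rules rather than printing them.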
Ransomware
First developed in 1989 by a researcher attempting to gain access to AIDS data, ransomware has become a prominent threat not only to PHI but also to medical devices and patient health. In this practice, hackers install software on medical systems that shuts down entire networks until money is sent to an account, effectively holding healthcare data for ransom.
A California hospital fell prey to a ransomware attack in 2016. It was forced to pay $17,000 to unlock its own records, trusting that the cybercriminal would hold true to their promise to unlock the system if paid. In addition to the $17,000 ransom, the hospital faced the untold expense of operational shutdown and business loss due to its damaged reputation.
Physical Device Misuse
Physical misuse of remote devices is a common entry point for cybercriminals — and one that no security system can cure. When devices such as laptops or monitors are left unguarded, cybercriminals can easily access data by either viewing unauthorized files or stealing entire devices. Other tactics involving device negligence are more subtle, such as the “evil maid” scheme, whereby a hacker may briefly tamper with an unattended device to install software that will grant them access to valuable data later on.
Cybersecurity Solutions for Healthcare
While think tanks are still coming up with new ways to bring the healthcare industry up to speed with its hacking opponents, a few common security measures could go a long way toward that end. A recent study by the University of Illinois at Chicago mentions a few of these, including:
- Developing a culture of safety: By educating employees on recognizing phishing scams and practicing safe device handling techniques at every level, healthcare organizations can reduce their susceptibility to digital attacks.
- Keeping software up to date: Keeping operating systems and firewalls current is a simple yet often neglected way to keep cybercriminals at bay.
- Using strong passwords: Replacing default or multi-use passwords with thorough, regularly-changed passwords makes a cybercriminal’s job much more difficult.
Although these basic steps go a long way in heightening cybersecurity in healthcare organizations, more technical steps should also be taken. The Healthcare Information and Management Systems Society (HIMSS) suggests the following cybersecurity measures:
- Installation of anti-theft devices
- Business continuity and disaster recovery plan creation
- Digital forensics
- Multi-factor authentication
- Network segmentation
- Penetration testing
- Threat intelligence sharing (also called information sharing)
- Vulnerability scans
Other measures that can be taken include increasing data granularity, to ensure that successful cybercriminals do not gain access to patients’ entire PHI, and requiring more training for frontline users like clinicians on the importance of software maintenance. None of these measures, however, can provide a fail-safe cybersecurity solution.
The above cultural and digital security measures are essential for effective cybersecurity in the healthcare industry, but another layer of protection is necessary for data security.
At the governance level, C-suite executives must have someone on their team tasked with the oversight and management of cybersecurity implementation and must understand the importance of keeping their company’s network and data safe. Many Chief Information Security Officers (CISOs) have been hired at leading healthcare facilities for that reason. However, creating yet another C-level position requires an investment of time and resources into cybersecurity — one which will only be made if the cost of a data breach is made clear to board members and stakeholders.
To that end, executives would benefit from knowing that the average cost of infiltration in 2016 was over $200 per patient record. In contrast, the cost of preventing one was only $8 per record — proving that cybersecurity spending is a worthy investment of company funds.
Improve Your Data Governance With Diligent
At the heart of the lag in cybersecurity within the healthcare industry is a lack of awareness by leaders of the potential legal and financial repercussions of a cyber attack. The only way to prevent such attacks is through proper data governance.
At Diligent, we provide a secure, integrated platform to keep your board on the same page and offer the analytical tools they need to make intelligent business decisions. We deliver modern governance solutions so your board can stay on point and up-to-date.
Request a demo of our platform today to see how Diligent can empower your board to guard your organization against cybersecurity threats.