
Report: Human Element is the Weakest Link in Healthcare Cybersecurity Infrastructure

January 20, 2016
by Heather Landi

As almost daily news headlines indicate, the healthcare industry is increasingly a target for cyber attacks and data breaches. In fact, according to a report from the Institute for Critical Infrastructure Technology (ICIT), the healthcare industry is the most targeted sector in the U.S. for cyber attacks, yet it’s also the least prepared, and the human element in the healthcare cybersecurity infrastructure continues to be the weakest link.

The report, titled “Hacking Healthcare IT in 2016,” lays out a number of lessons that the healthcare industry can learn from previous large-scale security breaches, specifically the United States Office of Personnel Management (OPM) and Anthem.

According to the report authors, the same organization presumed to have carried out the OPM hack has continued to target healthcare organizations since the Anthem and Premera Blue Cross breaches, which put at risk the electronic health records of more than 91 million Americans.

“The remainder of the healthcare sector needs to learn from these prolific breaches before their organizations are the next to fall and place patients at risk. Cybersecurity reform must encompass the people in the organization, the policies and procedures in place, and the technologies deployed,” the report authors state.

The healthcare industry is in the unfortunate position of managing and storing sensitive data that’s very valuable to cyber criminals while simultaneously having significant vulnerabilities in its “insecure and antiquated networks” that these malicious hackers can exploit to get to patient health records.

The healthcare sector manages very sensitive and diverse data, ranging from personally identifiable information (PII) to financial information. An electronic health record (EHR) contains a patient’s personally identifiable information, their private health information, and their financial information.

And while healthcare organizations are subject to greater regulatory pressure than government entities, healthcare organizations also have greater fiscal flexibility and greater autonomy, according to the report.

“As a result, healthcare organizations have the opportunity to rapidly decrease the risk to their systems by propagating a multilayer information security program within their organizational culture. An effective program would justify budget allowances by deterring cybersecurity incidents, by better adhering to regulation (such as the HIPAA Security Rule), and by providing a definitive competitive operational advantage over other competitors,” the authors wrote.

The report authors also stated, “Rather than ignoring the threat hoping that insurance policies are large enough to cover the costs of a breach, the healthcare sector needs to invest in risk management based information security programs. Cybersecurity programs should be a multilayered defense that protects the confidentiality, integrity and availability of information whenever it is stored, in transit, or being processed.”

The 97-page report outlines a multipronged approach to meaningful cybersecurity for healthcare organizations, with a focus on people, policies and procedures, and technical controls. The report also highlights the cybersecurity challenges of healthcare in the digital age, such as the Internet of Things (IoT), telehealth, embedded devices and mobile apps. To that end, the report authors advocate for mandated penetration testing before and after a medical device is released. This will not stifle innovation, the authors state, but “rather it will create more opportunities through the perfection of technology.”

The report also addresses how legislation and collaboration could help address cybersecurity issues for the healthcare industry.

To address the human element in the cybersecurity infrastructure, healthcare organizations should focus on ongoing training, as attackers often target staff using spear phishing and watering hole attacks.

“Staff education, pre-market dissection of technology and patching of vulnerabilities that stimulate innovation and protect the public, and legislation that protects patient privacy and enforces device cybersecurity at the manufacturer level are only the first steps in creating better national cybersecurity hygiene,” the report authors wrote. “A cybersecurity-centric culture must demand safer devices from manufacturers, privacy adherence by the healthcare sector as a whole and legislation that expedites the path to a more secure and technologically scalable future by policy makers.”