As almost daily news headlines indicate, the healthcare industry is increasingly a target for cyber attacks and data breaches. In fact, according to a report from the Institute for Critical Infrastructure Technology (ICIT), the healthcare industry is the most targeted sector in the U.S. for cyber attacks, yet it’s also the least prepared, and the human element in the healthcare cybersecurity infrastructure continues to be the weakest link.
The report, titled “Hacking Healthcare IT in 2016,” lays out a number of lessons that the healthcare industry can learn from previous large-scale security breaches, specifically the United States Office of Personnel Management (OPM) and Anthem.
According to the report authors, the same organization presumed to have carried out the OPM hack has since continued to target healthcare organizations after the Anthem and Premera Blue Cross breaches, which put at risk the electronic health records of more than 91 million Americans.
“The remainder of the healthcare sector needs to learn from these prolific breaches before their organizations are the next to fall and place patients at risk. Cybersecurity reform must encompass the people in the organization, the policies and procedures in place, and the technologies deployed,” the report authors state.
The healthcare industry is in the unfortunate position of managing and storing sensitive data that’s very valuable to cyber criminals while simultaneously having significant vulnerabilities in its “insecure and antiquated networks” that these malicious hackers can exploit to get to patient health records.
The healthcare sector manages very sensitive and diverse data, ranging from personally identifiable information (PII) to financial information. An electronic health record (EHR) contains a patient’s personally identifiable information, their private health information, and their financial information.
And while healthcare organizations are subject to greater regulatory pressure than government entities, healthcare organizations also have greater fiscal flexibility and greater autonomy, according to the report.
“As a result, healthcare organizations have the opportunity to rapidly decrease the risk to their systems by propagating a multilayer information security program within their organizational culture. An effective program would justify budget allowances by deterring cybersecurity incidents, by better adhering to regulation (such as the HIPAA Security Rule), and by providing a definitive competitive operational advantage over other competitors,” the authors wrote.
The report authors also stated, “Rather than ignoring the threat hoping that insurance policies are large enough to cover the costs of a breach, the healthcare sector needs to invest in risk management based information security programs. Cybersecurity programs should be a multilayered defense that protects the confidentiality, integrity and availability of information whenever it is stored, in transit, or being processed.”
The 97-page report outlines a multipronged approach to meaningful cybersecurity for healthcare organizations, with a focus on people, policies and procedures, and technical controls. The report also highlights the cybersecurity challenges of healthcare in the digital age, such as the Internet of Things (IoT), telehealth, embedded devices and mobile apps. To that end, the report authors advocate for mandated penetration testing before and after a medical device is released. This will not stifle innovation, the authors state, but “rather it will create more opportunities through the perfection of technology.”
The report also examines how legislation and collaboration could help address cybersecurity issues in the healthcare industry.
To address the human element in the cybersecurity infrastructure, healthcare organizations should focus on ongoing staff training, since attackers often target staff through spear phishing and watering hole attacks.
“Staff education, pre-market dissection of technology and patching of vulnerabilities that stimulate innovation and protect the public, and legislation that protects patient privacy and enforces device cybersecurity at the manufacturer level are only the first steps in creating better national cybersecurity hygiene,” the report authors wrote. “A cybersecurity-centric culture must demand safer devices from manufacturers, privacy adherence by the healthcare sector as a whole and legislation that expedites the path to a more secure and technologically scalable future by policy makers.”