Report: Human Element is the Weakest Link in Healthcare Cybersecurity Infrastructure | Healthcare Informatics Magazine | Health IT | Information Technology

Report: Human Element is the Weakest Link in Healthcare Cybersecurity Infrastructure

January 20, 2016
by Heather Landi

As almost daily news headlines indicate, the healthcare industry is increasingly a target for cyber attacks and data breaches. In fact, according to a report from the Institute for Critical Infrastructure Technology (ICIT), the healthcare industry is the most targeted sector in the U.S. for cyber attacks, yet it’s also the least prepared, and the human element in the healthcare cybersecurity infrastructure continues to be the weakest link.

The report, titled “Hacking Healthcare IT in 2016,” lays out a number of lessons that the healthcare industry can learn from previous large-scale security breaches, specifically the United States Office of Personnel Management (OPM) and Anthem.

According to the report authors, the same organization presumed to have carried out the OPM hack has continued to target healthcare organizations since the Anthem and Premera Blue Cross breaches, which put at risk the electronic health records of more than 91 million Americans.

“The remainder of the healthcare sector needs to learn from these prolific breaches before their organizations are the next to fall and place patients at risk. Cybersecurity reform must encompass the people in the organization, the policies and procedures in place, and the technologies deployed,” the report authors state.

The healthcare industry is in the unfortunate position of managing and storing sensitive data that’s very valuable to cyber criminals while simultaneously having significant vulnerabilities in its “insecure and antiquated networks” that these malicious hackers can exploit to get to patient health records.

The healthcare sector manages very sensitive and diverse data, which ranges from personally identifiable information (PII) to financial information. An electronic health record (EHR) contains a patient’s personally identifiable information, their private health information, and their financial information.

And while healthcare organizations are subject to greater regulatory pressure than government entities, healthcare organizations also have greater fiscal flexibility and greater autonomy, according to the report.

“As a result, healthcare organizations have the opportunity to rapidly decrease the risk to their systems by propagating a multilayer information security program within their organizational culture. An effective program would justify budget allowances by deterring cybersecurity incidents, by better adhering to regulation (such as the HIPAA Security Rule), and by providing a definitive competitive operational advantage over other competitors,” the authors wrote.

The report authors also stated, “Rather than ignoring the threat hoping that insurance policies are large enough to cover the costs of a breach, the healthcare sector needs to invest in risk management based information security programs. Cybersecurity programs should be a multilayered defense that protects the confidentiality, integrity and availability of information whenever it is stored, in transit, or being processed.”

The 97-page report outlines a multipronged approach to meaningful cybersecurity for healthcare organizations, with a focus on people, policies and procedures, and technical controls. The report also highlights the cybersecurity challenges of healthcare in the digital age, such as the Internet of Things (IoT), telehealth, embedded devices and mobile apps. To that end, the report authors advocate for mandated penetration testing before and after a medical device is released. This will not stifle innovation, the authors state, but “rather it will create more opportunities through the perfection of technology.”

The report also addresses how legislation and collaboration could help with cybersecurity issues for the healthcare industry.

To address the human element in the cybersecurity infrastructure, healthcare organizations should focus on ongoing training, as hackers often target staff using spear phishing and watering hole attacks.

“Staff education, pre-market dissection of technology and patching of vulnerabilities that stimulate innovation and protect the public, and legislation that protects patient privacy and enforces device cybersecurity at the manufacturer level are only the first steps in creating better national cybersecurity hygiene,” the report authors wrote. “A cybersecurity-centric culture must demand safer devices from manufacturers, privacy adherence by the healthcare sector as a whole and legislation that expedites the path to a more secure and technologically scalable future by policy makers.”
