Report: Human Element is the Weakest Link in Healthcare Cybersecurity Infrastructure | Healthcare Informatics Magazine | Health IT | Information Technology

Report: Human Element is the Weakest Link in Healthcare Cybersecurity Infrastructure

January 20, 2016
by Heather Landi

As almost daily news headlines indicate, the healthcare industry is increasingly a target for cyber attacks and data breaches. In fact, according to a report from the Institute for Critical Infrastructure Technology (ICIT), the healthcare industry is the most targeted sector in the U.S. for cyber attacks, yet it’s also the least prepared, and the human element in the healthcare cybersecurity infrastructure continues to be the weakest link.

The report, titled “Hacking Healthcare IT in 2016,” lays out a number of lessons that the healthcare industry can learn from previous large-scale security breaches, specifically the United States Office of Personnel Management (OPM) and Anthem.

According to the report authors, the same group presumed to have carried out the OPM hack has continued to target healthcare organizations after the Anthem and Premera Blue Cross breaches, which together exposed the electronic health records of more than 91 million Americans.

“The remainder of the healthcare sector needs to learn from these prolific breaches before their organizations are the next to fall and place patients at risk. Cybersecurity reform must encompass the people in the organization, the policies and procedures in place, and the technologies deployed,” the report authors state.

The healthcare industry is in the unfortunate position of managing and storing sensitive data that’s very valuable to cyber criminals while simultaneously having significant vulnerabilities in its “insecure and antiquated networks” that these malicious hackers can exploit to get to patient health records.

The healthcare sector manages very sensitive and diverse data, ranging from personally identifiable information (PII) to financial information. A single electronic health record (EHR) typically contains a patient's personally identifiable information, protected health information (PHI), and financial information, which is what makes it more valuable to criminals than any one of those data types on its own.

And while healthcare organizations are subject to greater regulatory pressure than government entities, healthcare organizations also have greater fiscal flexibility and greater autonomy, according to the report.

“As a result, healthcare organizations have the opportunity to rapidly decrease the risk to their systems by propagating a multilayer information security program within their organizational culture. An effective program would justify budget allowances by deterring cybersecurity incidents, by better adhering to regulation (such as the HIPAA Security Rule), and by providing a definitive competitive operational advantage over other competitors,” the authors wrote.

The report authors also state, “Rather than ignoring the threat hoping that insurance policies are large enough to cover the costs of a breach, the healthcare sector needs to invest in risk management based information security programs. Cybersecurity programs should be a multilayered defense that protects the confidentiality, integrity and availability of information whenever it is stored, in transit, or being processed.”

The 97-page report outlines a multipronged approach to meaningful cybersecurity for healthcare organizations, focused on people, policies and procedures, and technical controls. It also highlights the cybersecurity challenges healthcare faces in the digital age, such as the Internet of Things (IoT), telehealth, embedded devices and mobile apps. To that end, the report authors advocate mandated penetration testing of medical devices both before and after release. This will not stifle innovation, the authors state, but “rather it will create more opportunities through the perfection of technology.”

The report also addresses how legislation and collaboration could help address cybersecurity issues for the healthcare industry.

To address the human element in the cybersecurity infrastructure, the report recommends that healthcare organizations focus on ongoing staff training, because attackers commonly reach staff through spear phishing and watering hole attacks rather than by breaking technical controls directly.

“Staff education, pre-market dissection of technology and patching of vulnerabilities that stimulate innovation and protect the public, and legislation that protects patient privacy and enforces device cybersecurity at the manufacturer level are only the first steps in creating better national cybersecurity hygiene,” the report authors wrote. “A cybersecurity-centric culture must demand safer devices from manufacturers, privacy adherence by the healthcare sector as a whole and legislation that expedites the path to a more secure and technologically scalable future by policy makers.”
