For healthcare organizations that handle a lot of patient data, including very sensitive information, cloud computing is a revolution to data storage. Cloud computing in healthcare lowers data storage costs (compared to the old paper-storage era), enables easy retrieval of patient data and also improves the privacy of patient information. This has inevitably led to a rise in the adoption of cloud computing in healthcare. In fact, the healthcare cloud computing market is projected to exceed $92 billion by 2027, according to Research and Markets. However, the increasing adoption of cloud computing in healthcare has led to serious cybersecurity concerns. Medical information is of far greater value than financial information. However, most healthcare facilities lag in terms of data protection considering the enormous responsibility they have. This article explores the current spate of cyber attacks on healthcare companies and recommends pragmatic solutions for better security.
Malware and Ransomware Attacks
The most pressing cybersecurity threats in the past few years are ransomware attacks. One of the heaviest attacks in recent times was against three DCH hospitals in Alabama. Eventually, the hospital system recovered their files from the attackers only after parting with an undisclosed sum of money. According to the 2019 Verizon Data Breach Investigation Report (DBIR), ransomware accounted for over 70% of malware attacks suffered by healthcare outfits last year. Assumptions that such attacks only affect large healthcare organizations are wrong. According to the RiskIQ brief on Ransomware in the Health Sector 2020, small hospitals and healthcare centers are the most often targeted. The reason is simple: they have the least budget and resources for security, becoming soft targets for attackers. In the absence of official figures, experts estimate that at least 85% of small- or medium-sized hospitals lack a single IT security person on staff. Solutions: In view of rising ransomware attacks, healthcare organizations should perform regular backups, and every backup should be stored offline or on a separate network from the major network. In the event of an attack, data recovery is better than being held at ransom. Consistent evaluation of security infrastructure must also take place to find out and block vulnerabilities.
Data Theft and Breaches
So far in 2020, no less than 28 healthcare data breaches have been reported. One of the worst was the Beaumont Health data breach that impacted over 110,000 patients. The important thing to note is that though news of it emerged this year, the incident actually occurred in mid-2019. That such a revelation took so long to come out is a testament to the damning subtlety of data breaches. According to the Protenus Breach Barometer, in 2019, the average time it took a healthcare organization to discover a data breach was 224 days. That was an improvement compared to 2018! Also, the healthcare sector suffers the most from data breaches financially. According to an IBM Security report, the cost of a data breach in health globally in 2019 was a whopping $11 million. In second place was the financial sector at $5.5 million. Solutions: Encryption goes a long way in mitigating data breaches. Encryption protects not only the hospital system from being hacked, but it also ensures that the protected records would be unreadable to the attacker without the possession of a unique decryption key. Healthcare providers should therefore consider integrating customer-centric encryption into their infrastructure, particularly a solution which makes for tightly secure yet flexible user experience.
According to the 2020 Verizon DBIR, internal threats accounted for 48% of data breaches. Although it is a lower percentage than the 59% recorded in the previous year’s report, the figure underscores the fact that insider threats are still a tremendous problem in healthcare cybersecurity. Many organizations (not just in the healthcare sector) aim most of their resources at combating external threats, all-the-while oblivious to the fact that insider attacks are just as dangerous. This form of attack is even more difficult to check since anybody from indirect employees (18%) to staffers with allowed access (78.2%) may stage an attack. Solutions: Kathy Hughes of Northwell Health recommends Security Information Event Management (SIEM) technology for combating insider threats. Such a data loss prevention technique alerts management to any suspicious activity on the hospital network or database.
Phishing Attacks and Employee Errors
In another view, insider threats are not limited to deliberate criminal actions. They include the negligent worker who connected to the hospital system via an unsafe network. They also include the worker who fell for an email phishing, exposing the hospital system to a malware attack. The ‘curious’ employee snooping around poses a security risk, too. According to the HIMSS Cybersecurity Survey in 2019, 59% of healthcare IT experts claimed that email was the most common point of information compromise. The second, at 25%, was human error. Solution: Healthcare providers need to upend cybersecurity education for their employees. There is a deep public lack of trust (one-third, per a survey) in the ability of healthcare IT systems to not yield to a cyber-attack. Many errors could be avoided if medical staff were trained in basic cybersecurity hygiene to avoid inadvertent dangerous exposure of patient data and also to identify warning signs of a potential attack.
Hospitals often outsource some of their jobs such as cleaning and security to professional agencies. If any of these indirect employees, including contractors, business associates, etc., have access to the hospital network, they can unwittingly or willfully do damage. Most times, these vulnerabilities may go undetected for a long time. For instance, the largest healthcare data breach of the last year was traced to a business associate. The attack on the American Medical Collection Agency put the information of about 12 million patients at risk; the actual figure could be much higher. According to the 2020 Protenus Breach Barometer, business associates were responsible for the breach of over 24 million patient records in the whole of 2019. Solutions: Onboarding third-party vendors, contractors, and associates should begin with a full cyber risk assessment. In fact, the outcome of such an assessment should play a major role in determining which organization to work with. But this shouldn’t be a one-off affair. Once there is a working relationship, there should be continuous monitoring of the third-party as well for security risks.
Internet of (Medical) Things Insecurity
Cybersecurity experts and researchers have demonstrated that most medical IoT devices deployed today have serious cybersecurity risks and are easy attack entry points. The average medical device has about 6.2 vulnerabilities. Considering that hundreds of those have been in use in clinics and hospitals for many years (over 20 years, averagely), cyber attackers have an easy time of it. Worse is that there is no agency responsible for testing medical devices for cybersecurity vulnerabilities. This leaves the security of the devices completely in the hands of manufacturers, who are often overcome by a need to control the market quickly before considering the attendant risks. Solution: According to the FDA, the responsibility for the security of medical devices lies with manufacturers and healthcare providers. Providers should test every device they deploy for security risks and vulnerabilities.
Cybersecurity in healthcare is a serious issue given the sensitivity of information passed around. Healthcare providers urgently need to step up their security as they adopt cloud computing methods. There should be constant evaluations and upgrades of security infrastructure to meet the current global best standards. This would begin by having a security expert(s) assess your facilities for security risks and give specific advice for improvement.
About the Author: Michael Usiagwu is an Entrepreneur, Tech Pr Expert and CEO of Visible Links Pro. He assists various organizations to stay abreast of the latest technology. Some of his insightful content can be seen in Readwrite, InfoSecurity Magazine, Hackernoon, and lots more. He's very much open to assist organizations to increase their latest technology development. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.