With cyber-attacks over the course of 2018 targeting one of the largest industries in the United States – the healthcare industry – it’s time to hone in on protecting patient and institutional information with a more focused approach to cyber-security. Compared to other industries, most healthcare organizations are underinvested in cybersecurity and spend roughly half as much as others. Quite alarming when phishing attacks and patient data base breaches could be as severe as being life threatening.
“Healthcare is an attractive target for cybercrime for two fundamental reasons: it is a rich source of valuable data and its defenses are weak. Cybersecurity breaches include stealing health information and ransomware attacks on hospitals and could include attacks on implanted medical devices. Breaches can reduce patient trust, cripple health systems and threaten human life.”1 There is definitely a sense of urgency for healthcare providers and institutions to better maintain and practice cyber security efforts.
Healthcare networks do not include just inpatient facilities and clinical departments, but also Telemedicine practices, rural healthcare providers/patients, internet medical device monitoring, and multi-cloud environments. “Today’s game-changing technologies-utilization of social media, mobile devices, the Internet of Things, and cloud-computing-present an increasing number of access points. Security strength varies widely. Available data sources about an individual can easily be stitched together to exploit high value items like financial assets and medical identity.”2
Interesting enough, most cyber-attacks on healthcare institutions are done for minimal monetary payout and usually does not involve revenge against a specific corporation or individual. The strongest stimulus of cybercrime in healthcare is the value placed on the acquired personal data. According to the 2015 Ponemon report on security of healthcare data3, the average cost of a data breach for a healthcare organization is estimated at more than $2.1 million and criminal attacks are the number one cause of data breaches in healthcare, up 125 percent compared to five years ago. The payout for each set of stolen data could range well into the thousands (US dollars) depending on the type of information retrieved and how complete the set of patient data is. “Stolen medical identities can be used for anything from a victim’s relative attempting to gain coverage, to massive deception and fraud perpetrated by organized crime.”2
It may only take an attacker a few seconds to minutes to compromise an organization, but it could be a matter of a few weeks or months before the breach is detected, damaged is evaluated, and new security efforts put in place to avoid the same type of attack from happening again. A new approach that is highly favored and based off healthcare organizations heavily relying on third-party services and vendors can be referred to as a software supply-chain attack. This particular degree of attack is dangerous for healthcare institutions due to access of a larger base of possible breach points. This is frequently done by directing traffic from the main domain to an infected domain; directly compromising a vendor’s software; and targeted third-party hosting services. Other common cybercrime threats include: malware and ransomware; phishing attacks; cloud risks; illusion websites; and employee compliance.
Attackers can damage or disable servers, devices, and networks utilizing malware. Ransomware is an extended version of malware in which a monetary demand is typically made in exchanged for promised restoration.
Phishing attacks are a common method where mass amounts of emails are typically sent out to an institution with addresses that seemingly appear to be from a reputable sender. Usually this is done to obtain sensitive information like login credentials and user data in order to breach the system or account.
The cloud systems are becoming a popular source for institutions and organizations to store large quantities of data, such as protected health information (PHI). This is found to be a common weak spot within healthcare organizations, stemming from improper encryption of the network.
Clever illusion website trends have been on the rise recently. Website addresses appear very similar to reputable sites and can easily be mistaken, even with a quick glance. This can lead the unknowing user to sharing access or entering PHI or even personal data such as a credit card number or social security number.
A less-thought of, but important risk factor is solely employee error. After all, the weakest link in any computer system is typically the operator. An entire healthcare organization could be vulnerable to a cybercrime by unencrypted devices, generic or weak login credentials, and other failed compliance measures.
The convenience and popularity of telemedicine combined with rising medical technological advancements allow medical most implanted medical devices to be monitored, adjusted, and data recorded simply by being connected to the internet. Medical devices carry breach risk and vulnerabilities just like other computer systems and servers. It is highly recommended that the device manufacturer and healthcare provider/institution that implants the devices implement additional security measures to ensure total patient safety.
System protection is “easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high end point complexity, internal politics, and regulatory pressures.”4 According to HealthIT.gov5, top recommendations to enhance cybersecurity in healthcare are: an established security culture, mobile device protection, good computer habits, implementation of a firewall, installed and maintained anti-virus software; a plan for the unexpected; controlled access to PHI; limited network access; and controlled physical access. Even with foundational recommendations in place, a one-size-fits-all methodology does not apply well to every institution. New implementations of security measures can be developed based on current utilization of technology resources, critical aspects to patient care, and individual organizational needs.
Due to the intricacy of today’s healthcare networks, PHI is often shared internally and externally throughout various multidisciplinary teams and servers. This creates a demand for an organization to have transparent visibility across the entire user surface, especially utilizing cloud-based storage, in order to analyze threat, maintain compliance, and respond as an integrated system to changes in the network.
Although the healthcare industry is behind the curve in terms of monetary investments towards cybersecurity, it is marginally ahead of the curve in terms of encrypting communication from devices. While this offers protection to the PHI data moving throughout a network, it increases the need to examine both inbound and outbound encrypted data due to the potential use of hidden malware and disguised stolen data being retrieved from the network. An inventory of all IoMT (Internet of Medical Things) devices could be utilized to track and reference them periodically against exposures.
A common cybersecurity technique is the implementation of firewalls to protect the organizations’ IT system. Firewalls come in several different forms depending on internal or external network processes. Most organizations utilize a packet filtering firewall, status inspection firewall, and an application level gateway. “A packet filtering firewall is considered standard, and functions as an internal electronic feed filter that essentially protects the security of an electronic health record (EHR).”6 “A status inspection firewall are used to verify a correlation of incoming electronic feeds with previously filter feeds.”6 The third type of firewall is the application level gateway. This type of firewall “acts as a gatekeeper for the organization’s network when scanning the IP web page for any threats prior to forwarding the page on to the end user. In this type of firewall, external network connections are accessed through the gateway in order to prevent external intrusion into the organization’s intranet.”6
With the increasing dependency of IoMT devices for functionality of work done, organizations may also want to strengthen network segmentation. This can be achieved with a segmented-strategy approach by using a Next Generation Firewall (NGFW). NGFWs essentially integrate a traditional firewall with other network device sorting capabilities. Not only are NGFWs placed to handle segmented users and data, but they monitor traffic moving across across the network or through different domains. This would allow a healthcare organization to oversee multiple points of the network to regulate users, applications, and data.
Healthcare organizations have also lacked in investing money and time available in order to adequately train to recognize threats, address vulnerabilities, and halt security breaches. Emphasis on safe computer practices and continuous cybersecurity education would reiterate that each employee of the healthcare organization is responsible for secured patient data. An established cybersecurity protocol would be beneficial for network users and the organization collectively to follow a chain-of-command in the event of a cyber-attack.
The healthcare industry has not only trailed behind other industries in cybersecurity progression, but has failed to protect current stakeholders through unsuccessful systems protection. Healthcare organizations must take necessary steps to improve security measures and continuously realign cybersecurity efforts with the ever-evolving advancements in cybercriminal capabilities.