Cybersecurity in healthcare: how to improve the overstressed industry

Sep 25, 2020

Cyberattacks are growing year-on-year, affecting businesses and individuals. But there’s one industry that’s especially vulnerable — healthcare. While it was already evident that the industry trails sectors such as finance and technology, the spike in attacks during COVID-19 has revealed just how far behind healthcare really is.

What makes hospital breaches so prevalent? What could be done to protect them against cyberattacks? We’re going to discuss all that in just a moment. But first, let’s look at what criminals are after — and that’s PHI.

What does PHI stand for?

When talking about cybersecurity in healthcare, we’re focusing on the security of protected health information (PHI). The GDPR and HIPAA regulations both cover data protection, but while all sensitive personal data falls under the GDPR umbrella, HIPAA is concerned only with PHI.

PHI includes data like names, locations, phone numbers, and email addresses. However, it could also contain biometric data, social security data, insurance plan data, medical records, and more.

Cybersecurity challenges in healthcare

What makes healthcare more vulnerable to cyberattacks than other industries? Every industry has its weaknesses, but healthcare is where many of them come together.

There are a lot of clients.

Our lives start and end at the hospital, and that has been true of almost every person who has lived in the last 400 years.

There’s a lot of sensitive data.

The number of clients is outshone only by the importance of the collected PHI. The industry has an all-access pass to people’s most intimate secrets, which could expose their strengths and weaknesses.

There are many different standards.

Medical institutions have an ongoing debate not only about the best treatment options, but also about the proper way (sometimes even within the same country) to protect collected data. We’ve already mentioned HIPAA, which is just one of the legal instruction manuals on how PHI data should be stored. Also, note that HIPAA compliance doesn’t necessarily guarantee data security.

There’s a lot of stress.

If you’re a criminal, you want your targets to be overworked and overstressed. You’ll hardly find an industry that fits that description better. Working long shifts, dealing with life-and-death situations, and fighting over budget constraints often go hand in hand with working at a healthcare institution.

Today, we have an understaffed, overworked group of people responsible for other people’s lives and data. So slip-ups come as no surprise, but the spike in cyberattacks during COVID-19 has revealed that the scope of the problem is much bigger.

Why PHI must be protected better

According to a 2018 study by the American Journal of Managed Care (AJMC), hospital data breaches account for over 30% of all attacks. These breaches are the most common and often cost over $150 per hacked account. SafeAtLast has estimated that the industry lost over $25 billion to data breaches in 2019. Given what 2020 has been like so far, you shouldn’t count on things getting better this year either.

There’s plenty to protect. All that information about who you are, where you’re from, and what you’re allergic or immune to — that’s actually why our trust in doctors can hurt us. Imagine receiving a call from your clinic. They mention your recent test results and ask you to follow up on something important. But, to do that, you have to visit a site and fill in some details. Many people wouldn’t even consider double-checking the caller’s identity, which could easily be a criminal attempting a vishing attack.

How to do better in healthcare in 2020

There’s no magic bullet to solve all the problems in healthcare overnight. But there are steps we can and should take today, as they can have a significant and immediate impact.

Culture of awareness

Medicine is constantly changing. Not so long ago, heroin was prescribed as a cough remedy. Today, we can see how absurd that is. But is it as evident that using default passwords and storing unprotected data is just as unsettling as the medical practices of the 1920s?

Education, knowledge sharing, monitoring, and reporting any suspicious activity are the key steps that can make or break any security system. Penetration testers have demonstrated how easy it is to get into banks and prisons when employees aren’t ready for a security breach.

Embracing the easy parts of cybersecurity

Some things are easier than others. You can measure your temperature at home, but for brain surgery you have to go to the hospital. The same principle applies to cybersecurity: passwords are easy, while network security is complicated. You don’t have to be a cybersecurity expert to use a strong password. And if we take care of the easy parts, it might be enough to prevent hacking attacks.

Password managers are a great example, since they allow you to create and share complicated passwords without having to remember them. The best password managers integrate seamlessly into daily processes, store your passwords, and pop up whenever you need them.

Besides password managers, there is a variety of cybersecurity tools that do the heavy lifting in the background, like VPNs, antivirus software, firewalls, and more.

Cloud data and encryption

In the last few years, many countries have embraced the digitization of medical data. If you’ve ordered any medical forms online recently, you know how much easier these new services make the patients’ lives. The cloud has improved collaboration between healthcare professionals as well as institutions, enhancing the overall quality of health services. COVID-19 location tracking apps are a more recent example of this new era of cloud adoption.

But this is where we have to be extra selective about what kind of data can be collected, how it should be stored, and when it should be deleted. When it comes to PHI security, data privacy standards don’t spell out patient data collection and management practices well enough. That’s why, to reduce the risk of data exposure, institutions should take a privacy-first approach: collect only essential data and make sure it’s always protected with strong encryption.

Defending against ransomware

Ransomware is a bit different from what we have just covered. But you can’t talk about cybersecurity in healthcare and not mention ransomware. Recently, a woman in Germany lost her life because a nearby hospital was under a ransomware attack, which hindered its ability to provide urgent health services.

Most ransomware attacks start with a phishing email or by exploiting an unpatched software bug. Both of these can be addressed directly without overhauling everyday processes. Awareness and education will help staff recognize phishing scams, while update management can be centralized and controlled by the IT security department rather than left to each user of a networked computer.
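Awareness training works best when it is backed by automated checks that flag the same warning signs staff are taught to look for. The Go program below is an added example written for this article, not a tool from the original text: it parses two constructed messages (a lure impersonating a hospital helpdesk and a benign internal rota email) and raises an indicator for each classic phishing trait it finds. The trusted domain `stmary-hospital.example`, the organization names, the look-alike domain and the urgency word list are all assumptions chosen for the sample.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// TrustedDomains are the hypothetical hospital's own sending domains (constructed).
var TrustedDomains = []string{"stmary-hospital.example"}

// OrgNames are ways the hospital is written in a display name (constructed).
var OrgNames = []string{"st mary", "stmary"}

// urgencyWords are phrases typical of credential-phishing subject lines.
var urgencyWords = []string{"urgent", "immediately", "verify your", "password", "suspended", "within 24 hours"}

// Finding is one indicator raised against a message.
type Finding struct {
	Rule   string
	Detail string
}

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

func isTrusted(domain string) bool {
	for _, d := range TrustedDomains {
		if domain == d {
			return true
		}
	}
	return false
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is Levenshtein distance, used to spot look-alike domains.
func editDistance(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// AnalyzeMessage parses a raw RFC 5322 message and returns the indicators found.
func AnalyzeMessage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("bad From header: %w", err)
	}
	fromDomain := domainOf(from.Address)
	var findings []Finding

	// 1. Display name claims to be the hospital, but the address is external.
	if !isTrusted(fromDomain) {
		name := strings.ToLower(from.Name)
		for _, org := range OrgNames {
			if strings.Contains(name, org) {
				findings = append(findings, Finding{"display-name-spoof", from.String()})
				break
			}
		}
	}
	// 2. Sender domain is a near-miss of a trusted one (typosquat / homoglyph).
	for _, d := range TrustedDomains {
		if fromDomain != d && editDistance(fromDomain, d) <= 3 {
			findings = append(findings, Finding{"lookalike-domain", fromDomain + " ~ " + d})
		}
	}
	// 3. Replies are routed to a different domain than the one that "sent" the mail.
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if a, err := mail.ParseAddress(rt); err == nil && domainOf(a.Address) != fromDomain {
			findings = append(findings, Finding{"reply-to-mismatch", a.Address})
		}
	}
	// 4. Pressure language in the subject line.
	subject := strings.ToLower(msg.Header.Get("Subject"))
	for _, w := range urgencyWords {
		if strings.Contains(subject, w) {
			findings = append(findings, Finding{"urgency-language", w})
			break
		}
	}
	return findings, nil
}

// Constructed sample messages; the addresses and domains are invented.
const suspiciousMail = `From: "St Mary IT Helpdesk" <helpdesk@stmary-hospita1.example>
Reply-To: <collect@mail-drop.example>
To: nurse@stmary-hospital.example
Subject: URGENT: verify your password within 24 hours

Your mailbox will be suspended. Sign in at the link below to keep access.
`

const benignMail = `From: "Scheduling" <rota@stmary-hospital.example>
To: nurse@stmary-hospital.example
Subject: Shift rota for next week

Please find next week's rota attached.
`

func main() {
	for _, raw := range []string{suspiciousMail, benignMail} {
		findings, err := AnalyzeMessage(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d indicator(s): %+v\n", len(findings), findings)
	}
}
```

Each rule maps to something staff are told to check by eye (who really sent this, where replies go, why the rush), so the same checklist used in training can run on the mail gateway and quarantine or label messages before a tired nurse sees them.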

Medical devices

Last year, Tesla’s Elon Musk admitted that there was a hack where someone could take over the entire fleet of Teslas. Think about it: one hacker — all the Teslas. Now, imagine that, as medical devices are becoming more advanced, someone finds a similar bug in the technology responsible for keeping patients alive. We already know of people sabotaging hospitals in the middle of a healthcare crisis, so why couldn’t someone go after wireless pacemakers or other life-supporting technology? Luckily, this is not a problem yet, but we should be extra careful when considering connecting new medical devices to the internet.

There are many reasons hospitals and healthcare providers have to catch up with the latest cybersecurity practices, but this will take a long time. Until then, we have to start somewhere, even if it’s just changing the default password to a more complicated one.

Elisa Armstrong

Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.