Cybersecurity, so far, remains the most daunting challenge facing the healthcare industry, amplifying every passing day. Data breaches occurring every year cost the healthcare industry as much as $5.6 billion per annum, according to Becker’s Hospital Review. Year in Review, also states, an average of at least one health data breach per day was reported in 2016 alone, which ultimately impacted as many as 27 million patient records. Now that’s big!
What is even more alarming is the fact that these cybersecurity risks are becoming increasingly difficult to identify, prevent and mitigate. As per a Whitepaper published by Workgroup for Electronic Data Interchange (WEDI), the primary factor that needs to be blamed here is the significant and chronic underinvestment in cybersecurity, which has resulted in high exposure to cyberattacks and very minimal capabilities to detect and mitigate them. And while cybercriminals may hack through a given healthcare organization in only a matter of seconds, it more than often takes weeks and even months to detect the breach. And by then the amount of damage that has been done is so massive and grave that reversal is technically impossible. Moreover so, with the rapid adoption of HER and mobile devices, healthcare cybersecurity departments have become highly prone to oversights that unintentionally invite malicious hackers on board.
Most Common Cybersecurity Challenges in Healthcare
Numerous data breach investigation reports have identified a host of vulnerabilities that all healthcare organizations face and that merit special attention while devising data management and risk mitigation strategies:
- Malware and Ransomware – malware and ransomware are primarily used by cyber criminals to completely shut down the victim devices, servers and sometimes the entire networks. In some cases, ransom is then demanded to fix the encryption.
- Cloud Threats – since majority of the health information of patients is stored on the cloud, inadequate encryption of this data can become a potential weak spot for cybersecurity.
- Phishing Attacks – mass emails are sent out from seemingly reputable sources to capture sensitive information from the users which is then misused by cyber criminals.
- Encryption Blind Spots – as much as encryption is crucial for data protection, it has an inherent tendency to create blind spots where hackers can hide from the detection tools.
- Misleading Websites – forged websites have been created by cyber criminals with addresses similar to the original reputable sites. Sometimes they simply substitute the .com for .gov, which sends off a very imprudent illusion that both the websites are the same.
- Employee Errors – apart from all the technology related concerns, sometimes employees can also leave the healthcare organization and relevant data susceptible to attack through mistakes such as unencrypted devices, weak passwords and other failures of compliance.
- Patient Medical Devices – medical devices that require connectivity to external systems, such as pacemakers that need to be connected to the internet, also face serious vulnerabilities to data theft. Preventive security measures have been mandated by FDA prior to the installation of such devices.
Improving Cybersecurity in Healthcare
Improving cybersecurity in the healthcare industry has, therefore, become imperative to sustain the industry at large and to maintain patient satisfaction.
The most important undertaking for improving cybersecurity is to make appropriate risk assessment for the practice in focus. This should address concerns such as data loss through hardware failure or software bugs, deliberate theft or data corruption by employees, accidental viewing of confidential data, active hacking attempts to infiltrate network security including DDOS attacks too crash the servers, and so forth. The primary purpose of this activity is to proactively address every possible risk that might be associated with the practice. It will also assign due accountability. Moreover, the policies implemented must also include contingency plans that outline the consequences in case of any breach occurs.
Every Day Common Practices
There are certain everyday common practices that are required to streamline cybersecurity process and to make it an ongoing process. This includes activities such as ensuring strong passwords and regular change of passwords, disabling unnecessary account, preventing unauthorized software installations, removing unnecessary software and browser plugins, restricting access to doubtful websites, and restricting access to physical ports. Moreover, it is imperative to note that gone are the days when IT admins used to blindly assume reputation as a guarantee for quality. In today’s uncertain times, it is extremely important to conduct thorough research before making any important decision, because security comes first.
Continuous Training & Education
On-going education and training of the staff is often the forgotten component of cybersecurity. Practices must necessarily invest in training their medical staff about workplace security protocols, privacy practices and most importantly, the significance of protection of confidential patient data. Regular training allows them to ensure swift response and appropriate actions when something goes wrong.
While it is inevitable to ensure 100% security, it is always advisable to develop and document a comprehensive back-up plan. This is essentially part of disaster planning, which should include both a thorough assessment on what information needs to back-up and how, and what procedures need to be put into place for restoring back-ups. Interestingly, many healthcare management solutions now include data archival solutions that are updated with electronic health record software stored offsite in the cloud.
Limit Physical Access
Besides data protection through encryption and establishing other security protocols, physical access to devices carrying electronic health information must be limited to authorized access only. You need to understand that data is not only stolen through network breaches, but also through theft of device carrying the critical information. Loss of laptops, hard drives, flash drives, DVDs containing medical data, etc. accounts for about half of the data losses reported. Hence, strict actions to limit physical access to data must be ensured for data protection.
Regular Audit and Evaluation
Apart from deploying all the strategies discussed above, regular evaluation and audit is perhaps the evolving ideal for the healthcare industry. Regular assessment of the policies and procedures must be an essential part of the data governance process, critically assessing all the items on the list that are working well and all those that merit attention. Adopting a proactive systematic approach, even a small practice can comply with safety protocols and ensure cybersecurity.
The healthcare industry continues to be the hot favourite target of hackers. Rapid and constant changes to the digital environment and healthcare communication have significantly impacted how medical practitioners use medical devices, perform patient care, store and retrieve patient data and conduct other business operations.