The healthcare industry is one of the biggest targets for hackers and other bad actors, given the massive amount of personal data these organizations have in their possession and the critical nature of the environment. To put this into context, in 2017, more than 5.6 million patient records were breached, according to the Protenus Breach Barometer.
For cybersecurity teams in healthcare, the job is not only about protecting vital patient data; it is also about keeping systems and networks running, because an outage can put patients in potentially life-threatening situations.
While the current cybersecurity environment places a heavy burden on the industry, it also offers new opportunities, both for cybersecurity and healthcare professionals. But first, it’s important to understand the threats the industry is facing and the skills needed to overcome those threats.
Unique Cybersecurity Concerns
A survey of US physicians by Accenture and the American Medical Association (AMA) found that 83% of physician practices have experienced some form of cyber-attack, such as phishing and viruses. Also, 74% cited interruption to their clinical practice as a primary concern, and the number of events attributed to ransomware increased by 89% from 2016 to 2017.
The advent of the Internet of Medical Things (IoMT) has created similar challenges. Connected medical devices such as pacemakers and insulin pumps are at risk of being held for ransom as well, particularly because there are currently no security standards in place for these devices.
As these devices connect to health provider networks, they create an additional avenue of entry for cyber-criminals. Both the patients who use them and the providers who care for those patients are at risk of compromise.
The intersection of cybersecurity and healthcare
Cybersecurity plays a major role in the modern healthcare industry and presents new opportunities for both those already working in healthcare and those in IT.
Existing healthcare professionals have a deep understanding of the rules laid out by HIPAA, the regulatory framework that all US healthcare providers operate under. This provides significant context for cybersecurity, as HIPAA specifies rules for data privacy.
Existing healthcare staff understand not only HIPAA but also the patient care environment. They can identify and prioritize potential risks to patient well-being, to patient privacy and to other healthcare systems and services. This familiarity with industry-specific regulations and the clinical setting gives them a strategic head start.
On the flip side, there are also unique advantages that IT professionals bring to the table, the most significant being an understanding of IoT and endpoint security. This knowledge can serve as a strategic asset when securing the patient environment.
Also, when new devices are introduced, and new threats along with them, someone with security expertise in the technology space really shines. These are the individuals who can ask the security questions that medical professionals don’t know to ask. However, they must also gain an understanding of patient care and of data privacy regulations in healthcare to fully mitigate security risk.
New skills needed
There are a number of aspects unique to healthcare that are essential to understand when it comes to implementing a strong security posture. A big component of this is a good working knowledge of HIPAA. This includes data privacy rules and security provisions for safeguarding medical information – and there can be significant penalties if these aren’t met.
There’s also another layer of healthcare security – securing the actual equipment, underlying software and medical devices that support patient care. Securing these devices is critically important – if a ventilator were to lose power or be hacked, the result could be life threatening.
Even maintenance is a security challenge: applying security patches to device software must be strategically scheduled to avoid interrupting patient care. There are also additional layers of healthcare security that aren’t as intuitively obvious. For example, payment processing requirements are enforced by the payment industry association. On top of all of this, there’s a mandate to prevent Medicare fraud and insurance fraud.
At the most basic level, a fundamental understanding of these regulations and compliance obligations is necessary.
Other aspects of healthcare cybersecurity posture include risk management, including supply chain risk in the handling of Protected Health Information. Healthcare organizations often also handle government information (such as Social Security numbers and Medicare and Medicaid details) and insurance company information – as well as employment status data. They must also observe patient privacy requirements from the General Data Protection Regulation for EU citizens. Mobile devices connected to Wi-Fi, such as patient devices and those of visiting physicians, pose additional security challenges.
Preparing to protect and prevent
While healthcare organizations are busy caring for people, cyber-criminals are busy trying to exploit weaknesses in those organizations’ networks. These bad actors are experts at applying maximum leverage to their victims, since the threat of patient harm must be dealt with immediately – and the remedy is usually quite expensive.
Overcoming cyber threats requires a comprehensive security strategy, which requires skilled talent. There are two ways to procure the required talent: one is to bring cybersecurity professionals into the healthcare industry and train them in the particular challenges and compliance needs—the context—of the industry. The other is to train those already working within the healthcare industry on cybersecurity topics. Given the scarcity of cybersecurity talent, organizations may choose to pursue a combination of the two.
As healthcare becomes an increasingly vulnerable and valuable target for cyber-criminals, the risk to patient safety and the risk of personal data theft also increase. To effectively mitigate cybersecurity risk, it’s essential that healthcare organizations leverage not only technologies but also well-trained talent with the correct knowledge and skills.
Bringing together individuals from both healthcare and IT best positions these organizations to ensure the security of patients, their data and their health.