Cybersecurity in Healthcare: threats and existing solutions

Daria Bulatovych
20 April 2018

Well-resourced cybercriminals are now clever enough to break into even seemingly tight security systems. Healthcare is among their primary targets: more than a third of all attacks in 2016 were carried out on healthcare organizations, according to IBM’s X-Force Threat Intelligence Index 2017.

Throughout 2017, attacks on medical institutions were relentless. Nearly every day, hackers assailed poorly defended networks and weakly controlled areas to gain access to medical devices and databases.

The statistics speak for themselves: in January and February of this year alone, 24 healthcare providers reported data breaches affecting more than 1,000 patients each, a 60 percent rise over the same period in 2017. These numbers come from a Harvard Business Review article written by three security experts at the market research company Forrester.

It is significant to note that just 53 percent of healthcare and public-sector security decision-makers reported an attack in 2017, according to the above-mentioned article. The real number of breaches remains unreported.

The danger grows more critical all the time. Ransomware attacks have become more frequent in the healthcare industry and can cripple a clinical network and degrade the quality of care. The situation is complicated by the fact that most clinical networks are “flat” rather than segmented, which means an infection spreads far more easily from the IT network into the hospital network.

Healthcare information is in high demand among cybercriminals. Stolen healthcare data can be sold on the black market, used for intimidation, and marketed to foreign agencies. It is also profitable to sell patient identity data to other perpetrators and to use the information in illegal financial transactions.

In this article, we review some of the most discussed sources of danger to cybersecurity in healthcare and give tips on how to achieve the highest possible security for your organization.

Hackers Are Employing Creative Techniques to Steal Healthcare Information

Cybercriminals are always looking for ways to improve their techniques and approaches. For instance, hackers penetrated Banner Health’s payment processing system at its food and beverage outlets and used it as a gateway into the network, thereby reaching the servers holding patient information. In that way the criminals obtained the data of 3.7 million patients at 27 locations, as reflected in the year-end financials.

We cannot yet say how much Banner Health will be penalized by OCR, as the breach is still under investigation. However, for a breach similar in scope to Banner’s, 21st Century Oncology paid OCR $2.3 million in December 2017 over a 2015 breach of 2.2 million patient records.

Given the sophisticated approaches hackers use to steal healthcare data, medical institutions must have the most effective in-house data security, provided by genuine security professionals.

Ransomware in Healthcare

Cybercriminals are actively seizing healthcare information with a view to extortion. This type of cybercrime is called ransomware.

The criminals will not give you access to the information until you pay the demanded sum of money. This type of cybercrime shocked the healthcare industry in 2016, locking up a number of medical institutions’ data and causing business outages and financial losses.

In February 2016, for example, cybercriminals seized the healthcare information of Hollywood Presbyterian Medical Center in Los Angeles. The Center eventually paid $17,000 to obtain the decryption key from the criminals. As a result, the hospital suffered an outage for a whole week.

According to Healthcare IT News, more than 4,000 ransomware attacks take place every day in the USA alone, and healthcare is the main target for perpetrators.

The number of ransomware attacks is increasing because the cost of launching an average attack is comparatively low and it is highly difficult for the police to identify the criminals.

Fortunately, there are steps that can be taken to substantially minimize the danger of ransomware:

1. Patching and keeping all the software updated

All healthcare facilities should patch weaknesses as soon as possible. IBM, for example, uses an automation tool through which its clients remain reasonably safe, since the malware is only dangerous to an unpatched vulnerability.

It is vitally important to stop ransomware wherever it resurfaces. Patches, however, are only effective if IT teams actually keep programs updated by installing them as they are issued.

To provide the best possible protection against malicious programs, including ransomware, all healthcare organizations have to check regularly for updates and patches, particularly when a new threat is revealed.

2. Performing periodic and complete data backups

Even with updated software and effective device and network security, the IT solution set must take into account how to cope with the aftermath if an attack does happen.

Since ransomware encrypts the information on local networks and puts it out of reach, the most reliable way to recover the information is to have a backup.

For that reason, full data backups, covering both the software and the stored information, must be a routine part of all managed IT solutions. Organizations that have access to a copy of their information can restore it and resume normal operations faster.

3. Providing ongoing staff training

In addition to out-of-date and vulnerable software, staff can be the gateway for malicious programs attacking work computers and networks.

To solve this problem, healthcare facilities have to train their staff about the danger of ransomware and other malware and conduct periodic training as a routine part of continuous IT security.

Organizations have to set policies on the permitted use of organizational technology and inform staff on how to keep private data secure.

Ongoing training on recognizing malicious programs, with timely updates about new threats, is extremely helpful as part of all IT solutions.

All the above-mentioned steps are practical and can be applied in any healthcare organization, given the appropriate skills and a well-founded action plan.

Third-Party Stakeholders Increase the Risks

Medical institutions often work under contractual obligations with third-party stakeholders. Occasionally, they need to give those parties access to, or share with them, some healthcare information in order to avoid substandard service or operation.

However, along with helping to improve services and operations, third parties represent a security threat. The following example illustrates the reality of the issue. The New Jersey Attorney General fined Virtua Medical Group more than $418,000 over a breach of patient data caused by a misconfigured database in January 2016. The number of patients whose information was exposed totals 1,654.

The investigation found that Virtua had not carefully analyzed the risk of sharing patient information with a third-party vendor. Officials also stated that Virtua did not take security measures that could have reduced the risk level, which violated HIPAA.

The investigation also discovered that the Medical Group had neither security awareness nor an in-house program to train employees.

It is worth knowing that a healthcare provider should have a well-formed in-house data security policy to manage the information it shares with third-party vendors.

A medical institution should also include information security provisions and responsibilities in the contract. Third-party stakeholders, in turn, should access, store, use and govern the information in line with their security commitments.

Insecurity of Mobile Applications

Applications are essential to compete effectively against other providers in the fast-changing healthcare industry. However, they also pose data security risks. Medical services use mobile applications to look up data, and a tiny loophole in an app can cause a breach.

Best Security Techniques to Create Secure Healthcare Mobile Apps:

Mobile Device Security – Many healthcare facilities provide caregivers and various non-staff members with devices. This opens the door to loss and theft, and a lost or stolen device can end up in criminals’ hands. To avoid a data breach in this situation, restrict what the device can access. There are also multiple controls such as GPS location tracking, remote wiping and remote locking.

Data Encryption – Patient information is retrieved from the server over wireless networks on request. If that information is not encrypted, cybercriminals can obtain it easily. It is therefore vitally important to identify which device is communicating with the server to access the data, and encryption is the tool for that. It helps reveal and restrict leakage and provides reliable information protection to ensure compliance.

Restriction on Access to Data – Only authorized users have the right to access protected information on mobile phones. More importantly, practices like requiring a complex password or two-factor authentication (2FA) help assure healthcare application security.

Application Testing – Testing an mHealth application makes it simple to reveal bugs and errors and to prevent intrusion. You also learn whether all functionality works as expected. Penetration testing, data security testing and network security testing are among the efficient testing techniques you can use.

Application Update – Pushing app updates regularly is one more efficient way to close loopholes in the application and make it more secure.

Healthcare Email Security Needs

Most of the biggest US public healthcare facilities are not using enough protective measures for email security, a recent Global Cyber Alliance (GCA) survey reported.

Just 22 of the country’s top 48 for-profit clinics have deployed the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, according to the GCA survey. Only 6 of the 50 biggest healthcare facilities are working on improving their email security.
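Deploying DMARC means more than publishing a record: a policy of p=none only produces reports and blocks nothing. The following is an added example, not code from the article or from GCA, that parses a domain’s published DMARC TXT record and grades how much protection it actually enforces; the domain names and records below are constructed for illustration.

```python
"""Grade the strength of a DMARC policy record (added example, not from the article).

A domain publishes DMARC as a TXT record at _dmarc.<domain>. This grades the
tag=value pairs of that record. Sample records are constructed; in practice they
would come from a DNS TXT lookup.
"""

# Constructed sample records keyed by (hypothetical) domain name.
SAMPLE_RECORDS = {
    "strong.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:reports@partial.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "broken.example":  "v=spf1 include:_spf.example.com ~all",   # an SPF record, not DMARC
    "silent.example":  None,                                    # no record published
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A valid record starts with v=DMARC1 and must carry a policy (p) tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def grade_dmarc(record):
    """Grade a record: 'enforcing', 'partial', 'monitor-only' or 'missing'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    if policy == "reject" and pct == 100:
        return "enforcing"              # failing mail is rejected outright
    if policy in ("reject", "quarantine"):
        return "partial"                # quarantine, or enforcement on a subset only
    return "monitor-only"               # p=none reports but blocks nothing


def audit(records):
    """Grade every domain and return {domain: grade}."""
    return {domain: grade_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, grade in audit(SAMPLE_RECORDS).items():
        print(f"{domain:18} {grade}")
```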

NIST issued a publication called Trustworthy Email in 2016 to inform IT managers on how to manage email security.

NIST said in its executive summary that the Simple Mail Transfer Protocol is susceptible to different types of attacks.

“The basic standards have been modified and augmented over the years with adaptations that mitigate some of these threats,” the report states. “With spoofing protection, integrity protection, encryption, and authentication, properly implemented email systems can be regarded as sufficiently secure for the government, financial and medical communications.”

How to choose the most appropriate cybersecurity provider

There is a popular misconception that cost reduction is the most challenging task for medical institutions. In truth, patient data protection is more important and more complicated than cost reduction.

It is certainly true that preparedness is all-important in order to remain connected and protected, but it is not easy to put in place even with a fully staffed IT department. Consequently, healthcare facilities have to choose a cloud-based IT solutions partner that provides the most up-to-date infrastructure for network support.

A healthcare organization should also give special priority to its security partner’s compliance work. Only an IT partner that has passed audits and confirmed PCI, SOC 2 and HIPAA compliance is worth considering.

Ask a vendor whether they have the relevant documents pertaining to HIPAA, including policies and procedures on staff training, and whether independent firms have audited them. You should also check whether the vendor has business associate agreements.

Ask whether they provide services such as encryption and single sign-on, which help a partner improve its compliance over time while cutting costs.

Since last year, the U.S. Department of Health and Human Services (HHS) has been assessing cybersecurity risks, big data and emerging technologies to streamline compliance standards.

HHS keeps revising HIPAA requirements and the way healthcare information is stored, shared and consumed. Therefore, you should work with a partner that keeps pace with changing HIPAA standards.

In addition, an appropriate cybersecurity partner has plain and prompt communication with top-tier networks through a secure, fully owned connection that bypasses the public Internet, where information is exposed to hacks and attacks.

Your data partner should also have expert professionals willing to fully understand your needs and offer relevant solutions. The operation of a healthcare facility requires the security provider’s staff to be available around the clock, alert and ready to provide support.

Improving technology is creating new capabilities for medical institutions to treat people, access shareable data, and reach patients and employees through connected devices. However, all these capabilities involve risk. A reliable and skilled partner who understands compliance significantly reduces that risk.

Our company also employs the above-mentioned techniques and methods to provide cybersecurity and avoid the threats reviewed in this article.

Get in touch with us to establish the system that will empower you to get rid of the concern related to possible cyberattacks.

The End