On May 12, 2017, the WannaCry ransomware attack was launched. Its victims spanned the globe, with Britain's National Health Service (NHS) hit particularly hard.
Subsequent investigations revealed that the NHS was not a specific target of this cyberattack; it simply got in the path of the malware. Nonetheless, the attack inflicted real damage while revealing a troubling truth: healthcare systems, in general, are inadequately prepared to fend off cyber security threats.
This vulnerability poses a significant risk given our medical system's use of digital medical records and billing and payment processes, increasing reliance on telemedicine (thanks to the pandemic), and use of wearable healthcare devices.
In this article, we examine the critical role of cyber security in healthcare, as well as the following:
Like so much of our personal data, our healthcare information is now digitized. Time was, anyone who wanted to violate the sanctity of our personal health records had to physically break into a doctor's office or a records room in a hospital. Nowadays, bad actors can violate your medical privacy from the other side of the world without leaving their house. Compounding the problem: hospital records often contain other personal patient data, such as social security and credit card numbers.
The cyber security risks only increase from there. Hospitals use myriad electronic medical devices (e.g., heart, blood pressure, and ECG monitors) and digital applications that, as part of the Internet-of-Things (IoT), are all connected to the outside world. While these devices help physicians remotely monitor the health of their patients, they also offer a host of cybercriminals additional opportunities to attack.
Given our healthcare system's chronic financial challenges, institutions must allocate funds as they see best. Sometimes, shoring up defenses against the burgeoning cyber security threat doesn't receive adequate fiscal support (especially when balanced against providing quality patient care). Yet, when data breaches occur in ransomware attacks, human lives are potentially at stake, making it likely that the attacked institution will comply with the criminals' extortion demands to avoid further endangering their patients' health and well-being. That can exact a huge cost in both financial and human terms.
Despite measures in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (developed by the Department of Health and Human Services (HHS)) mandating safeguards for private patient information and strictures regarding when that information can be given out without the explicit permission of the individual, violations are still too common.
Those violations can cause all sorts of problems. It would be bad enough if the only risk were that your personal health information could fall into the wrong hands. We learned the extent of the risk in January 2015, when two separate incidents—one at Anthem Blue Cross and another at Premera Blue Cross—compromised the medical records of nearly 9 million people.
But responding to such intrusions also takes up time and resources that would otherwise go to patient care, thus interfering with healthcare providers' ability to serve their primary function. In this light, cyber security should be seen by the healthcare industry as essential not just to the industry's financial well-being but also to the well-being of its patients.
Medical records are largely digitized these days. Hospitals also rely heavily on technology for improvement in care coordination, error reduction, efficiency enhancement, and data tracking. Cybercriminals can wreak all kinds of havoc, not only by stealing sensitive information but also by altering it so that efficient care becomes far more difficult. They can even threaten to interfere with any of the myriad machines and devices used in treatment.
For example, a 2020 cyberattack forced all of George Washington University Hospital's medical and financial record keeping offline. While the cybercriminals didn't access medical records or employee data, they locked the hospital out of its computer system until a ransom was paid. No patients were harmed in this particular instance, but the potential damage from a compromised operational system could have been devastating under different circumstances.
Technological integrity is preserved through such basic security practices as access control, encryption, and monitoring, making it harder for hackers to obtain the information in the first place—and ensuring that the cybersecurity professionals on staff know the moment a breach occurs. Additionally, the use of integrated risk management allows the entirety of an organization to be secured under an umbrella-level cyber-risk paradigm, reducing the chance of illegal incursions.
The process of paying for medical services is complicated and increasingly digitized—which creates uniquely modern vulnerabilities. The large amounts of money being transferred, the personal and medical data associated with bills and payments, and the frequency with which hospitals are targeted for their lack of sufficient information security have made the healthcare sector a prime target for cybercriminals.
An estimated 95 percent of data breaches, including healthcare data breaches, result from human error (for instance, employees being duped by phishing emails and revealing passwords or inadvertently downloading malware into the organization's computer system). That's why all staff must receive comprehensive security training.
Additional data protection security measures include secure passwords, multi-factor authentication, solid encryption, stringent hiring practices, and fully realized disaster-preparation plans for instances when security measures prove insufficient.
Third-party vendors present unique and pernicious challenges to healthcare organizations. No matter how meticulous your organization's digital security protocols are, when dealing with third parties (not to mention their subcontractors), their security shortcomings often become your cyber security risks. Just this year, an attack on the New England-based Shields Health Care Group left dozens of affiliated organizations—including Tufts Medical Center and UMass Memorial—vulnerable as well. A third-party vendor's poor cyber security defenses can also adversely affect your organization by hampering operational ability and the achievement of goals, and can result in financial liability and reputational damage.
Organizations can deal with the potential hazards of third-party vendors through security awareness—by keeping detailed records of who they deal with and, whenever possible, who their third-party vendors deal with. Your information security apparatus needs to be well-versed in your associated partners' cyber security defenses through risk assessments, tiered categorization, and constant monitoring.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) represents a significant effort to safeguard patients' private information. HIPAA set standards and limits regarding how a patient's healthcare organizations handle and utilize private information.
But that law was implemented 26 years ago, and healthcare and information technology have changed considerably since then. Think about the prevalence of electronic health records (EHR) today compared to their use in the late 1990s.
More recently, the National Institute of Standards and Technology (NIST) issued a revised draft publication of its initial cyber security guidance for health systems. It's a useful document in that it acknowledges the changes that have occurred since HIPAA was enacted and compiles all of the critical information that has come to light during this time.
First and foremost, the threat of cybercrime and the duty to guard protected health information and patient safety must be taken as seriously as a heart attack, pun intended. This seems like a fairly easy lift, as protecting patients is the health industry's primary function. Safeguarding their sensitive data from unauthorized access is simply an extension of that mission—and thinking of it in this way facilitates decisive and effective action.
True security will come when the entire healthcare industry learns to work across boundaries to address cyber security risks to the system as a whole. In the meantime, each organization must be as thorough as possible regarding its operations. This is achieved by appointing a central figure who oversees all aspects of the organization's cyber security and identifies and addresses all potential threats to critical infrastructure and operating systems through the lens of risk management.
Choosing a career in cyber security opens up career opportunities in any number of industries, including healthcare. Working in this field is particularly rewarding, as you're joining a team of professionals dedicated to protecting patients' personal medical information and helping them when they're often most vulnerable.
Whether you choose to work as a consultant, an architect, or an investigator, you will help support a worthy effort in the mitigation of risk to patients' confidential medical records.
Earning certification in general cyber security or one geared specifically towards cyber security in healthcare can benefit your career significantly. The latter certificate, geared towards people seeking entry-level positions in the field, teaches you the ins and outs of understanding, recognizing, and reacting to cybercrime in a healthcare setting. You're instructed in how healthcare systems work, educated in the regulation of healthcare information, prepared to spot weaknesses that allow cyber intrusions into private data, and trained in incident response to react effectively to breaches if they occur.