No one knows you better than you do. But thanks to technology advances and the continued digitization of healthcare data accumulation and sharing processes, we can also honestly say the same about your healthcare provider.
Indeed, every time we get in touch with a health professional, data is recorded (either on paper or electronically), entered into a computer, and then stored in a massive database for record-keeping, analysis, and retrieval.
This digital warehouse of electronic health records (EHR), which contain medical history, diagnoses, and medications (including billing data, insurance, and other personally identifiable information), is what cybercriminals are after. For healthcare facilities in the business of research, intellectual property is their primary asset at risk. Such a trove in the wrong hands could mean nothing good.
A horripilation of dread
Dismally, where healthcare excels in medical breakthroughs and advances in therapy, it lacks in cybersecurity preparedness and adoption of privacy practices. Studies from independent organizations consistently reveal that the continuous use of legacy systems—those outdated programs and computers running Windows XP—scarce resources allocated for cybersecurity, and an apparent shortage of IT professionals top the list of problems the healthcare industry faces. And this is just the tip of the iceberg.
Technological advancements that make reviewing, sharing, and storing digital information possible present other significant challenges that need addressing. They include:
- The easy accessibility of patient records
- The automation of clinical systems (e.g. the ordering of prescription medicine for patients)
- The introduction of external media or third-party devices to the hospital network
- The emergence of mobile health apps
- The increasing adoption of BYOD
- The overall lack of awareness of risks to patient health data among hospital and clinic staff
Below, we take a look at the cybersecurity risks that each of these challenges present.
Easy accessibility of patient records
Public-facing healthcare facilities like hospitals and clinics have embraced the move from paper records to digital records. In so doing, they gather and store patient data into databases open to anyone with access to them, whether it be a doctor 20 miles from the building or a nurse at the reception desk.
The digitization of patient health records also made the process of sharing information across multiple healthcare facilities easier. Patients, too, are given access to their health records. Because of this, the likelihood of exposure to threats increases.
All that storing, retrieving, and sharing leaves the door open to malicious actors who can just as easily infiltrate the database to steal information and sell it on the black market. How valuable is patient data? Very valuable. Medicare ID numbers belonging to 10 patients, for example, are being sold for 22 Bitcoins, which amounts to more than $200,00 as of this writing. EHRs carries a hefty price tag because this is the kind of data that criminals can use and reuse for decades. And unlike credit card data, medical records cannot be altered or canceled once used in fraud.
Automation of hospital and clinic systems
Removing redundant and tedious tasks from healthcare professionals’ workday is a sound business move. It increases productivity, saves money, and improves the patient experience. However, as much good as automation has brought the industry, the implementation of its systems may have been carried out without cybersecurity or privacy in mind.
Those who quickly went about deploying automation for services like refilling prescriptions or making appointments might have medical devices and web-facing computers in the same network when they should be separate, for example. When medical devices are networked on the Internet and not secured, that leaves the door open for threat actors to exploit.
External media or third-party devices
Although the use of unencrypted external media and portable devices is against HIPPA (Health Insurance Portability and Accountability Act of 1996) standards, staff and third-party contractors continue to introduce such devices to computer systems connected to the hospital network. There have also been instances where patients have brought their medical records in via external media for doctors to review.
Two possible ends could come from this: portable media and devices might get stolen or misplaced, resulting in a security breach, and/0r malware might be introduced to the network. Ideally, both ends should be avoided at all cost.
Mobile health apps
We’re talking about mobile health, or mHealth, apps used by patients and medical professionals alike. These apps collect data from whoever uses them, and if doctors have access to this data, they can readily provide feedback or advise. Unfortunately, there is no such thing as a “one app that rules them all.” There are thousands of them out there in the market, believe it or not. And each one of them needs to be secured, else risk all those data getting leaked.
Bring Your Own Device (BYOD)
In 2012, Aruba Networks published the results of their survey, revealing that 85 percent of healthcare staff and professionals support the use of personal mobile devices, such as smartphones, laptops, and tablets, at work. Some say this trend is a natural fit for the industry as doctors and nurses are frequently on the move.
Being able to access records on the fly and sharing them with colleagues increases collaboration and productivity among healthcare staff. However, mobile devices owned by hospital staff and professionals are liable to theft. If they are not encrypted, it’s easy enough for the thief to retrieve, make use of, or sell the EHR stored in them.
Some hospitals and clinics also allow patients and visitors to connect to the facility’s Internet. This results in both patient and staff member BYOD devices overwhelming the bandwidth. On top of this, no one is really sure if such devices are secure enough, if at all. If a potentially infected device is introduced to the network, malware could take residence in the server or spread to other devices connected to the network.
Read: BYOD, why don’t you?
Lack of cybersecurity awareness
Lastly, healthcare staff is generally unaware of threats to patient data and are poorly prepared to identify attack types. This is probably why they may appear negligent in handling email, mobile devices, and hospital records. As we have already established before, cybersecurity issues are not just something that IT staff should scramble to address. Everyone, including nurses and doctors, has a responsibility to uphold when it comes to protecting patient data and securing hospital resources from external threats.
Sadly, there’s no panacea in sight
Unfortunately, there’s no magic bullet to address the myriad of challenges born from an environment this complex. In fact, addressing problems and risks surrounding something this important shouldn’t be rushed. People’s lives, after all, are at stake here, too. Although an overhaul may be needed to completely turn things around for the healthcare industry, this still takes a considerable amount of time to implement. And even if it has been completed, continuous improvement must naturally follow.
The good news is that healthcare facilities, regardless of size, don’t have to wait for a major revamp to happen before they can address the current dilemmas plaguing their industry. In part 2 of this post, we’ll discuss steps healthcare organizations can take to stay secure—beginning with awareness and education campaigns.
Until then, be well and stay safe!
This is a Security Bloggers Network syndicated blog post authored by Jovi Umawing. Read the original post at: Malwarebytes Labs