Healthcare Entities Must Consider The Consequences Of Not Making Cyber Security A Top Priority
Cyberattacks against the healthcare industry are on the rise and barely a week goes by without news of a patient data breach or attack on a hospital or healthcare provider.
With healthcare organizations embracing new technologies and digitizing their operations to improve efficiency, so too do they take on new risks. Without adequate cyber security, IoT security measures, enforced policies, and a strong culture of compliance, healthcare entities are vulnerable to cyber attacks, data leaks and breaches.
Why Is Healthcare A Prime Target For Cyber Attacks?
The healthcare industry has become a prime target for cyber attacks because cyber criminals know that hospitals and healthcare entities cannot afford disruptions to their operations and are particularly vulnerable to ransomware demands. The sensitive patient data that is entrusted to the care of health organizations represents value to cybercriminals for resale on the dark web for the purposes of healthcare fraud and other monetary gains.
It is vital that healthcare organizations seriously consider the consequences of not effectively prioritizing their cyber security efforts.
A Matter Of Life And Death
In the event of barred access to patient data, shutdown of computers, systems, medical devices and equipment, regular operations can be compromised and it can be a matter of life and death. Getting medical devices back up and running following a breach can take time, with many devices requiring assistance from their respective manufacturers in order to reset them.
The consequences can also be lasting. Even if a breach or attack does not directly cause a disruption, operations can still be disrupted during the investigation process. A Vanderbilt University researcher has linked over 2,100 patient deaths to hospital data breaches and lack of cybersecurity.
“A breach triggers remediation activities, regulatory inquiries and litigation in the years following a breach… [these activities] disrupt and delay hospital services, and therefore leads to care quality problems.”
– PhD researcher, Sung Choi, according to the Wall Street Journal.
The Cost Of Non-Compliance
The Health Insurance Portability and Accountability Act (HIPAA) applies to most health care providers. It establishes a set of national standards for the use and disclosure of individually identifiable health information (often called protected health information or PHI).
Healthcare organizations that fail to comply with the HIPAA Rules can be subject to civil and criminal penalties for failure to protect the health records of their patients. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for administering and enforcing the HIPAA Privacy and Security Rules and conducts associated complaint investigations, compliance reviews, and audits. State Attorneys General may also enforce provisions of the HIPAA Rules.
The OCR may impose hefty fines on covered healthcare providers for failure to comply with the HIPAA Rules.
Fresenius Medical Care North America Fined $3.8 Million Six Years After Breach
In February 2018, The OCR announced that Fresenius Medical Care North America, a provider of products and services for people with chronic kidney failure, had agreed to pay a $3.5 million settlement for violation of the HIPAA Privacy and Security Rules.
Fresenius Medical Care North America (FMCNA) had filed five separate breach reports five years earlier (in January 2013) for separate incidents occurring between February and July of 2012, implicating the electronic protected health information (ePHI) of five separate FMCNA-owned covered entities.
The OCR’s investigation revealed that the FMCNA covered entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of their electronic protected health information. Not only was the ePHI of patients accessed for unauthorized purposes, the company also failed to:
- implement policies and procedures to address security incidents
- implement policies and procedures governing the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility
- safeguard their facilities and equipment from unauthorized access, tampering, and theft
- implement a mechanism to encrypt and decrypt ePHI.
“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.”
“Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”
– OCR Director, Roger Severino
FMCNA has over 60,000 employees and serves over 170,000 patients. The FMCNA network comprises dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.
Healthcare IT Challenges
Securing healthcare IT networks, systems, equipment and data is a challenge in this internet connected world.
Healthcare IT professionals face the daunting task of trying to keep pace with the rapid development of new and innovative healthcare technologies, including implementing, maintaining and upgrading their electronic health record systems. Between the need to continually upgrade systems and patch software to address security vulnerabilities, all while ensuring compliance with national privacy and security rules, healthcare security and risk professionals have their work cut out for them.
Cyber Attacks in Healthcare
According to a Ponemon Institute survey, 62% of executives reported a cyberattack in the past year, and more than half of those reported losing patient data.
There were 2,181 healthcare data breaches involving more than 500 records between 2009 and 2017, resulting in the theft or exposure of nearly 177 million healthcare records (equating to over 50% of the US population), according to the HIPAA Journal. Disturbingly, healthcare data breaches are now being reported at a rate of more than one per day.
There have been many examples of hospitals and other healthcare providers that have fallen victim to ransomware in recent years and multiple instances of major patient data breaches. Ransomware isn’t the only form of cyber attack the healthcare industry has to combat. There are also other forms of malware and attacks, including phishing, hacking and Distributed Denial of Service (DDoS) among others.
When ransomware hits a hospital, doctors and nurses can be left with limited or no access to sensitive patient information, which directly affects their ability to care for their patients. This has led some hospitals to pay the ransom demand even though their data was backed up, because they felt they could not afford the disruption to their operations that restoring from backup would entail. In other cases, patient data was unknowingly exposed for months, and in some cases for over a year.
See below news headlines for the major breaches and cybersecurity incidents that have taken place just in the first quarter of 2018.
[Image: Major Patient Data Breaches And Cyberattacks In The Healthcare Industry Making Headlines In Q1 2018. Image source: Healthcare IT News]
What can Healthcare Enterprises Do To Protect Sensitive Healthcare Data?
Healthcare entities should start with a commitment to cybersecurity that goes beyond merely meeting compliance requirements. This means adopting cybersecurity best practices and establishing an enterprise-wide risk analysis program that includes routine audits, risk assessments, and the implementation of policies and procedures. It also means allocating the resources necessary for an effective cybersecurity strategy and program.
Adequate Staffing And Expertise
Effective cybersecurity efforts require adequate funding and staffing. Although any cybersecurity program needs dedicated and skilled personnel, there is serious understaffing of enterprise risk and security IT professionals in the healthcare industry. 75% of leaders surveyed in the Ponemon study complained of insufficient cybersecurity staffing, and despite the growing cyber threats, only half said their organization has a chief information security officer.
In addition to the lack of staff on the front line, there appears to be a severe lack of representation at the C-suite level, with only 2 out of 10 healthcare organizations having a leader responsible for managing cybersecurity enterprise-wide, according to a Black Book Market Research report.
To implement a cybersecurity protection strategy, organizations must have sufficient, properly trained staff in place, along with the appropriate technical tools to reduce cyber risk and ensure that a proper response can occur following a security incident.
Best Practice Cybersecurity
Healthcare enterprises should keep software and equipment updated to defend against cyber attacks, implement all necessary cybersecurity tools, and run a proactive cyber monitoring program that includes endpoint protection.
Unfortunately, according to the Ponemon survey, it would appear that healthcare providers are lagging in adopting cybersecurity best practices, with 54% conceding that they don’t conduct routine risk assessments. This is not surprising given that the healthcare industry respondents reported that they have insufficient cybersecurity staffing.
Healthcare organizations can help protect private patient information from cyber criminals by educating employees on how to be proactive, identify risks and take appropriate measures to prevent breaches before they happen.
Employees are the guardians and gatekeepers of sensitive patient data. Organizations should ensure staff understand the role they play in protecting patients and educate them on the risks and consequences of cyber-attacks.
Encrypt Sensitive Data
With the increase in mobile device usage, the need for encrypting data is more critical than ever. All sensitive data should be encrypted both at rest and in transit. If a healthcare professional’s phone or laptop is lost, misplaced or left unattended, unauthorized access to unencrypted data could easily put patient data and privacy at risk.
Research Software and Technology Vendors
Healthcare organizations rely on different software vendors to handle various processes. Whether it be for human resource management, billing, or document management, software vendors should meet your enterprise security standards.
If your enterprise needs help when it comes to assessing whether a software vendor lives up to your required standards for privacy and security, an independent cybersecurity consultancy like Ascension Global Technology can assist you in the vendor vetting and selection process.
Know How Third Parties Treat Your Data
Organizations commonly keep more than one copy of data or documents. Sometimes these copies of confidential information are stored by a third party. For example, e-signature vendors frequently store e-signed documents so the document and signature’s legal validity can be verified. By ensuring that third parties are safely handling and securing your sensitive information, or better yet, by limiting your data footprint, you can decrease the risk of unauthorized access to your data.
Establish A Formal Cybersecurity Incident Response Plan
Healthcare entities in particular must work to create a comprehensive cybersecurity incident response plan. According to The Third Annual Study on the Cyber Resilient Organization by IBM Security and the Ponemon Institute, 77% of organizations said they do not have a formal cybersecurity incident response plan (CSIRP) applied consistently across their entity. Of the 2,800 respondents, approximately half stated that their incident response plan was informal or did not exist.
Clearly, there is much room for improvement when it comes to establishing and applying a cybersecurity incident response plan in preparation for a security incident.
Healthcare Cyber Risks Are Too Great To Ignore
The risks of a cyber attack in the healthcare industry are too great and too serious to ignore, especially when patient lives and privacy are on the line. Healthcare organizations should work on ways to better defend themselves against potentially deadly, disruptive and costly cyber attacks and data breaches. For more information on how you can supplement your cybersecurity team and reduce your cybersecurity risk, contact Ascension Global Technology.