Security and privacy remain among the most significant issues for almost every business, particularly those that handle volumes of digital information. Last year, several data breaches led to substantial losses. Unfortunately, the healthcare industry is still one of the targets of hackers for cyber fraud. It seems that healthcare information privacy is difficult to protect and secure even with the technological advancements that we have today.
Hackers are attracted to hospitals because they have a lot of data. Regrettably, hospital cybersecurity is not as sturdy and reliable as that of other industries. In fact, a hospital breach in the UK that took place in May last year resulted in 16 hospitals shutting down. It was only then that information security specialists realized that it was time to enhance hospital cybersecurity.
Why are Hospitals Appealing Targets?
Without a doubt, technological advancements provide great convenience for us. However, they can also increase the risk of specific damages. When it comes to data breaches at hospitals, hackers can do a lot with the information they can get from a health record. They can get a mortgage, open a credit card, and even file insurance claims. Getting into the system is even more valuable than getting access to someone's credit card number.
Stealing paper records would most likely need a car or a large getaway vehicle. When hackers take social security numbers, driver's license data, and addresses from more than 130 million Americans, they only need a USB drive. For this reason, it is imperative that a medical organization has a technical and practical team securing hospital data every day. This team supports the staff that provides medical care, since its members make sure that patient data remains where it belongs.
Traditionally, the healthcare industry has had weaker controls in place than certain sectors, such as the financial industry. Therefore, hospitals are not just data-rich, but also more susceptible to hacker attacks. Medical organizations should aim for security that is on the same level as that of big financial institutions.
According to the Data Breach Report in 2017, data breaches in the US reached a record-breaking number of 791 by mid-year alone, and 334 of them took place in hospitals. The data breaches included hacking, phishing attacks, and skimming.
The Cost of Cyber Crime Study in 2017 mentioned that the annual cost of cybercrime in the healthcare industry is almost $12.50 million. The same report showed a significant increase in the number of cyber-attacks from 13 to 27% since 2016, while malicious insiders grew from 35 to 40% last year. The costliest attack types were web-based and malware attacks, and information theft is the most expensive effect of these cybercrimes.
Health Organizations that Use Old Technologies are the Most Vulnerable
Outdated applications and systems are still used for healthcare information privacy. Unfortunately, these systems do not do much and can even create hospital cybersecurity threats. Some hospitals also use obsolete operating systems like Windows XP, which does not receive updates from Microsoft anymore and no longer gets patches for vulnerabilities.
Even with the developments in technology, many US hospitals still use these pieces of legacy software and hardware that do not help these medical organizations but instead pose a great risk to them. The reason behind the use is money. Software and medical equipment can be very expensive. For instance, an ultramodern magnetic resonance imaging (MRI) machine costs more than $2.5 million, while an ultrasound machine costs anywhere from $10k to $200k. Getting the license for an electronic health record (EHR) system is about $75k each.
With the numbers above, it becomes clear why several healthcare organizations find it a challenge to afford new software and hardware every year. As a result, hospitals use software and applications that are no longer supported by their creators or manufacturers. Unfortunately, legacy communication and information systems can easily be infected with malware. Additionally, they do not get updates from the manufacturers, so hackers find them easy targets. A hospital's top priority should be to protect itself from hack attacks.
The Key Problem Areas of Hospitals in Handling Information
According to a study, some important areas pose risks to the security of hospital information. The main issue is still the lack of funding: the budgets assigned to information security in healthcare organizations are much lower than in other industries.
Another problem is the lack of resources, since it is normal for the IT staff that handle security matters not to have a leader who is responsible for safeguarding information. Additionally, there is no security operations center to identify and assess cyber threats.
The third problem area is the lack of training of hospital staff: both the administrative and medical staff are unaware of the threat landscape and of best practices in dealing with issues. Aside from that, most hospitals do not know the information technology infrastructure that they have or its vulnerabilities. This is why upgrades and updates are delayed, and devices are often misconfigured.
Boosting Hospital Cybersecurity Effectively
Despite all the problems mentioned, things are not all bad. Technological developments and a regulatory environment can help make hospital security better. The American Hospital Association (AHA) suggests that health organizations should prepare for and handle their security risks by making them a part of the current governance of the hospital. Cybersecurity should also be a part of the business continuity framework as well as the risk management of the organization.
Hospitals that implement security measures to protect data and privacy are taking the necessary steps toward a stronger and better system. These efforts include:
Automatic log off of the users of the system
A unique identification of all the users
The requirement for strong passwords
Passcodes on mobile devices
Usage of intrusion detection systems
Wireless network encryption
Workstation and laptop encryption
Removable storage media and mobile devices protection
The situation is now improving, although there is still a long way to go for the hospital information technology infrastructure to become genuinely safe.
Implementing the Checklist
It is always necessary to start by identifying the problem first:
Is the knowledge of the hospital staff sufficient when it comes to hospital cybersecurity? Most hospitals focus on providing treatment, the medical aspect of this particular business. Therefore, they only upgrade technology connected to delivering their medical services. They also train and hire good specialists for caring for patients and saving lives. Hospitals should understand that protecting data and strengthening cyber technology is also essential to ensuring the quality of care.
Is the staff aware that medical facilities are appealing to hackers? With inadequate security in cyberspace, healthcare organizations are an easy target.
Financial data of the patients can be very lucrative for the criminals.
Size corresponds to the threat: bigger organizations face greater dangers than smaller ones. More people are in the system, so more possibilities of exploitation exist.
Can the processes remain consistent? Healthcare organizations face difficulties in creating and applying security procedures and standards. It is crucial that security measures and best practices are identified and are the same for all the departments in the hospital.
Are all the networks safe? Hospitals typically rely on shared wireless networks, and this feature can create vulnerabilities.
If you own or run a hospital, there are a few steps that you can take so that the business will remain prepared and protected at all times. Here are some suggestions:
Use better technology to protect the data of the patients and prevent the systems from getting attacked. Adopt more advanced software, including software with multifactor authentication. Some of the best practices to copy from specific industries include tokenization, improved monitoring systems, biometrics-based applications, and blockchain technology.
Prioritizing infrastructure advancements for cyber safety is a must. A healthcare organization should allocate some budget for its improvement. It is expensive, but it is costlier to lose data. Just employing one specialist or upgrading a system can lead to substantial progress.
Have a more secure network by using encryption and segmentation.
If the hospital can afford it, purchasing insurance can be valuable. Cyber insurance is now a trend, particularly at financial organizations, and healthcare facilities will also benefit from it.
Staff and even patients should be trained. Human errors open doors for hacker attacks, including phishing, which is considered the top cause of a data breach these days. It is important that healthcare organizations inform everyone about how they can help boost the cyber protection of the hospital. They can provide information leaflets and handbooks, even emails, workshops, and seminars to educate the staff and the people who use the services of the hospital.
IT specialists should be hired since they know the pitfalls and traps of cyber-attacks. If the hospital does not have enough security professionals, it is possible to use the experience of other people who can deal with the problem.
Many companies can supply specialists and knowledgeable people for the job. The company, however, should be HIPAA-compliant and should also be ISO-certified. Solid experience in hospital IT is also useful.
The landscape of cybersecurity for hospitals is currently changing. It is still challenging to navigate, but focusing on its importance can make taking care of healthcare information privacy much easier in the coming years.