Cybersecurity continues to be one of the top issues in almost every aspect of business where one deals with digital information. In 2017, the world economy faced a multitude of data breaches leading to substantial financial losses and loss of goodwill. Unfortunately, the healthcare industry was among the major targets for cyber fraud. Data breaches set new records every year, so it is possible we’ll see a new one in 2018.
The Data Breach Report 2017 published by the Identity Theft Resource Center says that by mid-year the number of US data breaches reached a record level of 791, and 334 of those, including hacking, skimming and phishing attacks, took place in the healthcare industry.
According to Accenture’s Cost of Cyber Crime Study 2017, the annualized cost of cybercrime for companies in the healthcare industry is $12.47 million. The report also showed a significant increase in cyber attacks – ransomware attacks have increased from 13 to 27 percent since 2016, and malicious insiders increased from 35 percent in 2015 to 40 percent in 2017. The two most costly attack types were malware and web-based attacks, and the most expensive consequence of cyber crimes is information theft. Data breaches present a serious threat to patient care because they compromise normal workflow and lead to care unit closures stalling and halting operations and care delivery. According to Ponemon Cost of Data Breach 2017 study, the healthcare sector has one of the highest per-record costs - $380. And the notification costs in the United States are the highest in the world.
It should also be mentioned that hospital cybersecurity threats related to patient records and disruption of medical technology are perceived by Moody’s Investors Service as the key factor affecting hospitals credit ratings. When it comes to cybersecurity threats, hospitals should keep in mind that they can be a target of cyber attacks and thus they should identify potentially vulnerable areas in hospital IT systems and reassess management and the protection of data.
Old Technologies Are One of the Loopholes
Legacy systems and applications are still used in healthcare and create hospital cybersecurity threats as well as obsolete operating systems, such as Windows XP which is no longer updated by Microsoft and has no patches to screen vulnerabilities.
US hospitals use hundreds of pieces of legacy medical hardware and software that pose a great risk to cybersecurity in healthcare. Why do they use those legacy systems? The answer is money. Medical equipment and software are very expensive. For example, a state-of-the-art MRI machine costs about $2.6 million in average, the cost of an ultrasound machine varies from $10,000 up to $200,000, and the license fees for a server-based EHR system is about $75,000 each with overall costs of $25-$50 million for a 500-bed hospital.
Healthcare organizations cannot afford to buy new hardware and software every year. Many hospitals still use software that is not supported by manufacturers, and legacy information and communication systems are a perfect way to infect hospital IT systems with malware. At the same time, legacy systems play an important role as they support key functions. Very often they don’t get any updates, so these systems make for easy pickings for hackers. Integration of these legacy systems toward new, state-of-the-art communication systems is a time-consuming, laborious process involving complicated programming and a lot of manual steps. However, pulling data from disparate legacy systems to create a single database is just a matter of time as HIPAA compliance makes it a pressing matter.
The Key Problem Areas of Information Handling in Hospitals
According to the study of the state of cybersecurity and cyber threats in healthcare organizations, there are several key areas that pose risks to information security.
At the organizational level, the main issue is the lack of funding – the budgets allocated to Information Security are much lower than in other industries and facilities cannot afford to retain in-house information security personnel. Another source of problems is the lack of resources – very often security matters are handled by the IT staff that has no sole leader responsible for information security and no security operations center to identify and evaluate threats. And the third problem area at the organizational level is the lack of hospital staff training. Medical and administrative staff are often unaware of basic practices and the threat landscape.
There is also a technical level of the problem. Most hospitals do not know their IT infrastructure and the vulnerabilities it has. It is the reason why updates and upgrades are not timely, devices are misconfigured and legacy systems are kept online even if they are not used. Many hospitals do not track, report and manage threats effectively – as they seldom log network or system events and monitor attacks to detect cyber attacks (both present and past ones). Though the capacity to analyze and translate the threat data could help them reduce damages and identify loopholes. And very often the IT infrastructure of hospitals is build without taking into account security matters – the lack of security controls makes it possible to access important information without proper rights and, moreover, diverse information and communication systems of a hospital, such as EHR portals, medical devices, tablets, smartphones, and wearables can freely communicate with each other without proper data protection. This poses 2 major risks – infection of the systems with malware and data leaks, and the possibility to access medical devices connected to patients.
And, of course, we should mention such a simple thing as physical threats. In most healthcare facilities it is quite easy to get physical access to the hospital network – WiFi connections are available in most hospitals, patient rooms offer connections to the network through open ports for plugging in medical devices, and the outdated equipment and devices themselves with unnecessary internet connectivity also add further risk. So, these network entry points can be used by hackers to access hospital data.
What Healthcare Organizations Do to Boost Hospital Cybersecurity?
Things are not all bad, however. Developments in technology and a complex regulatory environment make cybersecurity a growing issue for hospitals and their boards. According to Accenture, cybersecurity program maturity is shifting to the middle stages, i.e. cybersecurity program activities are planned and defined by organizations, though deployed only partially.
AHA suggests that hospitals can prepare and manage cybersecurity risks by making cybersecurity “a part of the hospital’s existing governance, risk management, and business continuity framework”. The American Hospital Association also rated hospitals implementing cybersecurity measures and the 2017 AHA Most Wired Survey showed that the majority of hospitals are already taking many important security steps, such as:
· Unique identification of system users
· Automatic logoff of system users
· Required use of strong passwords
· Passcodes for mobile devices
· Use of intrusion detection systems
· Encryption of wireless networks
· Encryption of laptops and/or workstations
· Encryption of removable storage media
· Encryption of mobile devices, etc
As we can see, the situation is improving, but there’s still a long way ahead to make hospital IT infrastructure really safe. It is always necessary to have a checklist for hospital cybersecurity at hand and to take steps to keep your IT systems secure and compliant.
Hospital Cybersecurity Checklist
Identifying the Problems
· Is your staff’s cybersecurity awareness sufficient? Most hospitals are focused on the medical aspect of the business. They upgrade medical technology, train and employ good specialists to provide better care and save lives. Cybersecurity is also very important for ensuring the quality of care and even saving lives. Hospital administration and staff must be aware of best practices in the industry and cybersecurity policy used by the facility.
· Are they aware that healthcare facilities are attractive to hackers? The number of attacks is growing in every industry, and healthcare organizations are low on cybersecurity whilst they handle data on thousands to millions of people, including financial data, which is very lucrative for cybercriminals.
· The bigger the healthcare organization is in size, the greater the threat. The larger size of a healthcare organization, the more people are involved in the system. And, the more people are involved, the more points of potential exploitation exist.
· Are your processes consistent? The big hospitals and healthcare organizations can face difficulties while creating and enforcing consistent security standards and processes. “Best practices” and security measures must be identified and unified for all departments.
· Are your networks protected? Most hospitals rely on large, shared wireless networks including many different devices, which create vulnerabilities.
Steps to Take
What can hospitals and healthcare facilities do to get more prepared and protected?
· Use better technology. Hospitals can adopt more state-of-the-art technological solutions to protect patient data and prevent their systems from being attacked. These include more advanced software, such as multifactor authentication, and best practices used in other industries, such as tokenization, blockchain technology, better monitoring systems, and biometrics-based security applications.
· Boost cybersecurity to one of the top priorities for infrastructure advancements. Most healthcare organizations have some budget for cybersecurity improvement, but simply do not pay enough attention to this matter. However, one good reason to keep it in mind is the high cost of data breaches. Just one experienced administrator or a better cybersecurity system can drive substantial improvement.
· Make your networks more secure. Shared hospital networks must be segmented, encrypted and fit with strict policies about bring-your-own-devices (BYOD) and access rights.
· Purchase insurance if you can afford it. Cyber insurance is a trend in many financial services organizations, and it can be a good solution for healthcare facilities, too.
· Train your staff and patients. Human errors that open doors for phishing attacks are the top cause of data breaches today. Therefore, healthcare organizations need to inform both their staff and patients about the best practices for cybersecurity. You can use handbooks and information leaflets, all kinds of seminars and workshops, emails and even educational apps to keep your staff informed and alert about potential breaches and vulnerabilities.
· Outsource IT specialists who know all the traps and pitfalls. If your facility does not have enough cybersecurity professionals you can use the experience of those who know how to deal with the problem. Choose a company which is HIPAA compliant and ISO-certified and has solid experience in healthcare IT. This will help you get a state-of-the-art cybersecurity system and reduce costs and decrease contracting costs as you won’t have to hire full-time employees and buy additional computer equipment for the staff.
Archer-Soft has over 19 years of experience in healthcare IT and our portfolio includes mobile applications, web services, online platforms, and software in the healthcare industry. We can provide you with a custom and fully secure solution that will protect your organization from ransomware attacks and prevent data breaches. Contact our team at firstname.lastname@example.org and forget about cyber threats!