A perfect storm is raining down on healthcare cybersecurity. The industry is vast and complex, has tremendous amounts of patient data, and it's not equipped to protect it.
The U.S. Congress established the Health Care Industry Cybersecurity (HCIC) Task Force to help address the problem. The 21 members of the task force set out to research cybersecurity in healthcare and make recommendations.
The result, published last week, is the Report on Improving Cybersecurity in the Health Care Industry. The 88-page document has dozens of recommendations for health organizations and the companies that serve them.
The problems in healthcare IT security are massive. They are highlighted throughout the document. Here are the top 10 we found.
Healthcare transformed with the adoption of electronic health records (EHRs). Compared to paper, the digital documents yielded huge gains in efficiency and the quality of patient care.
The U.S. federal government set aside billions of dollars to incentivize the rapid adoption of EHRs. For example, an average physician with at least 30% of patients covered by Medicaid could receive up to $63,750, according to The Commonwealth Fund.
“With this adoption and widespread use of EHRs, effort was originally placed on installing hardware and software required to earn the incentives. Unfortunately, a majority of the healthcare sector made financial investments in cybersecurity only in the last five years,” according to the HCIC Task Force report.
In short: the healthcare industry found a new and powerful way to store its health records, but no one remembered to lock the door.
Healthcare organizations must constantly balance the need for advanced equipment with the need for everything else – everything from magazines in the waiting room to a network security firewall.
Organizations cannot afford to replace medical systems every year. Some are years, even decades, old, and many use software that is no longer supported by the devices' manufacturers.
The same goes for computer systems. Last year, at least three hospitals were infected with malware that entered through legacy systems.
“Researchers discovered ‘a multitude of backdoors and botnet connections,’ that had been installed using ancient exploits of the unsupported Windows XP platform,” according to reporting by HIPAA Journal.
It’s difficult to convince non-believers that cyberattacks on their computers and servers could cripple their organization. It’s even harder to convince them that healthcare cybersecurity attacks are inevitable.
“Without experiencing a breach or data loss, many security professionals and organizations have difficulty demonstrating the importance of cyber protections and how proactive risk mitigation can save money and protect against reputation damage,” said the report’s authors.
This problem is likely to fade for large institutions. The wave of medical data breaches is hard to ignore year after year. Healthcare exposed more social security numbers than any other industry in 2016, according to the Identity Theft Resource Center.
For smaller organizations, however, the problem may persist.
Small practices and rural hospitals dominate the healthcare industry, the report notes. These groups do not have the resources needed to stop ongoing cyber threats, especially ones that change tactics and attack vectors quickly.
Small medical offices are plagued by cybersecurity problems similar to their larger counterparts, but they are often worse.
For example, small offices are likely to use EHRs, but they are less likely to have made the significant investments in security needed to protect them.
Even if a small healthcare organization invests in technology to monitor attacks, it’s unlikely to have the staff or expertise necessary to act on the information quickly and correctly.
The headlines erupt when a big health organization is breached. The cyberattack on the National Health Service, the primary healthcare system of the UK, was a huge story in May 2017.
The healthcare cybersecurity breach at mega-insurer Anthem, which exposed records affecting nearly 80 million patients in Feb. 2015, is not easily forgotten, either.
Cyberattacks on small medical offices, though expected to be far more numerous, rarely make headlines. This leads many to believe the small organizations are ignored by hackers and malware makers.
However, the interconnected nature of the modern healthcare industry makes these small targets an easy means of entry to breach a larger organization.
“A common, yet flawed, perception is that only large organizations are the target of cyber attackers due to the volume of sensitive, confidential, or proprietary information they possess,” according to the report.
“In reality, health care organizations of all sizes are targets due to the interconnected nature of the industry and all organizations face resource constraints.”
“This is similar to a seemingly innocuous scrape on your leg that can lead to a systemic infection that jeopardizes your life.”
Another analogy is the 2013 cyberattack against Target Corporation, which stole about 40 million credit card numbers, and which began with a breach of an HVAC service provider contracted by the mega retailer.
Why do thieves rob banks? Because that’s where the money is.
Why do hackers breach hospitals? Because that’s where the valuable data is.
Stolen credit card and bank account numbers are sold online every day. They can be used for many schemes, but banks often quickly detect the fraudulent activity and cancel the account – rendering it useless.
Medical history can last much longer. In fact, many details – including a person’s diagnoses, treatments, and personal data such as full name and social security number – never change.
Criminals can use stolen medical data for decades. A tax or medical fraud scheme can last for years before it’s discovered, netting thieves a fortune in the meantime.
Patient data can also be used for blackmail, even when the stolen records are 10 or 20 years old.
This is why medical records are more expensive on the black market. They can be 10 times, even 60 times, more costly than stolen credit cards. One reason is the longevity of the data, and another is its richness.
"Criminals want what they refer to as ‘fulls,’ full information about their victim. Name, birth date, Social Security number, address, anything they can learn about their victim. All that information is in your health-care records," according to reporting by MSNBC.
Patients increasingly demand access to their medical records. Hospitals and doctors’ offices are responding, providing the records on request, and even setting up web portals where patients can access data online.
Unfortunately, this is often done without understanding cybersecurity in healthcare.
Most consumers are unaware of the risks associated with mishandling their medical information. Many keep the login credentials for a bank account under close watch, but few are as protective of their medical records and credentials.
The report’s authors make it plain: “Growing patient involvement in their care increases exposure to threats.”
Also increasing the demand for patient involvement is a need for medical offices to cut costs. “Self-service” – such as having patients log into web portals and provide information before an office visit – is helping organizations save but also increasing their attack surfaces.
Small healthcare organizations struggle to protect their networks and other systems, but they are not alone.
“No organization has all the financial resources it needs to employ enough personnel necessary to consistently and confidently protect its networks and data,” according to the report.
The members of the task force feel it’s impossible to make a healthcare computer network watertight. The money needed to hire expert IT staff, purchase security solutions, manage them, and train other staff is simply not there.
Healthcare cybersecurity investments must compete with other demands – such as the need for new medical technologies, medical staff, and basic supplies.
“A two-person dental office or independent home health care provider cannot establish a fully resourced cybersecurity office that is necessary to stay ahead of cyber threats,” according to the report.
Cybersecurity is largely considered an IT problem, including in healthcare.
Other staff members – such as nurses, doctors, and administrators – often don’t understand the risk of a data breach. They also don’t realize everyone, not just healthcare IT staff, plays a role in keeping an organization secure.
This is partly due to a failure to educate staff members and raise the awareness of cyber threats and the harm they can pose to organizations, and more importantly, to patients.
“Data collected for the good of patients and used to develop new treatments can be used for nefarious purposes such as fraud, identity theft, supply chain disruptions, the theft of research and development, and stock manipulation. Most importantly, cybersecurity attacks disrupt patient care,” according to the report.
Responsibility for healthcare cybersecurity is often poorly defined. No one is accountable, so no one pushes hard to demand the changes necessary to secure the network and systems against attacks.
Nearly three out of four U.S. hospitals have no designated IT security professional, and some small and medium organizations lack even a single IT person, according to reporting from Healthcare IT News.
Even at small organizations, it’s important to designate a single person to lead and prioritize cybersecurity risks. The person needs the authority and expertise necessary to ensure cybersecurity requirements are identified, prioritized, fulfilled, and maintained.