With healthcare data breaches occurring at a rate of more than one per day in 2016, it's vital for hospital administrators to understand their greatest vulnerabilities. Here is a bird's-eye view of the top areas of concern for hospitals this year.
Poor cybersecurity practices
In many organizations there remains an inadequate culture of security, with hospitals or employees failing to follow best practices, either due to lack of education or an attitude that the effort and/or cost to comply is too burdensome.
With many aspects of healthcare cybersecurity remaining unregulated, levels of interest and investment vary widely within the industry. From the IT corner, one basic issue remains a lack of data encryption; among clinicians, a common issue remains poor password selection and protection, with some people outright working around them by sharing passwords among groups or posting them on monitors.
Federal regulation currently leaves healthcare developers and organizations very much making their own calls, though some stakeholders argue that's preferable to more regulation. While lawmakers have been considering further regulation, it's unclear what will happen under the new Trump administration.
Whatever the case may be, organizations shouldn't depend on regulations to tell them what to do or to ensure they are meeting a prudent level of security. Banner Health was hit with a major class action lawsuit last year alleging the health system was negligent in its cybersecurity efforts, resulting in data for 3.7 million people being compromised through its own systems and those of its food vendors. According to TrapX Security, that was the largest healthcare cyber attack of 2016 by number of patient records. Earlier this month, Children’s Medical Center of Dallas was fined a civil money penalty of $3.2 million by HHS' OCR over privacy breaches dating back to 2009 and 2013. The agency stated Children’s had failed to take actions to prevent such breaches until 2013, despite being aware of the risks.
"If you aren't following good practices, the regulatory environment isn't going to save you," as Rep. Will Hurd (R-TX), head of the House Oversight cybersecurity subcommittee said in 2016, adding, "healthcare has to help itself."
Nearly half (43%) of the healthcare data breaches in 2016 were a result of insider threats, both unintentional and malicious, according to a report by Protenus.
Internal issues continue to include the loss or theft of take-home/personal laptops, USB and other mobile devices, though with the rise of the cloud, there is less need for sensitive data to be stored on such devices and that particular vulnerability can more easily be avoided. Just last year the American Dental Association was criticized after inadvertently mailing USB drives infected with malware to members rather than using secure cloud technology.
Another basic issue that continues to be seen is the accidental exposure of patient data through IT mistakes by hospitals or connected vendors. Such a scenario unfolded in August when Bon Secours Health System in Marriottsville, Maryland had to notify more than 650,000 patients that their data had been exposed for several days while business associate R-C Healthcare Management adjusted its network settings.
As recently stated by Forbes' cybersecurity expert Reg Harnish, "Those responsible for security admit that people are their biggest risk, but still do little about it."
Data protection also needs to consider malicious insider intent, which underscores the need for as-needed data access and protected, individual log-ins – particularly amid quick staff turnover, visiting consultants and the possibility of outsiders being able to walk in and access insider systems. Recent incidents illustrate that surprises do come from within, as when staff engage in billing fraud or improperly view records for celebrity patients, or when outsiders pose as hospital staff.
The issue of cybersecurity extends beyond primary computer systems to less obvious technologies that can provide back doors for hackers, such as bedside monitors and scanners that connect with other hospital systems.
This type of attack is known as medical device hijacking or "MEDJACK"; after first becoming known in 2015, it increased through 2016 and is projected to continue upward. Medical devices are a segment of the growing "Internet of Things," the network of connected technologies that now comprise an integrated web.
Medical device hacking has been a particular threat given a lack of regulation, with device manufacturers not subject to the security standards of HIPAA. However, some movement took place on the issue in the final days of 2016 when the FDA released a 30-page document that included guidelines not just for new devices, but for manufacturers to identify and address vulnerabilities in devices already on the market.
The guidance came as the FDA continued to investigate the most high-profile medical device case of 2016, in which St. Jude Medical was accused of leaving its heart devices vulnerable to hacking that could be used to weaponize them against the patients using them, which ultimately resulted in a device recall.
In addition to medical device hacking, ransomware was identified by TrapX Research as the other top trend seen from 2016 and predicted to grow in 2017.
These attacks have taken the healthcare industry by storm, locking hospital systems and demanding a payment to restore control. Healthcare entities are viewed as ideal targets because it is so critical to them to avoid any interruption of data access or services.
According to a 2016 analysis by Protenus, hacking of all varieties, including ransomware, accounted for 26.8% of all healthcare data breaches. Of the 120 hacking incidents studied, 30 involved ransomware, and another 10 involved other forms of extortion regarding accessed data. Protenus further suggested that the number is likely much higher, given HHS only specified that ransomware had to be reported as a breach in July, and because the agency's breach reporting tool does not specifically code breaches as ransomware.
Ransomware attacks came to prominence last year following those at Hollywood Presbyterian Medical Center, which reportedly paid the ransom, and the Maryland-based MedStar hospital system, which reportedly regained control without paying. Both were said to have spent days reverting back to pen and paper while systems were locked down.
The available guidance does little to help hospitals decide whether to pay when it comes down to it: the risk of caving and fueling the trend, versus the risk of losing control of system data for any amount of time, is difficult to quantify.
This leaves hospital administrators with few concrete answers, but being ready to take part in conversations about forging ahead amid the minefield of threats will likely serve any hospital administrator well.