It’s getting to be an all too familiar story: Hackers break into a hospital’s computer systems and steal personal information. Earlier this month, Banner Health reported that hackers accessed payment data for 3.7 million individuals through point-of-sale systems at food and beverage vendors serving its facilities, as well as personal information on some of the system’s servers. The breach wasn’t discovered until July 7, nearly three weeks after it occurred.
The Banner Health breach is only the latest in a string of cybersecurity failures this year. In February, Hospital Presbyterian Medical Center paid $17,000 to regain control of its systems from hackers. Then in March, a cyberattack forced MedStar Health to shut down its computer network for several days. And in June, a hacker put 9.3 million health records up for sale on the internet.
With the digitization of healthcare, hospitals and health systems have become lucrative targets for hackers. “They’re naturally attracted to healthcare because it’s money at their fingertips,” says security expert Aaron Miri, adding that a single medical record can sell for more than $300 on the dark net.
Contributing to the problem is a lack of awareness and understanding of how big the problem is and a lack of guidance on how to secure systems. “There’s really no governance in terms of legislation that mandates a specific look, feel and way to operate a security model for healthcare. It’s the wild, wild west,” says Miri, CIO and vice president of government relations at Imprivata.
Shoring up security
So what can organizations do to reduce their risk of attack?
Experts agree that two-factor authentication is key to securing systems because it requires not just a username and password, but some device or piece of information only the user has.
“Relying on just a password today for securing an account, let alone online health services, is no longer acceptable,” says Marc Boroditsky, vice president of Authy, a Twilio service. “2FA adds another element to the login process; even if an attacker succeeds at obtaining a username and password, the 2FA aspect renders that information practically useless without the account holder’s device.”
But security shouldn’t stop there. Once a user gains access, there needs to be “established, additional security for high-risk activities” performed within the system, Boroditsky says.
Such added verification should be required, for example, if a user attempts to change the delivery address for a medication or attempts to view health records. A phone call, push notification to the user’s registered device, an authenticator app or SMS could do the trick. Essentially, “this prevents an attacker from ransacking your house once they get the door open,” he says.
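As an added illustration, not code from the article or from any vendor quoted in it, here is one way the step-up check Boroditsky describes can be enforced: a session records when the second factor was last verified, routine actions pass through, and the high-risk actions named above (changing a medication delivery address, viewing health records) require a fresh authenticator-app code. The action names, the 300-second freshness window and the Session class are assumptions; the code generation follows RFC 6238 TOTP.

```python
# Added example: step-up verification for high-risk actions (assumed policy values).
import base64
import hashlib
import hmac
import struct

HIGH_RISK_ACTIONS = {"change_medication_address", "view_health_records"}  # assumed
STEP_UP_MAX_AGE = 300  # seconds a verified second factor stays "fresh" (assumed)


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), i.e. the code an authenticator app displays."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation per RFC 4226
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Session:
    """A logged-in session that tracks when the user last passed a second-factor check."""

    def __init__(self, user: str, secret_b32: str):
        self.user = user
        self.secret_b32 = secret_b32  # per-user shared secret enrolled with the app
        self.last_second_factor = None  # epoch seconds of the last successful check

    def verify_second_factor(self, code: str, now: int) -> bool:
        # Accept the current 30-second step and one step either side for clock drift;
        # compare in constant time so timing does not leak how many digits matched.
        for skew in (-30, 0, 30):
            if hmac.compare_digest(totp(self.secret_b32, now + skew), code):
                self.last_second_factor = now
                return True
        return False

    def authorize(self, action: str, now: int) -> bool:
        """Routine actions pass; high-risk ones need a second factor verified recently."""
        if action not in HIGH_RISK_ACTIONS:
            return True
        return (self.last_second_factor is not None
                and now - self.last_second_factor <= STEP_UP_MAX_AGE)
```

Once the freshness window lapses, the next high-risk request is denied until the user verifies again, which is the "ransacking the house" problem the quote describes.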
With so many patients attached to medical devices, it’s also important to adopt technology that will protect them from attack, Miri says.
Organizations also need to configure firewalls to protect the perimeter of the system and segment the DMZ, or subnetwork, from the rest of the internal network, says Clyde Hewitt, vice president of security strategy at CynergisTek.
“Require VPNs to manage all external connections to internal devices. Deploy both intrusion detection/intrusion prevention systems on critical systems connected to internal networks,” he tells Healthcare Dive. “Finally, security managers should … perform vulnerability scans, conduct simulated phishing and social engineering exercises and perform periodic technical and compliance assessments to validate the effectiveness of the security controls and report the status to senior management.”
Hospitals also need to erect firewalls between personal and payment data systems and monitor to reduce vulnerability if either is attacked. Point-of-sale systems “are often treated as somebody else’s stuff,” Chris Ensey, chief operating officer of Dunbar Security Solutions, told Modern Healthcare. But each POS is yet another potential entry point for hackers, he said.
Have everyone on board
It’s not enough to have the latest technology. Organizations need a coordinated approach to tackling cyber break-ins. At the strategic level, hospital boards and C-suite teams should strive for a holistic security management program that ensures speedy remediation of all identified risks, continuous improvement of controls to respond to changing threats and accountability when lapses occur, Hewitt says.
“Your weakest link is always your people,” says Miri. “Unless you’re continually improving that and helping to shape and guide them, that is always going to be an issue.”
Organizations also need to be more transparent about cybersecurity risks and breaches, so that the same mistakes don’t repeat themselves, Miri says. “There’s not a quick way to share, hey, I’m under attack or, by the way, there’s a vulnerability here.”
Ongoing costs
No one’s prepared to put a dollar figure on cybersecurity, but keeping up with the changing landscape and growing number of threats will take constant investment, research, and application of new technologies to mitigate the risks.
“As the pace of security attacks increases, organizations can be expected to invest in early detection and prevention tools, but these often require higher-level security skills to optimally configure,” says Hewitt. Hospitals should have staff trained and available to operate such systems before buying them.
Return on investment can vary depending on the type of enhancement that’s made. Network segmentation and upgrades to access management, which are relatively low-cost investments, tend to have a high ROI, Hewitt says. Other technologies, such as advanced malware protection, carry a heftier price tag, but can pay off by allowing smaller IT departments to block malware infections, hence preventing a widespread breach.
As the digital environment evolves and more data is stored outside of traditional networks, new skills and technologies will also be required for end-user device encryption, database encryption and active real-time monitoring, Hewitt notes. This will drive the need for dedicated security teams to manage threats, rather than assigning security responsibilities across IT operations teams, he says.