The Intersection of Healthcare and Cybersecurity: Protecting Patient Data
As healthcare systems become increasingly dependent on digital platforms to store data, the need to safeguard sensitive patient information has never been more important. While the emergence of telemedicine and digital records has made patient care more efficient and accessible, it also brings with it the added cybersecurity risks.
Why are healthcare organizations targeted?
Healthcare organizations tend to be targeted because they possess exactly what cyber thieves seek: high-value patient information along with intellectual property.
Thieves often will target patients’ financial information (credit cards and bank accounts) along with personal health information and Social Security numbers.
They also will seek intellectual property related to an organization's medical research.
According to the American Hospital Association, health records could sell for up to 10 times or more than stolen credit card numbers on the dark web.
Recent cyberattacks on healthcare providers
● HCA Healthcare - In 2022, a third-party storage breach affected 11 million patients in Nashville, Tenn., and had a nationwide impact.
● Medibank - The major health insurer in Australia was hit by a data breach that affected 9.7 million current and former customers in 2022.
● Change Healthcare - Earlier this year, the subsidiary of UnitedHealth Group was hit by a ransomware attack. The attack has caused major disruptions to healthcare providers across the United States.
● Anthem - In 2015, nearly 79 million people were affected after a series of cyberattacks against Anthem, Inc., the largest U.S. health data breach in history. Anthem later agreed to pay $16 million to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) to settle potential violations of HIPAA rules.
What kind of cyberattacks could providers face?
According to a report from Maryville University, here are the common threats that healthcare organizations could fall victim to:
Phishing: This occurs when a cyber criminal impersonates a trusted email source to entice users to click on a link. Once the victim clicks the link, the attacker can obtain personal information, including credit or debit card numbers and passwords.
Malware: In this kind of attack, malicious software is used to cause damage to a network.
Ransomware: This type of malware uses encryption to block access to systems. Cyber criminals then demand a ransom to release control of the system.
Denial-of-service attacks: Hackers overwhelm healthcare systems with traffic to disrupt operations.
Compromised accounts: An attacker will use stolen passwords to send malicious emails from a real account.
Improving cybersecurity
Here are some ways that healthcare organizations can improve their cybersecurity.
Train Employees on Best Practices: Recurring cybersecurity training is essential to educate all personnel on proper measures and to continually reinforce the training. Real-life hacking and phishing examples should be used, and organizations should consider simulated phishing of employees as a teaching tool. Staff need to understand the process for reporting suspicious behavior.
Implement Access Controls: Restrict access to your patients’ data and applications by requiring user authentication. Only authorized users should have access to protected health information. Also, regularly review and update access privileges, and require multi-factor authentication.
Encrypt Data: Encrypt electronic health information when transmitting across public networks.
Secure Mobile Devices: Organizations should use a mobile device management system to administer their mobile devices and ensure HIPAA compliance. Consider an enterprise mobility management system that provides secure file-sharing and authentication.
Keep Software Updated: Develop a plan for applying software updates and security patches to all systems, including desktops and mobile devices. Be sure staff members cannot install software without getting approval.
Conduct Regular Risk Assessments: Continually perform ongoing risk assessments to find potential entry points and vulnerabilities.
Implement Firewalls and Anti-Virus: Use firewalls and anti-virus software to identify potential issues.
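The access-control item above (authenticated, authorized users only; multi-factor authentication; regular review of privileges) is easiest to see as code. The following is an added example, not code from the article or from any vendor it names: a minimal least-privilege gate for protected health information that requires a completed second factor, care-team membership and a per-field role policy, writes every decision to an audit trail, and flags access grants that belong to staff no longer active. All users, roles, field names and patient data are constructed sample values.

```python
# Added example (not from the article or any named vendor): a minimal
# least-privilege gate for protected health information (PHI) that enforces
# multi-factor authentication, care-team membership and a per-field role policy,
# records every decision in an audit trail, and flags stale access grants.
# All users, roles and patient data below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]   # e.g. frozenset({"clinician"})
    mfa_verified: bool      # second factor completed for this session


@dataclass
class PatientRecord:
    patient_id: str
    care_team: Set[str]     # users explicitly granted access to this patient
    fields: Dict[str, str]  # clinical and financial data


# Per-field role policy: clinicians never see payment data, billing staff never
# see clinical notes. Any field not listed is denied to everyone by default.
FIELD_POLICY: Dict[str, Set[str]] = {
    "diagnosis": {"clinician"},
    "clinical_notes": {"clinician"},
    "insurance_id": {"billing"},
    "card_on_file": {"billing"},
}

AUDIT_LOG: List[dict] = []


def check(session: Session, record: PatientRecord, field_name: str) -> List[str]:
    """Return the list of failed controls (an empty list means access is permitted)."""
    reasons = []
    if not session.mfa_verified:
        reasons.append("mfa_required")
    if session.user not in record.care_team:
        reasons.append("not_on_care_team")
    if not (session.roles & FIELD_POLICY.get(field_name, set())):
        reasons.append("role_not_permitted_for_field")
    return reasons


def read_field(session: Session, record: PatientRecord, field_name: str) -> str:
    """Gate a PHI read; every attempt, allowed or denied, is written to AUDIT_LOG."""
    reasons = check(session, record, field_name)
    AUDIT_LOG.append({
        "user": session.user,
        "patient": record.patient_id,
        "field": field_name,
        "allowed": not reasons,
        "reasons": reasons,
    })
    if reasons:
        raise PermissionError(f"{session.user} -> {field_name}: {', '.join(reasons)}")
    return record.fields[field_name]


def denied_attempts(user: str) -> List[dict]:
    """Audit query: denied reads by one user, a starting point for spotting a compromised account."""
    return [e for e in AUDIT_LOG if e["user"] == user and not e["allowed"]]


def review_access(record: PatientRecord, active_staff: Set[str]) -> Set[str]:
    """Periodic access review: care-team grants held by staff who are no longer active."""
    return record.care_team - active_staff


# Constructed sample data.
RECORD = PatientRecord(
    patient_id="P-1001",
    care_team={"dr_lee", "bill_ann", "former_rn"},
    fields={"diagnosis": "sample-dx", "clinical_notes": "sample-notes",
            "insurance_id": "INS-000", "card_on_file": "****4242"},
)
DR_LEE = Session("dr_lee", frozenset({"clinician"}), mfa_verified=True)
DR_LEE_NO_MFA = Session("dr_lee", frozenset({"clinician"}), mfa_verified=False)
BILL_ANN = Session("bill_ann", frozenset({"billing"}), mfa_verified=True)
NURSE_KIM = Session("nurse_kim", frozenset({"clinician"}), mfa_verified=True)  # not on care team

if __name__ == "__main__":
    print(read_field(DR_LEE, RECORD, "diagnosis"))
    for s, f in [(DR_LEE_NO_MFA, "diagnosis"), (DR_LEE, "card_on_file"), (NURSE_KIM, "diagnosis")]:
        try:
            read_field(s, RECORD, f)
        except PermissionError as exc:
            print("denied:", exc)
    print("stale grants:", review_access(RECORD, {"dr_lee", "bill_ann", "nurse_kim"}))
```

Every control is checked independently and all failures are returned together, so the audit entry records why a request was refused rather than only that it was; the audit log is what turns a denied read into something a security team can review, and the access review function is the recurring step that removes grants that outlived their owner's role.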
Additional resources
The American Medical Association recently compiled a list of resources for organizations to help protect patient health records and other data from cyberattacks.
Among the resources available is the Security Risk Assessment Tool released by the U.S. Department of Health and Human Services.
The Healthcare Sector Coordinating Council also has released a new cybersecurity video series to help clinicians.
HHS has also released the Cybersecurity Framework Implementation Guide to help the public and private healthcare sectors prevent cybersecurity attacks. The guide provides specific steps that healthcare organizations can take to manage cyber risks to their IT systems.
The Department of Health and Human Services also has launched a cybersecurity website designed to help healthcare providers protect their computer systems from cyber threats.
FENEX Healthcare Consulting and Cybersecurity
This is where FĒNEX Healthcare Consulting can help! Our goal is to help healthcare organizations maximize their technologies and bandwidth so they can focus on patient care. Our consultants can conduct a security risk assessment and help you implement the latest in cybersecurity.