It has become increasingly clear that cybersecurity is a risk factor for health care data. Data breaches cost the health care industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.
In a whitepaper entitled The Rampant Growth of Cybercrime in Healthcare, health IT advisor organization Workgroup for Electronic Data Interchange (WEDI) reported that these attacks are becoming increasingly difficult to identify, prevent and mitigate.
“Chronic underinvestment in cybersecurity has left many so exposed that they are unable to even detect cyberattacks when they occur,” the report stressed. “While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.”
As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in health care is on the rise.
Cybersecurity challenges in health care
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Verizon’s 2016 Data Breach Investigations Report found that most breaches are about money and attackers usually take the easiest route to obtain the information they need. Consequently, many common threats continue to be problematic in health care, including:
- Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded in exchange for undoing the encryption.
- Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of health care organizations.
- Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
- Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from users.
- Encryption blind spots: While encryption is critical for protecting health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
- Employee error: Employees can leave health care organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.
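The "misleading websites" threat above can be screened for mechanically. The following is an added example, not code from the article or from WEDI or HealthIT.gov: it classifies a link against a constructed allow-list of trusted domains and flags the .com-for-.gov swap the article describes, as well as one-character misspellings of a trusted name. The domain list and test URLs are made-up sample values.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains this organization treats as legitimate
# (example values, not taken from the article).
TRUSTED_DOMAINS = {"healthit.gov", "hhs.gov", "example-hospital.org"}


def edit_distance(a, b):
    """Plain Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Return (second-level label, top-level label) for a host, or None."""
    labels = host.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else None


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a URL.

    'lookalike' covers the TLD swap described in the article (same
    second-level label, different TLD such as .com instead of .gov) and a
    one-character misspelling of a trusted second-level label.
    """
    host = urlparse(url if "://" in url else "http://" + url).hostname
    parts = registrable(host) if host else None
    if parts is None:
        return "unknown"
    sld, tld = parts
    if f"{sld}.{tld}" in trusted:
        return "trusted"
    for t in trusted:
        tsld, ttld = registrable(t)
        if sld == tsld and tld != ttld:
            return "lookalike"
        if edit_distance(sld, tsld) == 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links: one legitimate, two lookalikes, one unrelated.
    for link in ("https://www.healthit.gov/topic", "https://healthit.com/login",
                 "https://example-hospltal.org/portal", "https://unrelated-site.net"):
        print(link, "->", classify_link(link))
```

A check like this is a cheap first filter for links in inbound mail or a web proxy log; it is not a substitute for user training, since attackers can register names that differ by more than one character.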
Another growing threat in health care security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems. To ensure patient safety, the U.S. Food & Drug Administration recommended that both the manufacturer that creates the device and the health care facility that implants it take preventive security measures.
Strategies for improving cybersecurity
Due to the significant financial impact of data breaches in health care, health informatics and other professionals are playing an important role in ensuring that medical organizations remain secure.
According to HealthIT.gov, individual health care organizations can improve their cybersecurity by implementing the following practices:
1. Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
2. Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
3. Maintain good computer habits: New employee onboarding should include training on best practices for computer use, including software and operating system maintenance.
4. Use a firewall: Anything connected to the internet should have a firewall.
5. Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
6. Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations should consider storing this backed-up information away from the main system if possible.
7. Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
8. Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved default, weak or stolen passwords. Health care employees should not only use strong passwords, but ensure they are changed regularly.
9. Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
10. Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.
In addition to these recommendations, health data professionals are continually developing new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.