Data theft within the healthcare sector continues to skyrocket, led by third-party data breaches and phishing attacks. Halfway through 2019, the number of patient records breached already exceeds the 2018 number by more than 10 million. Perhaps most concerning, many of the breaches lasted weeks or months before they were discovered.
Many health executives lack direct technology experience relevant to the healthcare industry, according to a Black Book Research survey of 308 executives. In fact, the survey found that many do not have a thorough understanding of the challenges and risks associated with security breaches or the far-reaching impacts of a large-scale breach.
In the face of this daunting problem, many healthcare professionals adopt a one-at-a-time approach to addressing security challenges. When a problem arises, companies hire IT consultants to address the breach and safeguard the system before returning to business as usual. Because these consultants take a narrow approach to cybersecurity, they often lack a thorough understanding of the unique vulnerabilities facing a particular healthcare system. Unlike consultants, dedicated IT professionals typically have the broad organizational knowledge needed to detect gaps in security and address cybersecurity threats on an ongoing basis.
Moving forward, the healthcare sector must mature its approach to security in order to keep pace with hackers. Dedicating the needed financial resources is an important first step, but it won’t be enough as wrong-doers are increasingly adept at exploiting gaps in protection. Consider that a shocking 31 million patient records were breached in the first half of 2019, more than doubling the total for the entirety of 2018.
The reality is that many cybersecurity experts believe breaches are a foregone conclusion for most healthcare organizations, and the C-suite should prepare accordingly by addressing the most common gaps including:
Phishing scams: Exploiting unsuspecting employees
Phishing scams rely on email communications that seek to gather personal user information, gather valuable credentials or direct users to malicious websites. A single user who falls for the scam can put an entire organization at risk, which places humans in a contradictory position: they can be the weakest link in the system or the greatest security tool in the arsenal.
Phishing scams have become quite elaborate, making it difficult for employees to detect dangerous requests. To combat the problem, healthcare organizations must continually educate their employees about the newest developments, understanding that a one-off effort to train employees will never be sufficient.
Third-party risk: The need for greater oversight
Healthcare organizations interact with countless third-party vendors, each of which represents another point of vulnerability for patient data. When a client, vendor, or consultant for an organization suffers a breach of its own, data belonging to the connected entities is also exposed. Statistics suggest that after Target suffered a major data breach in 2013, this kind of attack — compromising a single vendor in order to gain access to a larger company — increased in frequency.
A 2019 study reports that 56 percent of healthcare organizations have experienced a security breach as a result of a third-party vendor. In the same study, about 80 percent of respondents indicated the need to assess vendor risk, while only 36 percent believed their companies were successfully doing it.
Awareness offers the best possible safeguard against this kind of breach. In the case of the Target attack, the company’s HVAC vendor had access to more information than it required. Begin by assessing which vendors are mission-critical to your process, and then assess what kind of data each is handling. Organizations that have a clear picture of vendor involvement will be better positioned to address risks and protect against attacks.
Internet of Health Things: Expanding threats
Internet of Health Things (IoHT) allows healthcare professionals to connect ordinary devices like wearables to the internet for purposes of collecting data, gaining insights into trends, enabling remote care, and empowering patients to manage their own health. Devices like continuous glucose monitors, smart inhalers, and even ingestible sensors allow providers to monitor patient care virtually through the use of internet connectivity.
The challenge, of course, is the threat to privacy and security posed by these kinds of devices. In one widely known security breach, a flaw in implanted pacemakers allowed affected devices to have their batteries drained by remote attackers.
Because the growing number of devices increases the surface area susceptible to attacks, organizations must build powerful partnerships that help them identify effective solutions. They must engage with organizations that can help them understand where data will be stored, how those devices will connect to the network and who will have access to the data.
Moving toward optimal oversight
The Black Book survey reported that 88 percent of respondents had no knowledge of healthcare cybersecurity risks, and none were prepared to handle a large-scale breach. It’s notable that although companies report dedicating more resources to cybersecurity, many of those same organizations acknowledge that they won’t know how to respond when an actual breach happens.
Protection begins with healthcare executives, who must understand the importance of cybersecurity. A 2016 Ponemon study reported that a healthcare data breach can cost about $1,000 per stolen record as a result of regulatory fines, customer notification costs, business downtime, and customer turnover.
One-size-fits-all solutions won’t protect from data breaches because the gaps in each organization vary according to a number of factors. Companies that seek right-sized solutions will better address their specific challenges without paying for protections they don’t require.
About Sean Nobles
Sean Nobles is president of NaviSec, a veteran-owned IT security firm. He holds OSCP, NSE4 and CCNP certifications in network security and has spent more than 20 years in the service provider, military, financial services, value-added reseller and call center industries. He is a combat veteran of the U.S. Marine Corps.