The question of data security has become especially critical today. Users have been actively educating themselves on these matters, governments have been strengthening their regulations related to data privacy, and enterprises have been investing in their security more than ever before.
In January 2021, the EU’s lead data regulator started an investigation of the European Parliament’s COVID-19 testing website as privacy activists filed a complaint with concerns that the site might illegally transfer the data of EU members to the US. This case vividly illustrates that even big institutions are not fully protected from security breaches, so smaller institutions, like healthcare facilities, should take security matters very seriously.
Cybersecurity is especially important in healthcare, considering the fact that hackers value medical records even more than credit cards or social security numbers. Did you know that 9.7 million healthcare records were compromised in September 2020 alone?
So how can you keep your data safe? That’s what this article is for. After reading it, you will know the basics of cybersecurity in healthcare, what data needs to be protected, and how to protect your healthcare facility from any data breaches. This full guide to cybersecurity in healthcare will familiarize you with the topic but doesn’t require prior knowledge of cybersecurity or IT.
What Is Healthcare Cybersecurity?
Cybersecurity in healthcare is about protecting electronic information from breaches, unauthorized use, and disclosure. Nowadays, technology is taking over administrative tasks and even treatment: facilities have electronic medical records (EMR), e-prescriptions, and employee and patient management systems. Even smart elevators, heating systems, and systems for remote patient monitoring are backed up by technology. All these different types of technology keep data that hackers might be interested in and therefore must be protected.
Healthcare is one of the trickiest industries to secure. Here is a list of the main reasons that hackers target healthcare facilities:
Patient Information Must Be Accessible and Shareable
Easy access to patient information by healthcare providers is the only way to make decisions quickly and precisely. Shareability means there’s consistency of information when a patient is changing their healthcare facility or department. At the same time, shareability and accessibility are exactly what threatens patient data security, as they make healthcare data an easy target.
Healthcare Information Makes Good Money on the Dark Web
While credit card numbers are worth 25 cents and Social Security numbers are worth 10 cents, patient information from EMR can fetch up to $1000. Medical history cannot be changed, so hackers may blackmail a person about their STDs or psychological conditions for life. That is one of the reasons that healthcare records are so attractive to hackers.
Medical Devices Are Easy for Hackers to Access
At first glance it does not make much sense to protect heart rate monitors: who cares how often the heart contracts? And that is correct: hackers do not care about the heart, but they do care where the monitor can take them. By gaining access to the monitor, they may move further into the network and reach medical records.
Remote Access for Staff Means Vulnerabilities
Patient care involves many people; teamwork requires communication, which does not necessarily happen at a desk. Cloud services have made it possible for healthcare workers to access information from any device, and while this has had many benefits, it creates some risks, too. If an employee logs into the system from a compromised personal device, attackers can soon have access to any information they need.
More Devices Means More Security Threats
It is hardly possible for the IT department to control every single device that is used in the hospital: there are too many. Employees are usually not educated on cybersecurity, or they are too busy with other tasks to pay much attention to it. Hackers know that and use this weakness for their own benefit.
How Will a Hacker Attack a Healthcare Institution?
So now you know some of the reasons why hackers might be interested in your data and some of the reasons why that data might be vulnerable.
So how might a hacker come after you? What should you be worried about in particular? Here are some examples of the most common security threats in healthcare.
Unattended and Stolen Devices
It does not matter how good your healthcare cybersecurity strategy is if an employee leaves their laptop or phone unattended: an attacker will have full access to any record without even trying. They may also perform an evil maid attack: while they have physical access, they alter the device so that they can access it and its data from anywhere at a later time.
Legacy Systems
A legacy system is a system that is outdated and can no longer receive updates or interact with newer technologies. Legacy systems are widely used in governmental organizations, banks, and even eCommerce. A recent report revealed that 83% of medical imaging devices are operating on legacy software.
Because it cannot receive updates, such a system cannot get protection against the newest malware (malicious software) and other threats. Hackers can easily overcome healthcare cybersecurity strategies that have remained unchanged for years.
Phishing Emails
Email is the primary communication channel for healthcare facilities; the downside is that patient data, financial information, and other sensitive data end up in the mailing system. Hackers actively use phishing to gain access to that information: they send emails posing as doctors or governmental bodies that need patient information, or they send malicious links or attachments. One infected device may then be used to infect other devices and gain control over the whole system.
According to a recent survey conducted by the Healthcare Information and Management Systems Society, phishing emails are the initial point of compromise in 69% of all data breaches in hospitals.
Third Parties
Hospitals have to worry not only about themselves but also about everyone who works with them. For example, supply chains, vendors, and pharmacies may cause data breaches, intentionally or not. In 2018, third-party vendors offering various services to healthcare providers accounted for over 20% of all data breaches in the industry.
The infographic with the recent statistics illustrates the importance of data protection in healthcare:
9 Steps Towards Data Protection in Healthcare
So now we know where some of the vulnerabilities are in healthcare systems and institutions; now the question is how we can protect healthcare facilities from data breaches caused by cyberattacks. Data protection in healthcare is a complex process that involves more than just the IT department. Here are 9 steps that a healthcare facility should take to ensure secure data storage.
Educate Medical Staff
The biggest threat to data security in healthcare is not weak security systems; rather, it is employees' negligence and lack of knowledge about cybersecurity. In fact, 21% of data breaches are the result of human negligence, followed by malware (17%), software failure (17%), and third-party malice and negligence.
Therefore, it makes sense to develop a comprehensive staff education program covering the following areas:
- Security of personal devices
- Ways to detect phishing attacks via email or SMS
- How to respond to a data breach
Restrict Access to Data and Applications
Data can be accessible and secure at the same time if you give access to the right people only. Accessibility does not mean giving access to everyone and keeping resources open; it means ensuring that those who need access actually have it.
To achieve privacy and security in healthcare while keeping data accessible, hospitals can use modern software that controls access and logs who has entered the system and when. Do not forget to revoke access for those who have been fired: ex-employees may do a lot of harm out of spite.
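The access-control step above (grant by role, log every attempt, revoke ex-employees) as a small worked example. This is added illustration code, not Langate's software or any real EMR: the in-memory `RecordStore`, the roles, the account IDs and the sample note are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role is the job function a staff account holds. Record access is granted
// by role, so offboarding is a single account-state change rather than a
// hunt through per-record permissions.
type Role string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
)

// Account is a staff login. Offboarding sets Active to false; the account
// keeps its history but can no longer read anything.
type Account struct {
	ID     string
	Role   Role
	Active bool
}

// AuditEntry records who tried to read which record, when, and whether the
// attempt was allowed. Denied attempts are logged too: repeated denials
// from one account are the signal worth investigating.
type AuditEntry struct {
	When    time.Time
	Account string
	Record  string
	Allowed bool
	Reason  string
}

// RecordStore is a constructed, in-memory stand-in for an EMR (hypothetical):
// records keyed by patient ID plus an append-only audit log.
type RecordStore struct {
	records map[string]string
	audit   []AuditEntry
	now     func() time.Time
}

func NewRecordStore(now func() time.Time) *RecordStore {
	return &RecordStore{records: map[string]string{}, now: now}
}

// Store adds or replaces a patient record.
func (s *RecordStore) Store(patientID, record string) { s.records[patientID] = record }

// ErrDenied is returned for every refused read, including reads of records
// that do not exist, so the error cannot be used to enumerate patients.
var ErrDenied = errors.New("access denied")

// allowedRoles lists the roles permitted to read clinical records.
// Billing staff never see clinical notes.
var allowedRoles = map[Role]bool{RoleClinician: true}

// Read returns the record if the account is active and its role is
// permitted, and appends an audit entry either way.
func (s *RecordStore) Read(acct Account, patientID string) (string, error) {
	entry := AuditEntry{When: s.now(), Account: acct.ID, Record: patientID}
	defer func() { s.audit = append(s.audit, entry) }()

	switch {
	case !acct.Active:
		entry.Reason = "account deactivated"
	case !allowedRoles[acct.Role]:
		entry.Reason = fmt.Sprintf("role %q not permitted", acct.Role)
	default:
		rec, ok := s.records[patientID]
		if !ok {
			entry.Reason = "no such record"
			break
		}
		entry.Allowed = true
		entry.Reason = "ok"
		return rec, nil
	}
	return "", ErrDenied
}

// AuditLog returns every access attempt, allowed or not.
func (s *RecordStore) AuditLog() []AuditEntry { return s.audit }

// DeniedAttempts is the slice the IT team reviews.
func (s *RecordStore) DeniedAttempts() []AuditEntry {
	var denied []AuditEntry
	for _, e := range s.audit {
		if !e.Allowed {
			denied = append(denied, e)
		}
	}
	return denied
}

// Offboard deactivates an account instead of deleting it, so past audit
// entries stay attributable to a real person.
func Offboard(acct *Account) { acct.Active = false }

func main() {
	store := NewRecordStore(time.Now)
	store.Store("p-001", "constructed sample note: follow-up in two weeks")

	doctor := Account{ID: "dr-a", Role: RoleClinician, Active: true}
	billing := Account{ID: "b-1", Role: RoleBilling, Active: true}

	store.Read(doctor, "p-001")  // allowed
	store.Read(billing, "p-001") // denied: wrong role
	Offboard(&doctor)
	store.Read(doctor, "p-001") // denied: ex-employee

	for _, e := range store.AuditLog() {
		fmt.Printf("%s account=%s record=%s allowed=%t reason=%s\n",
			e.When.Format(time.RFC3339), e.Account, e.Record, e.Allowed, e.Reason)
	}
}
```

Two design choices carry the point of the section: denied reads are written to the same log as allowed ones, because a burst of denials from one account is how a stolen credential or a disgruntled ex-employee shows up, and offboarding deactivates rather than deletes, so the log stays attributable.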
Encrypt Data During Storage and Sharing
Data encryption is the process of converting readable data into ciphertext. The ciphertext is unreadable by humans, and only devices that hold the encryption key can turn it back into a readable format.
Encryption is one of the safest ways to secure data: even if hackers gain access to the information, they will not be able to read it. HIPAA, for instance, does not mandate encryption, but it does give recommendations; in particular, it suggests that facilities define what data should be encrypted and how.
In 2019, lack of encryption led a medical center in New York to a US$3 Million HIPAA penalty. A laptop belonging to a hospital employee, containing the ePHI of 43 patients, had been stolen, which caused a disclosure of unencrypted data.
Secure Mobile Devices
According to Verizon’s Mobile Security Index report, 25% of healthcare organizations have admitted that they have suffered from a mobile-related breach.
Medical staff use their personal mobile devices more and more often because it is easier to access information from anywhere; one does not have to search for a computer but can find needed data wherever they are.
At the same time, personal mobile devices are a threat to the privacy and security of health information because the IT department does not have control over them. There are several measures one has to take for mobile device protection:
- Require staff to use strong passwords
- Ensure that lost devices can be locked and data can be deleted remotely
- Encrypt data
- Require staff to use pre-defined secure applications
- Require staff to use security software on the mobile devices
- Utilize biometric authentication
Mitigate Connected Device Risks
As we discussed earlier, common devices such as heart rate monitors, smart elevators, A/C systems, and cameras are a threat to patient information security that no one thinks about. In order to keep such devices secure, try to:
- Create a separate network for such devices
- Monitor their activity and investigate when you see unusual behavior
- Disable non-essential features on these devices
- Update and install security patches on such devices as you would do on laptops or tablets
Conduct Regular Risk Assessment
Risk assessment is about finding weaknesses before a breach happens. The IT team should check the facility's security systems and assess the security of supply chain partners to find and eliminate vulnerabilities before they turn into compromised sensitive data. It is the only way to avoid a ruined brand image and fines for compromising patient records (fines that can reach up to 10 million euros).
Create Data Backup at an Offsite Location
Data backup at an offsite location has a wide range of advantages: facilities can easily restore data if a natural disaster or system crash occurs, and they will be able to recover from data breaches faster.
However, the offsite location needs to be secure, meaning encrypted data and very restricted access.
Assess Security of Business Associates
It does not matter whether it is the fault of a business associate that patient data was compromised: you will still be held responsible for not taking care of that data. Therefore, it makes sense to check whether your business associates are compliant with data regulations and can ensure the safe handling of sensitive patient data.
Utilize Multiple Levels for Data Security
Security systems usually have several defense layers, including healthcare network security, personal device security, antivirus software, and firewalls. A hacker has to make their way through these layers before they can gain access to the information. The layering gives time for the IT department to notice that the system is being attacked and do something about it.
Langate Case Study
Langate has 17+ years of experience in developing solutions for data protection in healthcare. During that time, we have perfected the process of creating HIPAA- and GDPR-compliant solutions and become experts on the main vulnerabilities of healthcare software.
We used all of this knowledge while developing a Patient Data ETL and Analysis platform for one of our clients. Since the solution is all about data, we had to pay special attention to the security of the platform.
Our stable and highly protected solution has helped the client extend the average duration of cooperation with healthcare facilities to up to 6 years and increase the customer base by 45% compared with the previous year.
Cybersecurity is essential for healthcare since medical records contain far more valuable information than Social Security or credit card numbers.
In the article, we’ve discussed 9 steps that a facility can take to ensure better healthcare data security. Now you know that developing a strong security strategy with a focus on educating personnel and implementing innovative software can significantly minimize the risks of data breaches.
If you need a technical solution for protecting your network, contact Langate. Our vast experience and project managers will take care of all the details.