Electronic patient data drives healthcare security concerns
It’s undeniable that the increasing use of digital technologies has transformed the way the healthcare industry operates and cares for patients. The adoption of electronic health records has digitized patient data and greatly increased its accessibility. Physicians can now access lab results, patient histories and more from virtually anywhere in the world.
Unfortunately, so can cybercriminals. In 2014, Reuters reported that medical information is worth 10 times more than financial data on the black market. And, as security professionals know, cybercriminals follow the money — and the data.
There are many healthcare security concerns that accompany the exciting innovation and new technology in medicine. The following are five cyber risks organizations need to consider as they continue their digital transformation:
1. Mobile devices
In addition to servers and desktops, healthcare data now resides on laptops, smartphones and tablets. Physicians themselves are highly mobile, moving between exam rooms, hospitals and their own offices. Mobile devices allow them to access health data regardless of where they happen to be, which can mean faster and more accurate diagnoses. However, it also means the data is at greater risk of theft or loss. Mobile devices must be secure and data must be protected in case it falls into the wrong hands.
2. Malicious insiders
Most industries focus on limiting data access, but in healthcare, the focus is on increasing data availability across workflows. These workflows can touch a variety of organizations, such as physicians’ offices, insurance companies and health information exchanges. Even within the healthcare organization itself, controlling and monitoring access is a challenge. In case of an emergency, physicians need immediate access to every patient record. This makes it difficult to monitor access and identify anomalous activity, be it malicious or accidental.
3. Compromised user credentials
Phishing attacks are growing increasingly sophisticated, according to HealthITSecurity. Typos and spelling errors are becoming less commonplace, and the messages look and sound legitimate. As a result, it’s becoming more difficult to spot a phony message, especially when healthcare providers are working quickly to maximize their time with patients. And it doesn’t take much — according to BankInfoSecurity, the 2014/2015 attack on a health insurer that compromised up to 80 million individuals’ personally identifiable information was believed to begin with phishing emails to a handful of employees.
4. Ransomware
Cybercriminals aren’t the only ones willing to pay for healthcare data. Healthcare organizations themselves will also pay a hefty price if it means regaining access to encrypted files that could otherwise be lost. Healthcare organizations are increasingly being targeted with ransomware, malicious software that blocks access to data or services until the victim pays a ransom. In fact, Becker’s Health IT & CIO Review found that 88 percent of ransomware attacks hit hospitals.
5. Device tampering
As more and more medical devices go online, the risk of a service disruption or compromised device increases, and the results could be devastating. In 2015, for example, Health IT Outcomes reported that the Food and Drug Administration issued an alert regarding vulnerabilities in an infusion pump that could allow cybercriminals to override medication delivery controls. In addition to causing physical harm, the hacked devices could serve as a backdoor into hospital networks.
Though patients and healthcare providers alike can benefit from digitization, healthcare organizations face their fair share of security issues. As an industry, healthcare is often much slower than others to adapt to technology trends, and when it comes to healthcare security, organizations may have some catching up to do.