This past July was the worst month on record for healthcare data breaches, according to the Department of Health and Human Services’ Office for Civil Rights. Records show that data breaches put 858,411 individuals at risk.
These numbers follow unsettling figures from the first half of 2018—Protenus Breach Barometer reported 3.15 million patient records were compromised in breaches during the second quarter alone. While certainly unwelcome, this news doesn’t come as a shock to the healthcare industry.
However, it does serve to raise the anxiety level, especially for provider organizations that hold troves of sensitive, personal data, such as Social Security numbers, addresses, credit cards and personal health information (PHI). A single breach can expose thousands of patient records, which puts individuals at risk of having their personal information exposed or used fraudulently. It also results in significant financial and reputational consequences for providers.
The continued rise in data breaches should remind us of the importance of remaining vigilant. With so much valuable data on the line, the “bad guys” will continue to strengthen their capabilities to hack on a progressively sophisticated scale. This means it’s critical for providers to use standard best practices to establish their security framework, including the NIST Cybersecurity Framework, HIPAA, ISO 27001, HITECH and GDPR.
In the security realm, there are many interchangeable terms, and that can create confusion regarding the security challenges we face and how to address them. To be clear, vulnerabilities are weaknesses through which incidents could happen to your data. Intrusions are actual breaches or attacks that have already happened. Intrusions may, or may not, put data at risk.
For providers, ransomware attacks, which block access to a system until a sum of money is paid, are typically the greatest concern. This type of systems intrusion may not affect physicians and their patients directly, but it will disrupt service for other functions, such as the supply chain, which can have a negative impact on patient care. There are other types of attacks that put the organization at risk as well, including phishing emails, social engineering attacks, SQL injections, DDoS attacks, among others.
When it comes to security, the primary concerns of healthcare provider CIOs are:
- Keeping patient data protected
- Keeping business data protected
- Keeping systems up and running
When an intrusion does occur and an organization’s data is exposed or lost, it can affect not only patients (PHI and PCI), but the business as well. Exposure of data, such as purchase history and pricing, can be damaging to the hospital and the industry as consumers lose faith in the industry’s ability to keep their data safe.
With this in mind, healthcare CIOs should focus on mitigating vulnerabilities:
- Getting hacked—identity thieves, employees, phishing/spamming, hacktivists, cyber-terrorism
- Exposing data—either to public or to competitors; ransoming, stealing data, looting bank accounts
- Losing data—theft, exposure, corruption, disaster recovery
- Service availability—ransomware, viruses, DDoS, corruption and the like.
CIOs should ask a few strategic questions as they develop their security strategy and framework.
Am I keeping up with potential threats?
Take a full view of technology and understand whether or not all of the right technologies are in place to prevent intrusions. This is not an easy issue to address. The landscape is changing constantly, and it’s a challenge to keep up, let alone get ahead.
Unfortunately, there isn’t a single “set it and forget it” software solution or appliance to keep you safe. Compounding the challenge is the fact that there are so many solutions on the market, and not all are created equal. Thorough due diligence and programmer awareness can help ensure that only securely coded applications are selected. That said, key software components include anti-virus, anti-malware, vulnerability scanning, penetration testing, firewalls, patch management and secure source code scanning solutions, among others.
Technology can’t do the heavy lifting alone, however. CIOs must ensure that the appropriate functional, administrative, process, physical and technical controls are also in place to protect all data, systems, processes, customers and employees to the maximum extent possible.
Is the enemy within?
The healthcare industry comprises complex systems that provide access to a lot of people. Often the biggest threat is in our own backyard. The 2018 Data Breach Investigation Report from Verizon found that healthcare is the only industry where threats from the inside are greater than those from the outside. Most internal breaches are unintentional, not malicious, but they can still wreak havoc.
With this in mind, once the technology and controls are in place, CIOs must make a clear-eyed assessment of what their employees understand about their role in the larger cybersecurity picture. Do employees appreciate the significance of their day-to-day actions? Do they know how to identify something suspicious? Will they report it, or instead click on the wrong thing and inadvertently set loose a virus? This varies widely across provider organizations, among employees and even business partners.
This same scrutiny must be given to managing relationships with the thousands of vendors and suppliers. More vendors touch electronic personal health information (ePHI) than ever before. And they are often present onsite, walking the halls of the hospital and coming into contact with both staff and patients. This dramatically increases the risk of data breaches and actual incidents. According to a report from Protenus and DataBreaches.net, 4.5 million patients were affected by a breach involving third-party vendors or business associates in 2016 alone. CIOs can mitigate this vulnerability by implementing a strong vendor management policy and using technology to automate and centralize processes. In doing so, the organization can always know with whom it’s doing business.
Though experience is the best teacher by far, education should be a cornerstone for every provider organization. Provider organizations should properly train staff and business partners on their role in protecting the organization and on the warning signs to look out for. Wherever possible, CIOs must lobby for and secure budgets that allow for frequent training programs and recertification plans for all technologists in the organization.
Are you prepared for when ‘that day’ comes?
After an incident is resolved, too often we all breathe a sigh of relief and go back to business as usual, relying on our systems, controls and people. But preparation is everything.
The healthcare industry needs to put greater focus on conducting a post-mortem of its security incidents: How did it happen? How was it handled? We also need to prepare more thoroughly for the ‘what if’ scenarios. For example, ‘what if’ your organization falls under a relentless attack to get patient information? Can you isolate the data? Is it encrypted at all points that could be hacked? Or, ‘what if’ your organization experiences a ransomware attack? Do you have a Bitcoin account set up? Will you pay the ransom, or are you 100% backed up, allowing you to restart the system from scratch within 24 hours and resume operations?
The point is to avoid being caught flat-footed should ‘that day’ come. Conduct practice drills to ensure the right protocols and actions are in place in the event of an intrusion, and that they will be effective. This will allow your organization to respond quickly and efficiently to an intrusion.
The thing that keeps most healthcare CIOs up at night is what we don’t know. While we can’t predict the future, we don’t have to be prisoners to our fears. Now that the industry is fully immersed in the digital age, CIOs must ensure that we are taking a more comprehensive approach to cybersecurity. In this way, we can limit vulnerabilities and create a stronger line of defense that protects every stakeholder in the industry.