Over the past decade, digital technologies have radically transformed the healthcare industry, and the global pandemic has accelerated the shift to digital data and processes. At the same time, healthcare's ability to protect patient privacy has come into question.
Electronic protected health information (ePHI) is extremely sensitive, and it is at risk: almost every clinic and hospital handles it across a variety of digital systems. Providers such as physicians and pharmacists use electronic health records (EHRs) and other software that processes medical information, and this data is a very tempting target for cybercriminals.
Attacks on medical infrastructure are becoming more frequent, and the damage from ransomware is growing fast. This article looks at what healthcare providers should be wary of and how to protect patient data from cybercriminals.
What Cyberattacks Are The Biggest Concern For Healthcare?
Due to the nature of medical data, cybersecurity in healthcare has become a unique challenge. For example, you can block a stolen bank card and get a new one. But if information about laboratory tests or diseases is leaked, it is impossible to “cancel” it. In addition, failures in clinical electronic systems endanger a patient's health and potentially even their life.
The difficulty lies in the fact that there are many networks and digital complexes in any clinic or hospital: EHRs, e-prescribing and decision support systems, intelligent heating, ventilation, and air conditioning (HVAC), infusion pumps, medical internet of things (IoMT) devices, etc. All of them can be threatened by cybercriminals.
Healthcare providers and their business partners also have to balance protecting patient privacy, providing quality care and complying with HIPAA, GDPR and other regulations. This makes it harder to implement security measures, and cybercriminals rush to take advantage of it.
According to Deloitte experts and other cybersecurity consultants, the following threats are primary concerns for healthcare facilities:
• Phishing: Links or attachments in phishing emails, social media posts or text messages infect computer systems with malware that often spreads across the clinical network.
• Man-in-the-middle (MITM) attacks: Cybercriminals inject themselves into conversations or data transfers and steal confidential (and very valuable) user information, causing severe losses and penalties for a confidentiality breach.
• Attacks on network vulnerabilities: Address Resolution Protocol (ARP) cache poisoning, HTTPS spoofing and similar attacks target the vital bastion of medical centers, the wired and wireless networks that provide access to patient information.
• Ransomware: Criminals not only encrypt data and extort money for decryption but also block access to the entire clinical system, paralyzing equipment used for surgical operations and life support.
What Healthcare Can Do To Prioritize Cyber Threat Prevention
Here are some safety measures the medical sphere can take to secure ePHI by protecting devices, digital systems, networks and data from attacks:
1. Personnel training
The lack of IT security skills poses major threats to healthcare. According to an IONOS Cloud study, 40% of employees do not have cybersecurity expertise or knowledge of data protection. Therefore, professional and regular training on cybersecurity is essential. Employees should:
• Be able to recognize phishing emails, including targeted ones (messages directed at specific persons, which are usually more effective).
• Back up data: Cyberattacks can damage and delete valuable patient information, so employees must regularly create backups with strict controls on data encryption.
• Use digital hygiene practices: create strong passwords, don't click on unknown or suspicious links, etc.
2. Data usage control
Clinics should control and monitor malicious file activity. They can do this by implementing systems that block unauthorized actions on data, prevent unauthorized sharing by email, prohibit copying to external sources, etc. It is also essential to:
• Log data access so that unauthorized actions on patient files can be identified quickly. In a cyberattack, the logs help a clinic establish the breach swiftly and eliminate it.
• Implement strict access rights: They protect patient data from unauthorized operations, so passwords/PINs, cards and keys, and face, fingerprint or retina recognition are necessary.
• Use advanced cryptography for data encryption during transmission and storage. It can be homomorphic encryption, secure multiparty computation or distributed ledger technologies.
• Leverage bring your own key (BYOK) techniques for the cloud and other intelligent environments.
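The two points above on logging and strict access rights can be put into practice as a small detection routine over EHR audit logs. The following is an added example and is not code from the article or from any particular EHR product; the log format, the role names, the allowed-role policy and the per-role thresholds are all assumptions, and the log lines are constructed. It runs two checks: whether the role opening a record is permitted at all, and whether a user opens more distinct patient records inside a ten-minute window than their role would normally need (a common sign of snooping or bulk export).

```python
"""Detect suspicious access to patient records from EHR audit logs.

Constructed example (not from the article): each audit line has a
timestamp, user, role, patient id and action. Two checks are run:
  1. role check: only roles in ALLOWED_ROLES may open clinical records;
  2. volume check: a user opening more distinct patient records within
     WINDOW than a role-specific limit is flagged (snooping / bulk export).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2023-05-02T08:01:10Z user=dr_lee role=physician patient=P1001 action=VIEW
2023-05-02T08:03:42Z user=dr_lee role=physician patient=P1002 action=VIEW
2023-05-02T08:05:03Z user=frontdesk1 role=reception patient=P1003 action=VIEW
2023-05-02T08:10:11Z user=bill_kim role=billing patient=P2001 action=VIEW
2023-05-02T08:10:15Z user=bill_kim role=billing patient=P2002 action=VIEW
2023-05-02T08:10:19Z user=bill_kim role=billing patient=P2003 action=VIEW
2023-05-02T08:10:22Z user=bill_kim role=billing patient=P2004 action=VIEW
2023-05-02T08:10:27Z user=bill_kim role=billing patient=P2005 action=VIEW
2023-05-02T08:10:31Z user=bill_kim role=billing patient=P2006 action=VIEW
2023-05-02T09:30:00Z user=nurse_ali role=nurse patient=P1001 action=VIEW
"""

# Roles allowed to open clinical records (assumed policy, not the article's).
ALLOWED_ROLES = {"physician", "nurse", "billing"}

# Max distinct patients a role may open inside WINDOW before alerting (assumed).
MAX_DISTINCT_PATIENTS = {"physician": 40, "nurse": 30, "billing": 5}
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one audit line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if {"user", "role", "patient", "action"} - set(fields):
        return None
    fields["ts"] = ts
    return fields


def analyze(log_text):
    """Return a list of (alert_type, user, detail) tuples, in log order."""
    alerts = []
    # Per-user history of (timestamp, patient) record openings.
    opens = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["action"] != "VIEW":
            continue
        if ev["role"] not in ALLOWED_ROLES:
            alerts.append(("unauthorized_role", ev["user"],
                           f"role {ev['role']} opened {ev['patient']}"))
            continue
        history = opens[ev["user"]]
        history.append((ev["ts"], ev["patient"]))
        # Distinct patients this user opened inside the trailing window.
        cutoff = ev["ts"] - WINDOW
        recent = {p for t, p in history if t >= cutoff}
        limit = MAX_DISTINCT_PATIENTS[ev["role"]]
        if len(recent) > limit:
            alerts.append(("volume_anomaly", ev["user"],
                           f"{len(recent)} distinct patients in {WINDOW} (limit {limit})"))
            # Reset so one burst yields one alert rather than one per record.
            history.clear()
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log this reports the reception user opening a record their role does not permit, and the billing user opening six different patient records in under a minute. In a real deployment the thresholds would be derived from each role's observed baseline rather than guessed, and the alerts would be written to the SIEM rather than printed.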
When introducing data controls, medical organizations must comply with the requirements for protecting sensitive information. According to HHS HIPAA guidance, which ePHI is subject to encryption and decryption must be defined in advance, and cryptographic techniques have to be selected based on reasonable necessity and appropriateness to prevent unauthorized access to data.
3. Monitoring of mobile and connected devices
Mobile phones, apps and IoMT devices have become standard tools for doctors and administrative personnel. However, they are another disturbing vulnerability: attackers steal information, passwords and the smartphones themselves, hack connected devices, eavesdrop on them and even reconfigure them.
To protect remote monitoring services, mobile data and IoT systems, clinics should:
• Create a separate network for IoMT devices, monitor them for sudden changes in activity levels and disable (or remove) nonessential ones.
• Use multi-factor authentication, application data encryption and remote locking of lost or stolen phones.
• Regularly update software, including safety applications and medical sensor control systems.
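The first item above, a separate network for IoMT devices monitored for sudden changes in activity, can be checked continuously with per-device flow summaries. The example below is added here and is not the article's or any vendor's code; the flow records, the 10.50.0.0/24 address range assumed for the IoMT segment, the spike ratio and the baseline length are all constructed assumptions. It flags a device that contacts a host outside its segment, a device whose message rate jumps far above its own baseline, and a device that goes silent.

```python
"""Monitor IoMT device activity for segment violations and sudden changes.

Constructed example (not from the article): a collector emits one record per
device per minute as (minute, device_id, destination_ip, message_count).
Two checks are run:
  1. segmentation: a device talking to a host outside ALLOWED_NETS is flagged;
  2. activity change: the minute's count is compared with the median of the
     device's earlier minutes; large spikes and silence are flagged.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow records (not real data).
SAMPLE_FLOWS = [
    (0, "infusion-01", "10.50.0.10", 12), (1, "infusion-01", "10.50.0.10", 11),
    (2, "infusion-01", "10.50.0.10", 13), (3, "infusion-01", "10.50.0.10", 12),
    (4, "infusion-01", "10.50.0.10", 180),  # sudden spike in traffic
    (0, "monitor-07", "10.50.0.10", 30), (1, "monitor-07", "10.50.0.10", 29),
    (2, "monitor-07", "10.50.0.10", 31), (3, "monitor-07", "10.50.0.10", 0),  # went silent
    (4, "monitor-07", "10.50.0.10", 30),
    (2, "pump-03", "10.50.0.10", 8), (3, "pump-03", "203.0.113.9", 8),  # off-segment host
]

# Destinations an IoMT device may talk to (assumed: its own segment and gateway).
ALLOWED_NETS = [ip_network("10.50.0.0/24")]
SPIKE_RATIO = 5.0        # alert when count > baseline * ratio (assumed threshold)
MIN_BASELINE_POINTS = 3  # earlier minutes needed before judging a device


def check_segment(device, dst):
    """Return an alert tuple if dst lies outside every allowed network."""
    addr = ip_address(dst)
    if any(addr in net for net in ALLOWED_NETS):
        return None
    return ("off_segment", device, f"contacted {dst}")


def check_activity(device, history, count):
    """Compare this minute's count with the median of the device's history."""
    if len(history) < MIN_BASELINE_POINTS:
        return None
    baseline = median(history)
    if baseline > 0 and count == 0:
        return ("went_silent", device, f"0 msgs vs baseline {baseline}")
    if count > baseline * SPIKE_RATIO:
        return ("activity_spike", device, f"{count} msgs vs baseline {baseline}")
    return None


def analyze(flows):
    """Walk the records in time order and return alert tuples."""
    alerts = []
    history = defaultdict(list)  # device -> per-minute counts seen so far
    for minute, device, dst, count in sorted(flows):
        seg = check_segment(device, dst)
        if seg:
            alerts.append(seg)
        act = check_activity(device, history[device], count)
        if act:
            alerts.append(act)
        history[device].append(count)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

The baseline is the device's own median, so a noisy monitor and a quiet pump each get a threshold that fits them; the silence check matters because a device that stops reporting may have been reconfigured or taken off the network, which the article lists among the risks to connected devices.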
How To Maintain Protection Against Cyber Threats
HIPAA and similar regulations require healthcare providers to have a workable data protection strategy. But creating a “Doomsday Action Plan” and regularly assessing risks is not a concession to regulatory requirements; it is the only reasonable choice.
A proactive approach to privacy and information protection is expressed in creating an incident response plan with clear roles and responsibilities, conducting regular risk assessments and implementing so-called cybersecurity frameworks (CSFs). These are guides that help healthcare organizations reduce cybersecurity risks and maintain the data management process. A vivid example of such a guide is the NIST Cybersecurity Framework.
Working as road maps for securing IT systems, CSFs help clinics detect, respond to, identify and prevent threats and their consequences. These frameworks focus on:
• A description of the current security situation, the target posture and the communication of risks.
• The definition of methods for fighting cyberthreats.
• A plan of constant improvements.
Naturally, a framework is a living document that needs updating, and staff must learn it as it is adopted. However, by treating cybersecurity as a value proposition and formulating clear action plans, healthcare organizations can meet cybercriminals fully armed and give them a worthy response.
The post, Cybersecurity And Data Protection In Healthcare, appeared on Forbes Technology Council and was authored by Evgeniy Altynpara, Forbes Councils Member.