October 8, 2015 By Douglas Bonderud 4 min read

Health care technology is rapidly evolving, with wearables and smart devices finally making progress toward pushing out paper charts and faxed documents. Despite the backing of many clinics, hospitals and even government agencies, however, the electronic personal health information (ePHI) market isn’t without issue.

Cybercriminals now realize the value in these records, and as recent data breaches demonstrate, health agencies aren’t always up to the security challenge. The situation demands a second opinion: What should health care companies expect for cybersecurity now and in the future?

Chronic Issues With Health Care Technology?

When it comes to high-value data, ePHI tops the list. As noted by CSO Online, in fact, health care companies are three times more likely to experience data theft. Why? Because the kind of information collected by health agencies is not only personal but in large measure immutable. While criminals are happy to run across financial information such as credit card or bank account numbers, they know accounts are easily closed and credit agencies quickly alerted. Things like Social Security numbers, permanent addresses and dates of birth are much harder — if not impossible — to change, giving malicious actors the ability to cause more than just superficial harm.

What’s more, evolving health care technology has spawned a myriad of attack vectors. Consider the recent warning issued by Molina Healthcare when it was discovered that one of its former employees stole more than 54,000 pieces of PHI to exploit for over-the-counter products. Or the $750,000 settlement reached by the Department of Health and Human Services Office of Civil Rights with a health care firm whose employee had a corporate laptop and server backup stolen from a personal vehicle.

There’s more: According to Tech Times, a recent federal audit found cybersecurity measures at Healthcare.gov severely lacking. Issues ranged from the government’s MIDAS storage system not encrypting user sessions to not conducting automated vulnerability checks.

The bottom line? Patients and health care professionals have high expectations for cybersecurity both now and in a device-enabled future, but current methods simply aren’t up to the task. Instead, data breaches and accidental data loss are chronic, painful issues for both stakeholders and government legislators.

Managing Meds

If current methods aren’t effective, what’s the next course of treatment? A recent KPMG study found that part of the problem may stem from closed corporate pocketbooks: Just 53 percent of companies say they’re ready to defend against an attack thanks to consistent underspending on cybersecurity. Even worse, 25 percent of survey respondents said they either “don’t have or don’t know their capabilities” when it comes to cyberdefense. Simply put, more spending won’t go to waste; health agencies must be willing to budget for more than bare-bones security.

Healthcare IT News also had some suggestions. While some of the “most wired” health companies have already rolled out measures like high-performing intrusion detection systems and incident response drills, there’s still room for improvement. For example, the use of end-to-end data encryption along with comprehensive access management controls such as two-factor authentication could significantly reduce the chances of data loss or breach.

Current health security also gets a boost from broadly applying even simple tech policies such as updating machines when new patches or security fixes are released. Some companies don’t bother with automatic updates on the grounds that system performance slows down, while others worry about new versions compromising the functionality of older applications and software. The problem? Known vulnerabilities are often used by attackers to gain access.

According to The Register, in fact, tens of thousands of medical devices are “directly hackable” thanks to bugs that were reported to companies months ago. Regularly updating is an easy fix for apps designed by reputable third-parties since they have a vested interest in keeping their code clean.

Symptomatic Security

So what does the future hold for health care technology and cybersecurity? Wireless connectivity of mobile and wearable devices is now everywhere, and it includes everything from sensors and trackers to drug pumps and artificial hearts. But just like the auto industry before it, health care is struggling to understand the implications of always-on technology and its potential for exploitation. As noted by the Becker Hospital Review, there’s no silver bullet to cure health care IT threats; instead, companies need to develop an organic strategy that both supports their existing network and allows for expansion along multiple paths.

When it comes to devices connected to the Internet of Things, for example, companies must focus on common symptoms of compromise, which could help inform IT security as a whole. While device types may differ, attackers often focus on particular exploits or groups of exploits over a given time period to break through defenses. By creating a symptomatic model of detection and response, health care providers can focus on stopping what comes after common precursors rather than diagnosing the same problem time after time.

Managing future risk, meanwhile, speaks to a need for improved patient/caregiver dialogue. As intelligent applications and wearable devices become the norm, patients gain a more active role in their own treatment and therefore greater ownership of their own data. Without training in how to effectively manage that data, however, patients may become the weakest link, breaking the chain and leaving health care companies on the hook for cleaning up the mess. By taking a collaborative approach to data security and defense, it’s possible to form a united front against malicious actors rather than present what amounts to a broken immune system.

Health care security isn’t on life support, but a second opinion is worthwhile. By handling chronic issues, managing current pain points and addressing future symptoms, there’s hope for a full recovery.

More from Healthcare

Cost of a data breach 2023: Healthcare industry impacts

3 min read - Data breaches are becoming more costly across all industries, with healthcare in the lead. The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year. Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and…

Cyberattackers target the Latin American health care sector

3 min read - Cyberattacks on the healthcare sector are a growing threat in Latin America, and the large amount of confidential data these organizations handle makes these attacks a top concern. The value of healthcare data in the illegal market, such as the personal, medical and financial information of patients and healthcare companies, creates an appealing target for threat actors. This can have serious consequences for the privacy and information security of these organizations. Cyberattacks could lead to reputational risks, interruption of operations,…

Increasingly sophisticated cyberattacks target healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today