Health care is under siege from cybersecurity threats. As noted by Healthcare IT News, another large-scale health insurance vendor recently shuttered its patient portal to deal with vulnerabilities that exposed personal data. Meanwhile, Beta News reported that 43 percent of all data breaches in the U.K. come from the health care sector.
Now, the U.S. Department of Health and Human Services (HHS) is taking aim at the “critical condition” of health care cybersecurity with a new set of guidelines and recommendations to improve overall efficacy. Here’s a first look at this new technology treatment plan.
While the total number of leaked health care records fell in 2016 and is expected to decline again in 2017, breaches are on the way up — 328 were reported in 2016, up from 268 the year before, according to The Register. What’s more, the cost of individual records recently topped $400, making these attacks both expensive and time consuming for health agencies to handle.
According to CSO Online, emerging threats such as the WannaCry ransomware only make matters worse. Doctors have been blocked from accessing critical files, and emergency rooms have been forced to send away injured patients.
Part of the problem is a lack of solid email authentication practices, making it possible for a single user to accidentally infect health care networks and take critical services offline. Combine these risks with increased patient demand for anytime, anywhere access to data, and it’s no surprise that health care remains a top target for fraudsters.
Cracking Down on Health Care Cybersecurity
Two years ago, the Cybersecurity Act of 2015 passed as the U.S. government rolled out massive omnibus legislation. Section 405D tackled the issue of “aligning health care industry security approaches” and mandated the HHS secretary lead a task force to establish best practices for cybersecurity in health care.
As noted by Cyber Scoop, this initiative got off the ground in late May with an “information day” to start putting together the group and defining key strategies — which, according to the legislation, must be consistent with the NIST Cybersecurity Framework and all security provisions of HIPAA. It’s a critical task, since “the sector is looking to HHS,” as Julie Anne Chua, from the department’s chief information officer’s office, pointed out. Given the massive impact of WannaCry on Great Britain’s own National Health Service (NHS), health care cybersecurity is now a hot-button issue worldwide.
According to Health IT Security, the new task force has already drafted its first report to Congress, which includes six key recommendations:
- Define and streamine leadership, governance and expectations. With cyberattacks growing increasingly sophisticated and HIPAA legislation becoming more complex, it’s critical for health care companies to have clear reference points for leadership, governance and compliance best practices.
- Increase the security and resilience of medical devices and health IT. As noted by HIT Consultant, there’s a huge market for medical wearables — almost 50 percent of Americans over 65 would wear mobile medical devices to track vital signs. Health care needs a way to proactively secure these devices against accidental compromise or malicious attacks.
- Develop the health care workforce’s capacity to meet new challenges. Much like cybersecurity as a whole, health care IT is facing a skills gap. The report recommended developing the capacity to both increase cybersecurity awareness and improve technical capabilities.
- Increase health care industry readiness for cybersecurity challenges Here, the emphasis is on education to address the risk of employees accidentally opening malware-laden emails or clicking infected links.
- Protect research and development efforts as well as intellectual property. As cloud and big data technology becomes paramount for health care industry success, organizations need effective ways to safeguard new projects and ensure that new solutions aren’t compromised before they go live.
- Improve information sharing across the industry. Health care firms are understandably reticent to share their security weaknesses or disclose breach details, but the report argued that increased sharing among private companies and public agencies will help shore up cybersecurity defense.
Of course, this is just a starting point for health care companies. What comes next in an effective technology treatment plan? Harvard Business Review offered several suggestions, starting with a focus on basic housekeeping tasks. Is all data encrypted? Are monitoring systems in place to track large data transfers and website searches?
It’s also a good idea to consider purchasing health care IT insurance. As a relatively new concept in the health care space, there’s no standardized version, but it can help offset the cost of data breach recovery or patient compensation.
HBR also suggested a number of forward-thinking approaches, such as tokenization — substituting sensitive data for unique but nonsensitive data — combined with health care-specific versions of the chip-and-PIN cards now used in many credit transactions. The result is better protection for patients and easier cybersecurity management for health care companies.
Other ideas include the use of blockchain technology, which is already used in the financial industry to create permanent and verifiable transaction records. Meanwhile, advances in biometric security could add another level of authentication to medical services without placing the onus on patients to carry around cards, USB tokens or other devices. Instead, fingerprints, retina scans or facial features could be used to confirm identity in combination with more traditional factors such as usernames and passwords.
As noted by The Hill, meanwhile, health care companies must also deal with the problem of aging devices, since it’s often easier for organizations to keep using what works — even if it poses security risks — rather than spending on new hardware. HHS task force member Josh Corman pointed to options such as “cash for clunkers” programs, which would encourage companies to ditch legacy systems that can’t be updated with new security features. He noted, however that “a number of solutions may be required” to effectively manage the vast array of hardware in use.
No discussion of health care cybersecurity would be complete without mentioning the role of end users — both medical personnel and patients — in the uptick of technology risk. In the vast majority of cases, human-caused data breaches stem from accidental misuse of medical systems rather than malicious intent, but they still result in compromised records and potential network failure. No matter how much companies spend on new technology, expert IT staff and cloud-based defense mechanisms, true headway will be made only when human factors are addressed with the same investment and interest as technology.
A Healthy Outlook?
So what’s the outlook for health care cybersecurity? Untreated, the condition will only worsen as more sophisticated malware sneaks past corporate defenses, users accidentally compromise systems and legacy hardware makes it impossible to address security upgrades.
The new HHS report is a solid starting point. Combined with new solutions such as biometric authentication and finance-based identification tools, this technology treatment plan could mitigate the worst symptoms of rampant cybercrime and help address underlying root causes.