A perfect storm is raining down on healthcare cybersecurity. The industry is vast and complex, has tremendous amounts of patient data, and it’s not equipped to protect it.
The result is a bonanza for cybercrime, from the WannaCry ransomware attacks that hit hospitals in the U.K. to the steady stream of healthcare data breaches across the U.S.
The U.S. Congress established the Health Care Industry Cybersecurity (HCIC) Task Force to help address the problem. The 21 members of the task force set out to research cybersecurity in healthcare and make recommendations.
The result, published last week, is the Report on Improving Cybersecurity in the Health Care Industry. The 88-page document has dozens of recommendations for health organizations and the companies that serve them.
The problems in healthcare IT security are massive, and the report highlights them throughout. Five of them stand out.
Problem #1. Healthcare’s attack surface is growing
Healthcare was transformed by the adoption of electronic health records (EHRs). Compared to paper, the digital records yielded huge gains in efficiency and in the quality of patient care.
The U.S. federal government set aside billions of dollars to incentivize the rapid adoption of EHRs. For example, an average physician with at least 30% of patients covered by Medicaid could receive up to $63,750, according to The Commonwealth Fund.
“With this adoption and widespread use of EHRs, effort was originally placed on installing hardware and software required to earn the incentives. Unfortunately, a majority of the healthcare sector made financial investments in cybersecurity only in the last five years,” according to the HCIC Task Force report.
In short: the healthcare industry found a new and powerful way to store its health records, but no one remembered to lock the door.
Problem #2. Legacy Medical Hardware and Software
Medical equipment is expensive. A state-of-the-art MRI machine can cost $3 million. Want a wireless digital radiography detector panel? That may cost $35,000.
Healthcare organizations must constantly balance the need for advanced equipment with the need for everything else – everything from magazines in the waiting room to a network security firewall.
Few healthcare practices can afford to replace medical systems every year or two, so they keep aging equipment in service for years, sometimes decades. In many cases that equipment runs software the device manufacturer no longer supports, which means known vulnerabilities in it are never patched.
The same goes for computer systems. Last year, at least three hospitals were infected with malware that entered through legacy systems.
“Researchers discovered ‘a multitude of backdoors and botnet connections,’ that had been installed using ancient exploits of the unsupported Windows XP platform,” according to reporting by HIPAA Journal.
Problem #3. Healthcare Cybersecurity Risks are IGNORED
It’s difficult to convince non-believers that cyberattacks on their computers and servers could cripple their organization. It’s even harder to convince them that healthcare cybersecurity attacks are inevitable.
Without having experienced a breach or data loss, many healthcare professionals struggle to see why cybersecurity matters, or how a proactive risk management approach can save them money and protect their practice, their reputation and, most importantly, their patients.
This problem is likely to fade for large institutions. The wave of medical data breaches is hard to ignore year after year: healthcare exposed more Social Security numbers than any other industry in 2016, according to the Identity Theft Resource Center.
For smaller organizations, however, the problem may persist.
Problem #4. Lack of Cybersecurity Knowledge
Cybersecurity is widely treated as an IT problem, and healthcare is no exception.
Other staff members – nurses, doctors, and administrators – often don't understand the risk of a data breach. Nor do they realize that everyone, not just healthcare IT staff, plays a role in keeping an organization secure.
This is partly due to a failure to educate staff members and raise the awareness of cyber threats and the harm they can pose to organizations, and more importantly, to patients.
“Data collected for the good of patients and used to develop new treatments can be used for nefarious purposes such as fraud, identity theft, supply chain disruptions, the theft of research and development, and stock manipulation. Most importantly, cybersecurity attacks disrupt patient care,” according to the report.
Problem #5. No One is in Charge of Cybersecurity
Responsibility for healthcare cybersecurity is often poorly defined. When no one is accountable, no one pushes hard for the changes needed to secure the network and systems against attack.
Nearly three out of four U.S. hospitals have no designated IT security professional, and some small and medium organizations lack even a single IT person, according to reporting from Healthcare IT News.
Even at small organizations, it’s important to designate a single person to lead and prioritize cybersecurity risks. The person needs the authority and expertise necessary to ensure cybersecurity requirements are identified, prioritized, fulfilled, and maintained.