Healthcare Catching up With Security Practices
With patient records fetching roughly ten times what personal identity information brings on the black market, the healthcare industry sits at the forefront of the need for cybersecurity. As bad actors continue to profit from the data held in electronic health records (EHR), healthcare organizations are facing increasingly sophisticated attacks, complicated by data paths unique to their industry. With diagnostic equipment, drug delivery systems, sensors and other medical devices going online to share data automatically, healthcare organizations face an even broader range of threats.
Healthcare organizations are now among the most frequently attacked, according to IBM's 2016 Cyber Security Intelligence Index. In February 2016, the Department of Health and Human Services (HHS) reported that nearly 112 million individuals had been affected by breaches of protected health information, more than 60 times the 1.8 million affected in 2014.
In July, HHS issued a briefing urging healthcare organizations to reinforce their EHR contingency plans in light of "persistent and evolving threats," warning that any disruption would pose "significant safety risks" to patients.
The healthcare industry is scrambling to shore up its defenses against these threats. "For a long time there simply wasn't a security culture in healthcare," says Marques Murray, senior security architect at Merlin International. "It really began in earnest some eight years ago when the Defense Department mandated that contracted commercial healthcare vendors implement DoD security standards."
One advantage the industry has is the Health Insurance Portability and Accountability Act (HIPAA), which for 20 years has required protections governing the privacy of patient information. At the very least, says Murray, it has set the tone for healthcare security.
When HIPAA was first enacted, patient data was held mostly in paper records, which were easier to protect. The growing adoption of digital data, in the form of EHRs, changed how healthcare handled security. The number of different digital platforms and systems used by health organizations, each customized to that organization's specific needs, only made the task harder. The spread of collaborative care compounded the complexity: data is now exchanged between many systems and devices, expanding the opportunities for patient data loss.
Most large organizations actually have an adequate layered approach to security, says David LaBrosse, strategic partner manager for NetApp's healthcare data management solutions. Many smaller ones, however, struggle because of the costs and the staff involved.
That scarcity is forcing a change in attitude, prompting healthcare organizations to consider new approaches that offer a more efficient path to data protection. Previously, for example, many healthcare organizations tended to avoid cloud service delivery because of the perceived loss of control over their data and the security challenges involved. "But now, many seem to be saying they can't afford to maintain the security tools themselves," says LaBrosse, "so we're seeing many of those smaller organizations, in particular, outsourcing such things as network monitoring to the cloud."
Healthcare institutions are embracing "built-in" security tools as part of the overall IT infrastructure, relying on features such as encryption of data at rest and data in flight, and multi-factor authentication to prevent unauthorized network access. However, even the seemingly small amount of extra work involved in requiring a doctor or nurse to remember and enter multiple passwords can become a significant threat to both security and the prompt delivery of care.
Ultimately, though, there may be no alternative, says Murray. With so many different proprietary systems and tools in healthcare, encryption, along with security deployed at the network access level (authorization, access control and monitoring), is likely the way to go now. "At the end of the day, you want to put a gate around that personal information," he says. "And that is by far the biggest driver for security."