Cybersecurity incidents are a threat to the healthcare industry as hospitals continue to be valuable targets for attacks. Despite being one of the few industries facing heavy-duty federal privacy regulations (HIPAA), hospitals lag behind other industries, like finance, in protecting patients’ privacy and security.
With data breaches costing the industry $5.6 billion a year and impacting 27 million patient records a year, hospitals have an increasingly urgent need to invest in cybersecurity. Unfortunately, this is easier said than done because healthcare services are complex organizations with an extraordinary level of technology saturation and a long list of internal and regulatory pressures to meet.
Why is cybersecurity such a pressure point for healthcare? It starts because hospitals are such lucrative targets for attackers.
What Makes Hospitals Such Big Targets?
Hospitals are huge targets for hackers for many reasons. First and foremost, they rely heavily on internet-enabled technology for everything from elevators to electronic health records to research, which exposes them to hackers and means providers are cut off at the knees if disconnected. Doctors and nurses who can’t log on physically can’t do their jobs.
As a result, healthcare teams have an urgent financial and ethical need to get back online – in the battle between paying the ransom and saving patients, the patients win. That assumes the attackers merely hold records for ransom. Consider Computer-Aided Design (CAD) use in medical research, where the programming is used for 3D imaging. In 2019, a group of researchers out of Cornell University found it was possible to create malware that tampered with 3D medical imaging to trick doctors, and specifically said, “an attacker with access to medical records can do much more than hold the data for ransom or sell it on the black market.”
The impact of these breaches is staggering. For patients, it contributes to the potential exposure of their personal data, which can result in medical identity theft and cost an average of $13,500 to resolve. More sophisticated malware attacks, however, also directly affect their personal health and their treatment. If a hacker tampers with MRI imaging and a patient ends up undergoing a surgery they don’t need, their physical safety is at stake. It also makes the care itself more expensive, costing the industry billions a year in unnecessary spending.
What Are Hospitals Doing to Stop It?
Hospitals and healthcare organizations have minimum security obligations to meet under HIPAA and other federal regulations. The HIPAA Security Rule sets national standards for protecting personal health information. It’s prescriptive, but it also only requires “reasonable and appropriate administrative, technical, and physical safeguards.” In other words, it gives healthcare organizations a fair amount of leeway, even in the face of substantive HIPAA fines.
Hospitals and other covered entities have an obligation under HIPAA to protect personal information.
Given that the HIPAA Security Rule came out in 2003, you might think hospitals would be leaders in cybersecurity, but hospitals in particular dedicate only 2-4 percent of their operating budget to IT, and even that represents an increase in IT spending. Healthcare facilities do eventually invest in the latest security measures, but they often take longer to make the leap, and although they should be investing in a more holistic approach to cybersecurity, they are slow to do so.
What’s more, a new cybersecurity report found that a staggering amount of damage comes from within the facility itself. It found that healthcare is the only industry (according to its data) where the people inside it are the biggest threat: healthcare workers play fast and loose with protected information, either for financial gain or for convenience. This is possible not because staff are criminal masterminds but because they don’t use passwords correctly and fail to erase data according to protocol. Employees may also click on malicious emails and links.
Hospitals Need to Improve Their Cybersecurity Infrastructure – Yesterday
The healthcare sector has an enormous duty of care to protect both patients and their identities. While HIPAA makes some demands, it doesn’t go far enough in keeping data and infrastructure secure.
Given what is known about the issue, not all remedies need to be technology-based. One place to start is ensuring that all stakeholders get cybersecurity training. One-third of people in the industry never received any training on how to enforce the HIPAA Security Rule. Training can stop the internal threats – both malicious and negligent.
Additionally, organizations can make more immediate jumps to the latest technology. Tech like blockchain offers promising applications from the top down. Investing in more cloud applications can also mitigate security threats and open up new opportunities for more secure practices. Whatever they choose, healthcare organizations need to step up their security practices, and they needed to do it yesterday.