In the United States, computer-related crimes are a major public health concern. By 2020, it is estimated that there will be more than 1 million cybersecurity job openings and only about “250,000 qualified applicants to fill those positions.” This could lead to as much as a 200 billion dollar loss for American businesses.
A 2013 article in the journal Health Affairs reported that “more than three-quarters of the hospitals surveyed had experienced at least one security incident in any given month.” Most breaches were related to theft or loss of devices, but many involved unauthorized access, data tampering or disclosure. The vast majority of these incidents went unreported.
Like other businesses, healthcare organizations are increasingly recognizing the need to upgrade their cybersecurity protections. However, as in most other non-technical fields where it is difficult for employees to discern between important and unimportant information, healthcare professionals often have a hard time understanding exactly what they should be protecting.
The lack of standards across the healthcare industry makes hospitals particularly vulnerable to cyber-attacks. Because there is such a wide range of industries and technologies in use, it becomes much easier for hackers to find the point of access that they want.
The government has provided numerous incentives for healthcare administrators to invest more in cybersecurity measures; however, these programs often fail due to lack of participation by hospital staff. As a result, these hospitals are often the victims of costly data breaches.
Lack of Cybersecurity Training in Healthcare
The lack of training programs has led directly to poor investment in cybersecurity measures by healthcare organizations. There are currently no federal laws in place to protect patient information, which has led to the rise of medical identity theft. The United States Department of Health and Human Services reported that there were more than 21 million cases of medical record theft in the past 6 years, with only about 1 in 20 instances being investigated by law enforcement.
Cybersecurity has become a major concern in today’s society, where most people rely on technology for various services. However, the increased use of computers and other digital devices brings an increased risk of cyber attacks. Many companies have been targeted by these attacks, resulting in financial losses or compromised personal information. Now that healthcare providers are more connected to a network of devices, more providers are being targeted by hackers. While most healthcare facilities have implemented security measures against cyber threats, they have not been successful in thwarting these attacks. Healthcare providers must learn how to identify and protect themselves from potential threats because protecting cybersecurity is becoming a requirement by law.
Healthcare providers need to be aware of all potential threats in order to keep cybersecurity intact. One of the biggest threats to healthcare security is spear phishing. Spear phishing is a form of electronic identity theft that targets specific individuals or organizations. Hackers can identify an individual’s email address and use it to send an email containing malware or a link leading to malicious software. This threat has caused the healthcare industry to implement new practices in order to protect itself from cyber threats.
Healthcare facilities need to fully embrace cybersecurity training in order to keep patients’ data protected at all times. Providers should take advantage of the many training programs that are available. Being aware of different types of cybersecurity threats will help protect providers against these attacks.
High-Risk Networked Medical Devices
Medical devices are more interconnected than ever before; however, there are very few standards that creators have to adhere to when developing new products. In addition, many medical devices have been designed with a poor user interface as the focus as opposed to security controls. As a result, it is easier than ever for hackers to gain unauthorized access to this equipment.
High-risk medical devices are at the center of attention for several reasons. On one end, some embedded device manufacturers do not implement adequate security measures to protect these systems against hackers or breaches that may compromise patient safety. Even if the manufacturer takes every possible step to make sure its device is properly protected, an insecure network environment can still leave it vulnerable.
For instance, consider a hospital that has an infusion pump connected to the local clinical network. This device is used to administer infusions of fluids and medication for patients. Unfortunately, it is configured to allow access from any computer on the same subnet without authentication. An attacker simply needs to connect his system to the subnet and send commands directly to the infusion pump through the network.
The consequences of an attacker compromising an infusion pump are serious. He can set the flow rate to a dangerous level, or he can stop the infusions completely, resulting in loss of blood pressure for the patient and possibly death.
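An added example (not from the original article) of auditing the exposure described above: it evaluates a first-match access list in front of the pump and counts the subnet hosts, other than approved management systems, that can reach its control port. The addresses, port number, device name and rule format are constructed assumptions; restricting network reach is a compensating control and does not replace authentication on the device itself.

```python
import ipaddress

# Constructed sample data: addresses, port and rule format are assumptions.
PUMP = {"name": "infusion-pump-01", "ip": "10.20.30.50", "control_port": 8443}
APPROVED_SOURCES = {"10.20.30.10"}  # hypothetical pump management server
CLINICAL_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# First-match rules: (action, source network, destination port or None for any port)
ACL_FLAT = [("allow", "10.20.30.0/24", None)]  # whole subnet may talk to the pump
ACL_SEGMENTED = [
    ("allow", "10.20.30.10/32", 8443),         # only the management server
    ("deny", "0.0.0.0/0", None),               # everything else is dropped
]

def is_allowed(acl, src_ip, dst_port):
    """First matching rule wins; traffic matching no rule is denied."""
    src = ipaddress.ip_address(src_ip)
    for action, network, port in acl:
        if src in ipaddress.ip_network(network) and port in (None, dst_port):
            return action == "allow"
    return False

def unapproved_sources(acl, device, subnet, approved):
    """Subnet hosts that can reach the control port but are not approved."""
    exposed = []
    for host in subnet.hosts():
        ip = str(host)
        if ip == device["ip"] or ip in approved:
            continue
        if is_allowed(acl, ip, device["control_port"]):
            exposed.append(ip)
    return exposed

def audit(acl):
    """Summarise exposure of the pump's control port under the given ACL."""
    exposed = unapproved_sources(acl, PUMP, CLINICAL_SUBNET, APPROVED_SOURCES)
    return {"device": PUMP["name"], "exposed_count": len(exposed), "ok": not exposed}

if __name__ == "__main__":
    for label, acl in (("flat", ACL_FLAT), ("segmented", ACL_SEGMENTED)):
        print(label, audit(acl))
```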
Poor Investment In Cybersecurity Threatens The Health Of Hospitals
According to the 2015 HIMSS Cybersecurity Survey, security risk ranks as a top priority for 63.1 percent of respondents and nearly 65 percent said they were concerned about their organization’s ability to manage and control access to their data. We’ve heard many times now that cybersecurity must be a priority in healthcare. Yet, the survey results indicate that many organizations and professionals are not doing enough.
Survey data also reveals a lack of awareness from IT leaders about their organization’s risk to point-of-sale malware at pharmacies, as well as other security risks, such as account takeover fraud resulting from weak or nonexistent password practices. Only 43 percent of respondents said they have implemented security measures to prevent such fraud.
More emphasis must be placed on security, and a big part of that comes from increased investment. As the saying goes, “a chain is only as strong as its weakest link,” and in this case, that weak link is often cybersecurity.
Even if the risks are high, why aren’t more organizations taking action? According to research from Accenture, small to medium-sized hospitals invest up to 20 percent of their IT budgets in security. Meanwhile, larger organizations often spend less than 10 percent of their budget on security, leaving a budget gap that many smaller entities can’t fill.
The key is to prioritize spending and understand that there is no such thing as 100% secure when it comes to cyber attacks. Big breaches have already occurred and organizations need to be willing to take that into account.
Insecure Medical Networks
Insecure hospital networks have led to cybersecurity being an ongoing concern for healthcare organizations. Studies have shown that cyber security continues to be a widespread problem in hospitals across the United States, Europe and Asia.
The number one challenge is the lack of budget given for cyber security. The second major obstacle is that hospitals have many separate networks, so it is difficult to centralize the security measures. The third challenge is a lack of trained computer professionals, and finally there’s a basic lack of cybersecurity knowledge among healthcare staff.
According to reports from the UK National Health Service (NHS), hospitals have been victims of cyberattacks where patient records were being held hostage by hackers demanding bitcoin ransom payments that reportedly ranged from $180 to $15,000. Another report from the United States Department of Health and Human Services (HHS) revealed that in 2015 there were 295 health data breaches reported by 251 organizations with a total of 100 million records compromised.
The HHS Office for Civil Rights (OCR) is the federal agency tasked with ensuring compliance by covered entities with the HIPAA Administrative Simplification Rules, which were issued by the HHS Secretary and designed to improve the efficiency and effectiveness of the nation’s healthcare system.
One of the most successful ransomware attacks was at Hollywood Presbyterian Medical Center where hackers were able to infect their systems with a crypto virus, which held their files hostage for $17,000 in bitcoin. This changed when they paid the ransom and removed the infection from all affected devices. Healthcare organizations need to stay vigilant as this cybercrime trend continues to spread.
Breached Hospital Passwords
Cyber-attacks against U.S. hospitals increased 400% in 2015 and the first half of 2016; 66 more data breaches were reported by the Department of Health and Human Services Office for Civil Rights (OCR) during this period compared to all of 2014, as AC & SC Magazine reports.
There was a 426% increase in malware attacks against hospitals from 2014 to 2015, according to a report released by OCR. Malware compromises patient privacy and enables unauthorized access to sensitive patient information.
The University of Pittsburgh Medical Center (UPMC) fell victim to two major ransomware attacks within the last 18 months that cost the university $18 million. Ransomware is a type of malware which locks users out of their files and data until they pay the ransom fee to unlock them; most hospitals that were successfully attacked paid between $10,000 and $50,000.
About 59% of users had internet-connected devices on their hospital networks that could be susceptible to cyber attacks, according to a HIMSS Media survey of healthcare IT professionals conducted last July. These devices include digital dictation machines and cardiology imaging systems as well as more traditional IT systems such as computers and printers.
According to the 2016 National Health IT Collaborative (NHIT) Cybersecurity Survey, smartphones are now more prevalent than laptops or tablets on health care networks; 20% of hospitals reported that mobile devices were the most targeted form of attack in 2015, up from 7% in 2014.
In conclusion, it is clear from this review that cyber security in healthcare continues to be a significant and growing challenge. The fundamental issue is around the balance of patient benefit vs. security. Healthcare processes and systems will not be made risk free, so we must design them with controls that limit exposure to known risks as much as possible. Over time, emerging challenges will need to be addressed through the same risk management methods.