The why & how of Cybersecurity in Healthcare

31 March 2021

Why cybersecurity is critical to the healthcare business, especially now!

In today’s electronic world, protecting information from hackers and fraudsters is critical.
Because of the nature of the data stored in EHRs, decision-support and radiology information systems, clinical laboratory systems and many others, hackers target healthcare providers to steal that data and sell it on the dark web, and to take systems down with ransomware attacks. These data breaches cost the healthcare industry billions every year.


One challenge for cybersecurity in healthcare is that many health entities still use legacy systems that are no longer supported by the vendor, thus exposing them to security vulnerabilities. Right now, it is crucial for healthcare organisations to invest in strong cybersecurity technologies and secure data stores, and establish a security culture.

The Why

During COVID times, every stakeholder in the healthcare system felt the need to share and receive critical patient information in real time, but was unable to do so because of the many inadequacies of the healthcare system and bad practices of information blocking.
A patch-and-go mindset has been applied to most legacy systems, with features built on top of an existing architecture in which security and secure data sharing were always an afterthought.

The cost of healthcare data breaches was over $4 billion in 2019 according to Black Book Market Research; in the year 2020, the total costs of such breaches rose to more than $13 billion.
In that same year, the average cost of a single data breach for the healthcare industry was $7.13 million. Healthcare data sold on the dark web fetches anywhere from a few cents to a couple of thousand dollars per piece of data per patient, and is more expensive than credit card numbers.

According to HIPAA Journal, 2020 was the worst year ever for healthcare industry data breaches, with 616 data breaches of 500 or more records reported to the U.S. Department of Health and Human Services’ Office for Civil Rights. Some 28,756,445 healthcare records were exposed in those breaches, making 2020 the third worst year ever in terms of the number of breached healthcare records.
One high-profile example was the massive data breach experienced in 2020 by the cloud service provider Blackbaud Inc. Hackers gained access to the provider’s systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be published if the ransom were not paid.

Below is a list of 2020’s largest healthcare data breaches:

  • Trinity Health – 3,320,726 individuals
  • MEDNAX Services, Inc. – 1,290,670 individuals
  • Inova Health System – 1,045,270 individuals
  • Magellan Health Inc. – 1,013,956 individuals
  • Dental Care Alliance – 1,004,304 individuals
  • Luxottica of America Inc. – 829,454 individuals
  • Northern Light Health – 657,392 individuals
  • Health Share of Oregon – 654,362 individuals
  • Florida Orthopaedic Institute – 640,000 individuals
  • Emergency Physicians – 550,000 individuals
  • Aetna ACE – 484,157 individuals
  • Saint Luke’s Foundation – 360,212 individuals
  • NorthShore University Health System – 348,746 individuals
  • SCL Health Colorado – 343,493 individuals
  • AdventHealth – 315,811 individuals
  • Nuvance Health – 314,829 individuals
  • Magellan Rx Management – 314,704 individuals
  • The Baton Rouge Clinic – 308,169 individuals

The poor state of healthcare cybersecurity was highlighted by a survey of healthcare security professionals conducted in late 2019 by Black Book Market Research.

Some of the key findings of the survey were as follows:

  • 96% of IT professionals said threat actors are outpacing medical enterprises.
  • 35% of healthcare organisations did not scan for vulnerabilities before an attack.
  • 87% of healthcare organisations have not had a cybersecurity drill with an incident response process.
  • 40% of providers surveyed do not carry out measurable assessments of their cybersecurity status.
  • 26% of hospital respondents and 93% of physician organisations currently report that they do not have an adequate solution to instantly detect and respond to an organisational attack.
  • 94% of hospitals have not augmented their cybersecurity protection since their last breach.
  • More money is being spent on marketing to repair damaged reputations after a breach than is spent on combating the consequences of data breaches.

The top cybersecurity threats identified in 2020 were:

  • Ransomware attacks
  • IoT attacks
  • Cloud attacks
  • Phishing attacks
  • Blockchain and cryptocurrency attacks
  • Software vulnerabilities
  • Machine learning and AI attacks
  • BYOD policies
  • Insider attacks
  • Outdated hardware

The How

We have seen how big an impact a data breach can have on businesses. Mitigating this risk calls for a holistic and phased cybersecurity approach, which includes:

Immediate actions

  • Assessing the current state of security.
  • Setting up security checks and controls to protect against immediate threats.
  • Setting up a monitoring system.

Short-term goals

  • Identifying security use cases and establishing a cybersecurity framework based on existing industry guidelines and best practices to manage and reduce cybersecurity risks.
    • ISO 27001/27002 and 27110
    • CIS Critical Security Controls
    • NIST Framework
  • User anomaly detection with industry-leading tools such as Exabeam, Securonix and Splunk.
  • Setting up stronger, proactive monitoring of data leaks, storage and access with 360-degree visibility.
  • Ensuring that security policies and standards are current and enforced within the organisation.
  • Complying with privacy and audit requirements and with regulations such as HIPAA to protect member data.
  • Disaster recovery planning.

This blog was written by Gaurav Tiwari, Program Manager at Decos. With 15+ years in healthcare, he is driven to enhance the accessibility of healthcare systems.

Decos is a cutting-edge technology services partner ready to meet your software needs in the medical domain. If you have a question on one of our projects or would like advice on your project or a POC, just contact Devesh Agarwal. We’d love to get in touch with you!