
New tools and technologies are driving healthcare change. The rapid adoption of mobile applications, cloud solutions and wearable devices makes it possible for care professionals to better connect with patients and directly address their concerns.
As the rate of technology adoption increases, however, so do the risks of a cybersecurity attack. According to recent research data, the number of ransomware attacks on U.S. healthcare delivery organizations more than doubled from 2016 to 2021 — and shows no signs of slowing down.
Here’s a look at the impact of technology and cybersecurity in the healthcare industry, and what companies can do to stay safe.
How Digital Solutions Are Driving Healthcare Change
Digital solutions have changed healthcare delivery. Consider the rapid uptake of remote communications platforms over the past three years. Thanks to innovation and experimentation, doctors can now meet with patients on demand to provide medical advice and recommendations. Patients can stay in the comfort of their homes, and doctors can streamline their schedules.
Medical devices, meanwhile, now make it possible for patients and healthcare professionals to track and capture health data on demand. Wearable and implantable technologies allow constant monitoring of key patient data. Patients and doctors can be notified if there’s a potential problem.
There’s also a growing market for software as a medical device. These solutions enable specific healthcare functions, such as viewing MRI images or processing image data to detect disease or illness. These tools often interface with other wearable and on-site medical devices to help provide a holistic picture of patient health.
Risk and Reward: The Technology Paradox
While technology offers significant benefits for healthcare organizations, it also introduces potential cybersecurity risks.
Three common areas of concern are compromised data, compliance challenges and connected device attacks.
Compromised Data
Healthcare organizations now collect massive amounts of patient, clinical and operational data. Some of this data is stored on-site in storage databases, some is kept in the cloud, and some exists on patient and provider devices.
The sheer volume of data makes it an attractive target for cyberattackers. If they can infiltrate storage systems or user devices, they can steal, ransom or destroy protected health information (PHI). This data may include everything from basic personal information to treatment records to financial statements.
Compliance Challenges
The growing impact of digital tools also creates compliance challenges for organizations. Under HIPAA, providers of healthcare services and collectors of healthcare data have a responsibility to ensure its security. Responsibility for compliance always rests with the agency that requests and uses data. This means that even if organizations are using third-party services to collect and analyze patient data, these organizations remain responsible for compliance.
If data is not secured properly, health care providers may find themselves facing operational audits, monetary fines and possible sanctions.
Connected Device Attacks
Connected, Internet of Things (IoT) devices also represent a cyber risk. For example, if attackers can compromise devices such as pacemakers or blood glucose monitors, they may be able to steal patient data or create false device readings. At best, this type of compromise puts patient data at risk. At worst, it could lead to actual, physical harm.
Creating a Technology Treatment Plan
Treating symptoms doesn’t solve the underlying issue. This is the case for healthcare practice and cybersecurity operations. For example, while improving ransomware detection and response times can help mitigate the damage caused, these practices are a bandage at best.
To effectively address evolving issues such as malware attacks, healthcare companies need tools capable of intelligent analysis and prediction that help them avoid attacks entirely. While this isn’t a panacea, it’s a solid starting point for organizations looking to shore up cybersecurity efforts.
Bottom line? Healthcare providers need a cybersecurity plan that treats immediate issues and manages ongoing concerns to provide consistent, protective outcomes.
This Guest Blog was written by Lauren White, MBA, CISSP. She is Director of IT and Security at MCRA, a medical device, diagnostics, and biologics CRO and consulting advisory firm. White has over a decade of experience in information technology and security and prides herself on an ability to bridge the gap between business and technical communication.
Overview
The document discusses significant cybersecurity issues in the healthcare sector, focusing on recent data breaches and the implications for patient privacy and organizational integrity. It highlights two notable incidents: the myCare Integrity system breach on December 25, 2021, which affected 16 organizations and individuals, resulting in the unauthorized access of names, dates of birth, and Social Security numbers. Information was eventually returned after negotiations, and affected individuals were offered identity theft protection and credit monitoring. The second incident involved the Allegheny Health Network, where a phishing email led to unauthorized access to protected health information (PHI) of approximately 8,000 patients on June 1, 2022, also resulting in offers of identity theft protection.
The document outlines various types of social engineering scams, including phishing, vishing, smishing, whaling, and spear phishing, as well as ransomware tactics and the risks associated with stolen or lost equipment containing PHI. It emphasizes the importance of having robust policies and procedures in place, including access controls, audit and monitoring, physical security, emergency preparedness plans, business continuity, and workforce education and training.
In terms of regulatory compliance, the document details the requirements for reporting HIPAA breaches. Organizations must notify impacted individuals within 60 days of discovering a breach. If the breach affects more than 500 individuals, media and the Department of Health and Human Services (DHHS) must also be notified within the same timeframe. For breaches involving fewer than 500 individuals, annual notification to DHHS is required.
The financial impact of data breaches is significant, with the average cost of a breach estimated at $4.35 million. Ransomware attacks account for 11% of breaches, costing an average of $4.54 million, while 19% of breaches are linked to business partner compromises. Stolen or compromised credentials are the most common cause of breaches, taking an average of 243 days to identify, with phishing being the second most prevalent breach type. The healthcare sector has the highest average cost for data breaches, averaging $10.10 million in 2021, and has experienced a notable increase in ransomware incidents compared to other sectors.
Overall, the document underscores the critical need for enhanced cybersecurity measures in healthcare to protect sensitive patient information and maintain trust.


