As cybersecurity threats change, so must hospitals
Never before has the healthcare industry been so vulnerable on so many fronts. As consumers interact with online health data and even create their own, hospitals must cater to a larger connected presence, which also gives them a larger attack surface on the internet.
Many machines run legacy software, including operating systems that are at or near the end of their lives. And even as consumers directly acknowledge these fears and claim some responsibility in protecting their data, they admit to knowing little about the state of their health data or their rights to it.
All of these scenarios and more are outlined in a new threat assessment from Morphisec, a cybersecurity firm.
Why it matters
The report finds that the number of consumers accessing their health data online has grown to 42 percent, a significant jump from the previous year. Additionally, patients are using their smartphones and other devices to generate their own health data, which can be shared with a practitioner.
Internet of Things connected devices often can’t operate within the same security parameters as other devices. As they continue to explode as a device class in healthcare settings, they present new vulnerabilities as well. These new forms of digital connection between patient and provider create new attack surfaces in a network and enlarge ones that already exist.
While many consumers responded that they felt they had a shared responsibility to protect their data, the report notes that it still is the responsibility of the provider to secure data. Many consumers struggle with this, with nearly half responding that they felt their smartphones were “nearly as secure” as hospital data networks.
Consumers still have a hard time engaging with the safety of their health data. While over half of the U.S. population has been exposed to some form of data breach, close to the same share of those polled did not know whether their data had ever been compromised.
What is the trend?
Hospitals need to go above and beyond in their preparedness and response to cyber threats.
Large data breaches are becoming the norm, and when targets include large national companies, the effects of an attack can be felt everywhere. Furthermore, every player in the security ecosystem – from vendor to practitioner to patient – needs to have a stake in maintaining the security of healthcare data.
On the record
“With nearly 90 percent of health organization CIOs indicating they purchase cybersecurity software to comply with HIPAA, rather than to reduce threat risk, consumers have a right to be worried about the cyber defenses protecting their health data,” said Tom Bain, vice president of security strategy at Morphisec. “Merely checking the box that cybersecurity defenses meet HIPAA requirements isn’t enough to protect healthcare organizations today from advanced and zero-day attacks from FIN6 and other sophisticated attackers.”
Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.