Healthcare's worst security weakness?
It seems like health data breaches will never stop. In the first half of 2016 alone, the healthcare industry experienced 263 incidents, comprising 27 percent of the total breaches in all industries, according to a report from digital security firm Gemalto.
What’s more, the number of breaches in the third quarter of 2016 outpaces those in the first two, the Protenus Breach Barometer found. And research from Ponemon Institute and Trend Micro ranks healthcare as the sector with more breaches than all others.
Does that mean that the industry’s greatest weakness is inadequate information security practices and technologies to protect those records?
Not so fast. Healthcare’s biggest vulnerability, rather, is its very dependence on the data it must protect, asserted Pam Hepp, a healthcare attorney for Buchanan, Ingersoll & Rooney, who specializes in privacy and HIPAA law.
Security vs. dependence
Many people within an organization need access to that data just to do their jobs. Sounds simple enough, but that reality actually gives hackers the ability to perform phishing expeditions or even ransomware attacks, targeting not only people but also the EHRs housing patient data, Hepp explained.
“Providers are very much dependent on these records, but also other technologies like medical devices and apps that provide different avenues for hackers to gain access into their system,” Hepp said. “There’s also the added issue of vendors or other third-parties these providers don’t have complete control over.”
Right now, the challenge is critical, and it will only get more complex as providers focus on interoperability and health information exchange with outside organizations. Applying emerging Big Data, informatics and machine learning to cybersecurity and population health could lead to what Protenus co-founder Robert Lord described as “a precarious security and privacy posture, or a slowdown in our ability to manage and treat patients,” if it is not handled with great care.
“As we expand the collection and use of data in healthcare, we are often increasing the sophistication of systems that are accessing and analyzing data at a much greater pace than systems that are used to protect these same data,” Lord said.
Hackers overtake human error as greatest threat
A number of years ago the biggest healthcare vulnerability was a combination of human error, like inadvertently sending information to the wrong place, or just negligence. Hacking was only a small vulnerability at that time, Hepp said.
Here’s the rub: Those statistics have changed dramatically, Hepp said, to the point where hacking is an equal threat to human error.
Globally, 974 data breaches were reported so far this year, compared to 844 breaches and 424 million compromised records in the previous six months. Further, 52 percent of this year’s breaches didn’t disclose the number of compromised records when the breach was reported.
Identity theft led the breach types for the first six months of 2016, accounting for 64 percent of all incidents, up from 53 in the previous six months. The report also showed malicious outsiders as the main source for breaches, accounting for 69 percent, which is up 56 percent from six months ago.
“Ransomware attacks are becoming more frequent, hackers are gaining access through phishing mechanisms,” Hepp said.
And ransomware is bound to get worse — at least if the dropping price of medical records on the black market is any indication. World Privacy Forum executive director Pam Dixon said that lower dark web prices for EHRs and other medical records mean that the long-profitable crime of identity theft will continue as a predominant threat to healthcare organizations.
“The hideous problem of ransomware will crop up,” Dixon said. “Cybercriminals will shut down the system to make money.”
Embrace uber-trends in lockstep
Preparing for future cyberattacks will invariably necessitate considerable infrastructure work.
“As the hackers come up with new ways of getting access into a system, they’re one step ahead of the organization, and that poses a bit of a challenge,” Hepp added. “It means organizations need to make sure systems are up-to-date and monitor those for outside attacks.”
Dixon said that healthcare executives and organizations, IT shops and infosec teams all need to get ahead of the growing problem now.
“What's needed,” Lord said, “is more of an orientation to thinking about how we can apply cutting-edge techniques, including Big Data and machine learning, on the privacy and security side, just as we apply them to the clinical side.”
If only because healthcare professionals of all sorts are so dependent on data, hospitals, IT shops, and information security specialists will continue walking the tightrope of giving them access while keeping hackers at bay.