FILE – A Feb. 5, 2015 photo shows the Anthem logo at the health insurer’s corporate headquarters in Indianapolis, Indiana. A lawsuit filed against Anthem over its massive database breach in 2015 rips the insurer’s cybersecurity and casts a spotlight on the vulnerability of health care information. (AP)
Health care providers – repositories of critical patient data – have relinquished millions of sensitive records and billions of dollars to hackers in the past few years. And there is no end in sight as the industry expands to largely-unsecured mobile and Internet of Things (IoT) platforms.
Your personal information is the main reason why health care organizations are a coveted hacking target. The wealth of data that heath care providers store – irreplaceable social security numbers, dates of birth, insurance, medical and billing records – are all profiles worth more to hackers than credit card heists because, piece by piece, they enable them to assume the victims’ identities.
“Simply put, our personal data has a value, so it will be attractive to cybercriminals and hackers,” said Steve Durbin, Managing Director of Britain’s Information Security Forum Limited, a non-profit cybersecurity organization.
The other reason health care organizations are a prime target for cybercriminals is that many of them have terrible cybersecurity track records, even if the frequent cyberattacks are forcing a change in the old-school mindset.
“Traditionally, security has been an afterthought at healthcare organizations,” said Amit Saha, Chief Operating Officer of cloud security firm Saviynt, in an email. While that mindset is changing, many health care organizations are now adopting Electronic Health Records (EHR) platforms despite lacking “appropriate security controls to detect and respond to data breaches,” thereby creating new opportunities for hackers.
Against this backdrop, adding mobile and IoT platforms to the mix hardly inspires confidence because security is also “an afterthought” in the consumer electronics world where smartphones and tablets exist, said Durbin in an email.
The move to mobile is one of “convenience,” he said. “It is where we are migrating most apps and will increasingly become the de facto access method for many people to a range of data.”
But that entails making critical data available “on devices that were not designed to be ruggedly secure – mobile devices.” he said. “So they’ll become increasingly attractive targets for cybercriminals.”
Another problem is that developers all too often are sacrificing security in favor of “speed of delivery and low cost” when it comes to mobile apps. Durbin said that then shifts the responsibility to the user “to preserve the integrity, confidentiality, availability, and ultimately, security of the data.”
Despite some positive change, Saha stressed that the security discussion must be elevated to the highest organizational levels to allow for better risk reduction and threat mitigation.
“Information security must be considered as the cornerstone to survival and success of the organization,” he said. And one of the foremost things they should do to mitigate the business-as-usual approach to cybersecurity is to “ingrain security practices and controls in all the business and technology processes.”
He believes it is “critical” that health care organizations invest in initiatives that align with their strategy and risk profile, and put in place processes to quickly detect unauthorized use of patient data and limit its impact.
The Hollywood Presbyterian Medical Center in Los Angeles, California, was locked out of its computer systems following a cyberattack, Feb. 16, 2016. Hackers demanded a ransom for decrypting the hospital’s hijacked files. The hospital eventually paid the ransom. (Reuters)
Durbin agreed, saying additional security layers should include a review of user access protocols, identifying critical assets, and finding ways to protect them and store them “in a virtual, secure cloud environment vs. on a mobile device.”
Also key is educating the workforce for better security practices and due care when dealing with other people’s sensitive information, not to mention their own.
“User education and training, along with security hygiene reinforcement, are not optional extras,” stressed Durbin. “They are fundamental to increasing our security readiness to deal with potential attacks.”
There will always be weak links and risk that data may fall into the wrong hands, particularly in an always-on mobile environment. But Durbin said “if we recognize that the environment is inherently insecure, then we can address that issue head on.”
But he acknowledged that “it will take significant legislative change … to bring about a significant change in the sector,” similar to the European Union’s General Data Protection Regulation – a piece of legislation that penalizes companies if they fail to take stored customer data seriously.
