Electronic health records (EHR) were designed to revolutionize healthcare IT. They make medicine safer, empower patients and encourage quality care. But what started as a means to harness big data to reveal the most effective treatments for disease and cut down on medical errors has contributed to a multifaceted problem: healthcare remains one of the industries most affected by digital security breaches.
Spoiler alert: healthcare security breaches are most often caused by insider threats. According to Verizon’s 2019 Data Breach Investigations Report, an alarming 59% of the healthcare breaches reported came from internal threat actors.
The real weak point here appears to be access management. Mobility and multiple access points make EHR systems especially vulnerable to compromise, and a single outdated or compromised system can lead to a major breach.
When it comes to making a compliance plan for the coming year, it’s important to assess where your organization stacks up against current challenges and how adjusting your strategy can close the most critical security gaps.
The phrase “identity is the new perimeter” is truer in healthcare than anywhere else. … The more applications you have, the more data you have, the more risks there are.
– Vik Nagjee, Sirius director of healthcare and managed services
Healthcare Security Challenges
The healthcare ecosystem encompasses a highly distributed architecture serving the needs of hospitals, treatment centers, clinicians and administrators working in a variety of onsite and remote care facilities. Protecting patient privacy and personal data across this dispersed environment is an increasingly complex challenge, compounded by the exploding number of mobile devices, virtual systems and cloud services used by today’s healthcare practitioners and consumers.
The top challenges healthcare organizations face when dealing with patient privacy include:
- Modern Asset Adoption: Modern assets like EHR applications and IoT devices are a double-edged sword. One edge is revolutionizing the industry in terms of accessibility and scalability, enabling unprecedented life-saving advances in patient care. The other edge continuously exposes sensitive data to potential theft and misuse. Widespread adoption of these unprotected apps and devices poses significant cybersecurity challenges.
- Legacy Devices: Clinicians are often reluctant to upgrade to newer devices, since the process typically involves downtime and interruptions in care delivery. Devices are mandatory for instant access to patient data during office visits and medical procedures in order to meet federal regulations. Adding to the risk is the FDA approval process for third-party suppliers of clinical medical equipment: these suppliers frequently operate with outdated software and security tools on devices that are highly vulnerable to compromise.
- Protection of Critical Data: Patient data access and integrity are often a matter of life or death. Healthcare companies are particularly susceptible to malware/ransomware attacks, and they are more likely than organizations in other sectors to be forced to pay hackers to get their data back quickly.
- Continuous Compliance: Healthcare administrators responsible for cybersecurity in one of the most heavily-regulated industries face the daunting task of securing protected health information (PHI), personal information, and financial and payment data in compliance with numerous regulatory requirements including HIPAA, HITECH and PCI.
Read the full report to learn more about the security practices of today’s healthcare leaders.
6 Critical Healthcare Security Questions
In this digital era of healthcare IT, more data is generated and shared electronically than ever before, dramatically increasing opportunities for theft and accidental disclosure of sensitive information. Here are the key questions to consider when building out a compliance plan:
- Have all staff members received security awareness training?
- Have you developed a contingency plan for emergencies?
- Do you create and monitor ePHI access logs?
- Is your organization prepared to respond to sophisticated, mass-produced cyberthreats?
- Does your organization have the operational visibility to assess the vulnerability of mission- and life-critical applications on your network?
- Is your current security infrastructure able to detect intrusion or data-leakage events?
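Creating ePHI access logs is only half of the question above; monitoring them is what surfaces the insider misuse the post opens with. As an added illustration (not code from the original post or from Sirius), the following script reads a constructed, hypothetical access-log format (`timestamp user action record-id`) and flags any user who opens an unusually large number of distinct patient records within a short sliding window, a common first indicator of record snooping or bulk export. The log format, user names, record identifiers and the 10-records-in-15-minutes threshold are all assumptions for the example.

```python
# Added example: sliding-window check over constructed ePHI access-log lines.
# Log format (hypothetical): "<ISO-8601 UTC timestamp> <user> <action> <record id>"
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log: a nurse working normally, a clerk opening twelve
# different records in twelve minutes, and a physician opening twelve records
# spread over two hours (same total, but not a burst).
SAMPLE_LOG = "\n".join(
    [
        "2019-03-04T08:01:10Z nurse_a OPEN MRN-1001",
        "2019-03-04T08:03:44Z nurse_a OPEN MRN-1002",
        "2019-03-04T08:05:00Z nurse_a PRINT MRN-1002",   # not an OPEN, ignored by the check
        "2019-03-04T08:09:02Z nurse_a OPEN MRN-1001",    # repeat record, not a new one
        "2019-03-04T08:11:30Z nurse_a OPEN MRN-1003",
    ]
    + [f"2019-03-04T09:{m:02d}:00Z clerk_b OPEN MRN-{3000 + m}" for m in range(12)]
    + [
        f"2019-03-04T{10 + (i * 10) // 60:02d}:{(i * 10) % 60:02d}:00Z physician_c OPEN MRN-{4000 + i}"
        for i in range(12)
    ]
)


def parse_log(text):
    """Parse log lines into (timestamp, user, action, record_id) tuples.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        ts_text, user, action, record_id = m.groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, user, action, record_id))
    return events


def peak_distinct_records(events, window=timedelta(minutes=15)):
    """For each user, the largest number of distinct records opened inside any
    window of the given length (sliding window over time-sorted OPEN events)."""
    by_user = defaultdict(list)
    for ts, user, action, record_id in events:
        if action == "OPEN":
            by_user[user].append((ts, record_id))

    peaks = {}
    for user, opens in by_user.items():
        opens.sort()
        in_window = deque()      # (timestamp, record_id) currently inside the window
        counts = Counter()       # record_id -> occurrences inside the window
        peak = 0
        for ts, record_id in opens:
            in_window.append((ts, record_id))
            counts[record_id] += 1
            # Drop events that fell out of the window before measuring.
            while in_window and ts - in_window[0][0] > window:
                _, old_id = in_window.popleft()
                counts[old_id] -= 1
                if counts[old_id] == 0:
                    del counts[old_id]
            peak = max(peak, len(counts))
        peaks[user] = peak
    return peaks


def flag_bulk_access(events, threshold=10, window=timedelta(minutes=15)):
    """Users whose peak distinct-record count reaches the threshold."""
    peaks = peak_distinct_records(events, window)
    return sorted(user for user, peak in peaks.items() if peak >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, peak in sorted(peak_distinct_records(evs).items()):
        print(f"{user}: peak {peak} distinct records in 15 min")
    print("flagged:", flag_bulk_access(evs))
```

The threshold and window should be tuned per role (a registration clerk legitimately touches more records per hour than a consulting physician), and a flag is a prompt for review against the user's care relationships, not a verdict on its own.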
The Secure Approach to Healthcare
Technology is transforming healthcare, and the rapid proliferation of connected devices is at the forefront. This includes smart, connected medical devices, Internet of Medical Things (IoMT) devices, and the personal mobile devices of staff, patients and visitors. All of these greatly expand an organization’s attack surface and multiply the odds that one or more devices are noncompliant with security requirements.
With the current highly distributed and ever-expanding digital footprint, we consistently hear from customers about the challenges of network cyber-resilience and exponential expansion of assets in the enterprise environment. Business drivers of this growth are increased telemedicine services and heavy merger and acquisition activity. In order to estimate program changes needed and technology investment for monitoring and control, information security and network teams must work together and use all data available to assess the areas of risk and be innovative about remediation tactics.
– Sonia Arista, national director of healthcare for Fortinet and a former CISO of a large hospital system
Do you have complete visibility into every endpoint on your network? Make sure your security strategy is up to the challenge of safeguarding your critical data by asking the critical questions above and performing a thorough risk assessment.
Reduce Exposure and Risk
With more and more caregivers, administrators, patients and family members accessing the online resources of healthcare systems, security is more important—and more difficult—than ever. Sirius Director of Healthcare Vik Nagjee is featured in an informative video about the security challenges posed by healthcare provider networks’ ever-expanding attack surface, and what can be done to reduce exposure and risk. Watch the video now.