An IBM report claimed that the healthcare sector was the most frequently attacked sector, as more than 100 million health records were compromised and the report referred to 2015 as “the year of the healthcare breach.” In this guest post, Neil Hartley, head of North American operations for an enterprise legacy-to-cloud software company, details why the healthcare industry is such a prime target for hackers and how hospitals can protect themselves.
Data breaches and other cyberattacks don’t appear to be going away any time soon. Not only are breaches becoming more frequent, they’re becoming more severe, as well. In just the past few years, we have witnessed some noteworthy cyberattacks on the healthcare industry.
Anthem, the nation’s second largest health insurance company, reported in February 2015 that the protected health information (PHI) of nearly 80 million patients was leaked during a massive cyberattack. The very next month, Premera Blue Cross, another of the nation’s leading insurance providers, reported another sizable breach affecting 11 million patients. Both of these breaches originated with cyber criminals hacking network servers and illustrate the increasing severity of data breaches in the healthcare industry.
Focus on healthcare
Why the increased attention on healthcare organizations?
Attackers are turning to the healthcare sector because its systems tend to hold more lucrative information than other data sources, such as credit or debit card records. A compromised card can be cancelled and reissued; the information in a personal health record, such as a legal name, Social Security number or date of birth, cannot be changed. The medical industry is also appealing because it typically takes victims longer to realize the information has been stolen and to report it.
Government regulation is not delivering the security it promised, either. A number of regulatory statutes aimed at protecting healthcare operations have emerged. Hospitals, health insurance companies, clinics, nursing homes and other healthcare organizations must comply with their own policies and with HIPAA requirements in order to protect the privacy and security of patient information. These regulations aren't proving effective, and the penalties levied against healthcare organizations punish them after the fact rather than reward them for being proactive.
In 2009, the American Recovery and Reinvestment Act (ARRA) passed; its HITECH provisions pushed providers to adopt electronic health records through incentive payments and, later, reimbursement penalties for those who did not. The data in electronic health records determines not only how a patient is treated but also how a provider is paid under the Patient Protection and Affordable Care Act (ACA), also known as “Obamacare.” The statute’s focus on digitized data has fueled a rapidly expanding healthcare technology marketplace.
The ACA, signed into law on March 23, 2010, reinforced that push: providers had to adopt electronic health records whether or not they were financially prepared to invest in securing them. As a result, many healthcare providers have bolted electronic records onto outdated software systems as an inexpensive way to store patient data.
Growing attraction for cyber thieves
In an equally troubling development, HealthCare.gov, the government online portal used by millions to purchase health insurance under “Obamacare,” logged over 300 cybersecurity incidents from October 2013 to March 2015, according to a report by the Government Accountability Office. Furthermore, the report found that the HealthCare.gov portal remains vulnerable to hackers.
Healthcare systems and databases are growing increasingly attractive to cyber thieves because they frequently run on outdated, complex legacy systems. These older platforms aren’t agile, cannot meet the increasing and specific demands of modern healthcare, and are far more prone to breaches than modern systems, leaving patients at increased risk.
As healthcare organizations struggle to adhere to government requirements like HIPAA and the Affordable Care Act, compliance has become the focus and information security has largely remained an afterthought. Non-compliance carries financial penalties, so a number of organizations are hesitant to report breaches for fear of being strictly penalized.
Implement multilayer security programs
Unfortunately, updating outdated legacy systems takes valuable time and can be an expensive endeavor. In order to better protect themselves and their patients, healthcare organizations need to begin to immediately develop and implement multilayer security programs to protect their systems, employees and patients.
A comprehensive multilayer security program begins with an experienced and dedicated internal IT department. Many healthcare organizations rightly place positive patient outcomes ahead of cybersecurity, but training the IT team to recognize and respond to a cyberattack is becoming more important every day.
An experienced IT team will likely centralize security governance in a security operations center (SOC) in order to assess, monitor and defend the enterprise’s systems more easily. Strengthening the internal IT department is a good first step for vulnerable healthcare organizations.
Access to systems needs to be controlled through identification and authentication. Both the Anthem and Premera breaches were carried out with stolen credentials, which is exactly the attack a password on its own cannot stop. Organizations should require multi-factor authentication wherever possible, starting with remote access and administrative accounts.
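To make the second factor concrete, here is an added example of what a server-side check for a time-based one-time password looks like, written in Go against RFC 6238. It is not code from the original post or from Morphis. The secret is the reference key from RFC 6238 Appendix B, used only because its expected codes are published; the one-step drift window and the replay caveat are assumptions that reflect common practice rather than anything the post specifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

const timeStep = 30 // seconds per TOTP step (RFC 6238 default)

// totpCode computes an RFC 6238 code (HMAC-SHA1) for a given Unix time.
// secret is the raw shared key; digits is the length of the code the user types.
func totpCode(secret []byte, unixTime int64, digits int) string {
	counter := uint64(unixTime / timeStep)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the top bit of that window is masked off.
	offset := int(h[len(h)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code := bin % uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// verifyTOTP accepts the code for the current step and one step either side
// (clock drift tolerance). All three candidates are compared in constant time
// and the result is OR-ed together so timing does not reveal which digits or
// which step matched. Callers must also reject a step that has already been
// accepted for this user; otherwise a sniffed code can be replayed inside the window.
func verifyTOTP(secret []byte, submitted string, now int64, digits int) bool {
	ok := 0
	for skew := int64(-1); skew <= 1; skew++ {
		expected := totpCode(secret, now+skew*timeStep, digits)
		ok |= subtle.ConstantTimeCompare([]byte(expected), []byte(submitted))
	}
	return ok == 1
}

func main() {
	// Reference secret from RFC 6238 Appendix B, used only because its expected
	// outputs are published. A real secret comes from per-user enrollment and is
	// never kept in source code.
	secret := []byte("12345678901234567890")
	fmt.Println(totpCode(secret, 59, 8))               // 94287082
	fmt.Println(verifyTOTP(secret, "94287082", 59, 8)) // true
}
```

The two properties worth checking in any MFA library you adopt are the ones exercised here: a code is accepted only within a small window around the current step, and comparison is constant-time. Replay protection (remembering the last accepted step per user) has to be added on top.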
Another way healthcare organizations can protect themselves without completely modernizing is by encrypting their data. Encryption at rest protects against stolen disks, backups and database dumps; it does not help against an attacker holding a valid user’s credentials, who reads the data through the application just as the user would, so it complements access control rather than replacing it. According to a survey conducted by Sophos, a security software and hardware company, healthcare IT decision-makers could be doing more to protect sensitive patient data. The survey showed that IT decision-makers in the healthcare industry are shockingly irresponsible when it comes to data encryption: only 31% of the healthcare organizations surveyed use extensive data encryption to protect sensitive information, while a substantial 20% don’t use any encryption at all.
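As an added example, not code from the original post or from Morphis, here is what field-level encryption of a patient record looks like in Go using AES-256-GCM from the standard library. The record IDs, the sample record and the in-process key generation are constructed for illustration; a production deployment would fetch the key from a KMS or HSM and wrap a separate data key per table or per record (envelope encryption) rather than generating one in the application.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealRecord encrypts one record's sensitive fields with AES-256-GCM.
// The record ID is bound as associated data (AAD), so a ciphertext copied
// from one patient's row into another fails authentication when opened.
// Output layout: 12-byte nonce || ciphertext || 16-byte GCM tag.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext, tag,
// key or record ID makes Open return an error rather than garbage plaintext.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// newDataKey returns a fresh 256-bit key. This stands in for a KMS or HSM
// call; the key must never be stored next to the data it protects.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	phi := []byte(`{"name":"Jane Doe","ssn":"000-00-0000","dob":"1970-01-01"}`)

	sealed, err := sealRecord(key, "patient-1001", phi)
	if err != nil {
		panic(err)
	}
	out, err := openRecord(key, "patient-1001", sealed)
	fmt.Println(bytes.Equal(out, phi), err) // true <nil>

	// Same ciphertext presented under a different record ID: rejected.
	_, err = openRecord(key, "patient-1002", sealed)
	fmt.Println(err) // cipher: message authentication failed

	// One flipped ciphertext byte: rejected.
	sealed[len(sealed)-1] ^= 0x01
	_, err = openRecord(key, "patient-1001", sealed)
	fmt.Println(err) // cipher: message authentication failed
}
```

The point of binding the record ID as associated data is that an attacker with write access to the database cannot swap one patient's encrypted fields into another patient's row unnoticed, and the authentication tag means any bit-flip in storage or transit is detected instead of silently producing wrong clinical data.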
Create comprehensive security programs
Another common pitfall that jeopardizes healthcare information security is the focus on meeting requirements set by HIPAA and the ACA, instead of creating detailed and comprehensive security programs. Oftentimes these regulatory requirements are the bare minimum and organizations would be better served and better protected by exceeding these regulatory security requirements.
In the end, while the ACA has pushed for more integrated care, that push has also widened access to patient records; a connected healthcare environment can be good for overall patient care, but it enlarges the attack surface. Both healthcare organizations and government agencies need to put a greater emphasis on cybersecurity in order to protect not only their patients but themselves as well.
Healthcare security is vital. A healthcare breach isn’t only dangerous but expensive. Finding a solution to cybersecurity in the healthcare sector can no longer be viewed as an afterthought, it must become a priority. A fundamental starting point is the modernization of those outdated and complex legacy systems.
Neil Hartley is the head of North American operations for Morphis, an enterprise legacy-to-cloud software company based in Portugal with offices in the U.S., U.K., Spain and Brazil.