Technology has many advantages and brings sophistication and convenience to all aspects of life. However, it also has its vulnerabilities. In the healthcare industry, for instance, there are growing concerns about the security of healthcare data and devices, which calls for more vigilance across every process in an organization. Healthcare organizations that outsource medical data entry tasks to professional data entry companies should also ensure that the companies they partner with have strict data security policies in place.
Medical devices have become more exposed to cybersecurity breaches largely because of their increased connectivity to existing computer networks. Medical records are a rich source of valuable data, yet their defenses are often weak, which helps explain why healthcare is one of the biggest targets for cybercriminals. Breaches include theft of health information and ransomware attacks on hospitals, and may extend to attacks on implanted medical devices. Such breaches can erode patient trust, cripple health systems and threaten human life. Cybersecurity is therefore critical to patient safety, and new legislation and regulations are in place to drive change.
The Department of Health and Human Services (HHS), in collaboration with the Health Sector Coordinating Council (HSCC), published Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients on December 28, 2018. The publication provides voluntary cybersecurity practices for health care organizations of all types and sizes, from local clinics to large health care systems. It responds to the mandate in Section 405(d) of the Cybersecurity Act of 2015 to develop practical guidance that cost-effectively reduces cybersecurity risk across the health care industry. The task group led by HHS and the HSCC, made up of cybersecurity industry leaders, developed the HICP Publication. All health care organizations should review the HICP Publication and consider implementing its recommendations.
The main document of the publication examines the five most relevant current threats to the health care industry and recommends 10 cybersecurity practices to help mitigate them.
Current Cybersecurity Threats to the Healthcare Industry
According to the main document of the HICP Publication, the following are the most current cybersecurity threats to the health care industry.
- E-mail phishing attacks – These attacks attempt to trick an e-mail recipient into giving out information. An attacker, posing as a trusted party such as a friend, co-worker or business partner, sends an e-mail that includes an active link or attachment. Once the recipient opens the link, they are taken to a website that may solicit sensitive information, infect the computer or compromise the organization’s entire network. The HICP Publication reports that a health care organization is exposed to phishing when it lacks IT resources for managing suspicious e-mails, software that scans e-mails for malicious content or bad links, detection software that tests suspicious content, or e-mail sender and domain validation tools. Phishing can result in stolen access credentials and an erosion of trust or brand reputation in the community. It can also affect the ability to provide timely, quality patient care, which in turn raises patient safety concerns.
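The sender and domain validation the bullet above refers to can be approximated with a small header-triage script. The following is an added example for this article, not code from the HICP Publication or from any product: it reads a raw message, pulls the SPF/DKIM/DMARC verdicts our own gateway stamped into the Authentication-Results header, and checks for a display name that claims a trusted domain, a redirected Reply-To, a look-alike sender domain and look-alike link hosts. The trusted domain list, the two sample messages and the indicator names are constructed for illustration.

```python
"""Triage a received e-mail's headers and body for common phishing indicators.

Added example, not code from the HICP Publication. TRUSTED_DOMAINS, the two
sample messages and the indicator names are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumed: domains the organization owns or trusts. A real deployment would
# load these from the mail gateway's configuration.
TRUSTED_DOMAINS = {"hospital.example", "labpartner.example"}
LOOKALIKE_MAX_DISTANCE = 2   # edit distance at which a domain counts as "too close"

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(addr: str) -> str:
    """Lower-case domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains such as hosp1tal.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not trusted but is within a few edits of one."""
    return (domain not in TRUSTED_DOMAINS and
            any(edit_distance(domain, t) <= LOOKALIKE_MAX_DISTANCE for t in TRUSTED_DOMAINS))


def text_body(msg) -> str:
    """Concatenate the text/plain parts of a message (handles multipart too)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw: str) -> list:
    """Return the list of phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Sender-authentication verdicts stamped by our own gateway (SPF/DKIM/DMARC).
    auth = {m.lower(): r.lower()
            for m, r in AUTH_RESULT_RE.findall(msg.get("Authentication-Results", ""))}
    for mech in ("spf", "dkim", "dmarc"):
        if mech in auth and auth[mech] != "pass":
            findings.append(f"{mech}_{auth[mech]}")

    # 2. Display name advertises a trusted domain that the real sender address lacks.
    if from_dom not in TRUSTED_DOMAINS and any(t in display.lower() for t in TRUSTED_DOMAINS):
        findings.append("display_name_spoof")

    # 3. Replies are silently redirected to a different domain than the visible sender.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")

    # 4. Sender domain is a near-miss of a trusted one (a 1 swapped for an i, etc.).
    if is_lookalike(from_dom):
        findings.append("lookalike_domain")

    # 5. A link in the body points at a look-alike host.
    hosts = {urlsplit(u).hostname or "" for u in URL_RE.findall(text_body(msg))}
    if any(is_lookalike(h) for h in hosts):
        findings.append("lookalike_link")
    return findings


# Constructed sample messages (not real mail).
LEGIT_MSG = """\
From: Dr Alice Example <alice@hospital.example>
To: records@hospital.example
Subject: Lab results ready
Authentication-Results: mx.hospital.example; spf=pass smtp.mailfrom=hospital.example; dkim=pass header.d=hospital.example; dmarc=pass header.from=hospital.example

Results are in the portal: https://hospital.example/portal/12345
"""

PHISH_MSG = """\
From: "it-support@hospital.example" <support@hosp1tal.example>
Reply-To: mailbox@drop-zone.example
To: alice@hospital.example
Subject: Action required: password expires today
Authentication-Results: mx.hospital.example; spf=fail smtp.mailfrom=hosp1tal.example; dkim=none; dmarc=fail header.from=hosp1tal.example

Your password expires in 2 hours. Reset it now at http://hosp1tal.example/reset
"""

if __name__ == "__main__":
    print("legit:", triage(LEGIT_MSG))
    print("phish:", triage(PHISH_MSG))
```

The script trusts the Authentication-Results header only because the gateway that stamps it is assumed to strip any copy supplied by the sender; without that stripping, rule 1 can be forged.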
- Ransomware attack – Ransomware is a type of malware that denies access to a user’s data by encrypting it with a key known only to the attacker who deployed the malware, until a ransom is paid. Ransomware is commonly delivered through phishing e-mails that ask the recipient to open an attachment or click an embedded link. Once the data is encrypted, the ransomware directs the user to pay the attacker, typically in cryptocurrency, in exchange for a decryption key. Paying the ransom, however, does not guarantee that the attacker will decrypt or unlock the data. According to the HICP Publication, an organization’s exposure to ransomware stems from a lack of system backups and anti-phishing capabilities; unpatched software; a lack of anti-malware detection and remediation tools; a lack of tested and proven data backup and restoration; and a lack of network security controls such as segmentation and access control. A ransomware attack can cause partial or complete clinical and service disruption, patient care and safety concerns, and the expense of recovery.
- Loss or theft of equipment or data – Every day, mobile devices such as laptops, tablets, smartphones and USB/thumb drives are lost or stolen and may end up in the hands of attackers. When the lost equipment is not appropriately safeguarded, for example by encryption and password protection, the result may be unauthorized or illegal access to, dissemination of, and use of sensitive data. As per the HICP Publication, the following can lead to the loss or theft of equipment or data:
- Lack of asset inventory and control
- Failure to encrypt data at rest
- Lack of physical security practices, including open office and poor physical management
- Lack of simple safeguards, such as computer cable locks to secure devices
- Lack of effective vendor security management, including controls to protect equipment or confidential data
- Lack of an “End-of-Service” process to clear sensitive data before IT assets, including medical devices, are discarded or transferred to other users or organizations.
Loss or theft of equipment or data can harm a health care organization by exposing or losing sensitive information such as proprietary or confidential information or intellectual property. It can also mean the theft or loss of unencrypted PHI (Protected Health Information) or PII (Personally Identifiable Information), which constitutes a data breach requiring notification of the impacted individuals and regulatory agencies and, for larger breaches, the media. The organization’s reputation will suffer severely as a result.
- Insider, accidental or intentional data loss – There are two types of insider threats: accidental and intentional. An accidental insider threat is unintentional loss caused by honest mistakes, procedural errors or some degree of negligence. An intentional insider threat is malicious loss or theft caused by an employee, contractor or other user of the organization’s technology infrastructure, network or databases, intending personal gain or harm to the organization or another individual. The HICP Publication reports that health care organizations are exposed to insider data loss through files containing confidential data being accidentally e-mailed to incorrect or unauthorized addressees, and through the lack of: adequate monitoring, tracking and auditing of access to patient information in electronic health record systems; logging and auditing of access to critical technology assets such as e-mail and file storage; technical controls to monitor the e-mailing and uploading of sensitive data outside the organization’s network; and physical access controls or training about social engineering and phishing attacks. Insider data loss leads to reportable breaches and incidents when PHI or PII is accidentally lost through e-mail or unencrypted mobile storage, and when employees inappropriately view patient information. Financial loss occurs when insiders fail to follow proper procedures, for example when employees hand over banking account and routing numbers after falling for phishing e-mails disguised as bank communications.
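The monitoring and auditing of electronic health record access that the bullet above calls for comes down to reviewing the EHR audit trail against who is actually allowed to see each record. The following is an added example for this article, not code from the HICP Publication or from any EHR vendor: it runs three rules over a constructed audit export (access with no recorded treatment relationship, access outside working hours, and many distinct records opened in a short window, the pattern of both snooping and bulk export). The log format, the care-team table, the shift hours and the thresholds are all constructed and would come from the EHR and rostering systems in practice.

```python
"""Review an EHR access audit export for insider-threat indicators.

Added example, not part of the HICP Publication. CARE_TEAM, AUDIT_LOG, the
after-hours range and the bulk threshold are constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed care-team table: which users have a treatment relationship with
# which patient. Access outside this table has no recorded clinical justification.
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.patel"},
    "P1002": {"nurse.kim"},
    "P2045": {"dr.patel"},
}
CARE_TEAM.update({f"P30{i:02d}": {"clerk.ross"} for i in range(1, 7)})

AFTER_HOURS = (range(22, 24), range(0, 6))   # hours treated as outside the working day
BULK_WINDOW = timedelta(minutes=10)
BULK_DISTINCT = 6                             # distinct patients in the window that trigger a flag

# Constructed audit export: ISO timestamp, user, action, patient id (not sorted on purpose).
AUDIT_LOG = """\
2024-03-04T09:02:11,nurse.kim,VIEW,P1001
2024-03-04T09:05:40,nurse.kim,VIEW,P1002
2024-03-04T09:30:05,dr.patel,VIEW,P1001
2024-03-04T23:48:10,clerk.ross,VIEW,P1001
2024-03-04T11:15:22,nurse.kim,VIEW,P2045
2024-03-04T13:00:00,clerk.ross,VIEW,P3001
2024-03-04T13:00:30,clerk.ross,VIEW,P3002
2024-03-04T13:01:00,clerk.ross,VIEW,P3003
2024-03-04T13:01:30,clerk.ross,VIEW,P3004
2024-03-04T13:02:00,clerk.ross,VIEW,P3005
2024-03-04T13:02:30,clerk.ross,VIEW,P3006
"""


def parse(log: str) -> list:
    """Parse CSV audit lines into (timestamp, user, action, patient), oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return sorted(events)


def review(log: str) -> list:
    """Return (rule, user, detail, timestamp) for each suspicious access event."""
    findings = []
    recent = {}          # user -> deque of (timestamp, patient) inside BULK_WINDOW
    bulk_flagged = set() # users already reported for bulk access
    for ts, user, _action, patient in parse(log):
        stamp = ts.isoformat()

        # Rule 1: no treatment relationship recorded for this user and patient.
        if user not in CARE_TEAM.get(patient, set()):
            findings.append(("no_treatment_relationship", user, patient, stamp))

        # Rule 2: record viewed outside working hours.
        if any(ts.hour in hours for hours in AFTER_HOURS):
            findings.append(("after_hours", user, patient, stamp))

        # Rule 3: many distinct records opened in a short sliding window.
        window = recent.setdefault(user, deque())
        window.append((ts, patient))
        while window and ts - window[0][0] > BULK_WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_DISTINCT and user not in bulk_flagged:
            bulk_flagged.add(user)
            minutes = BULK_WINDOW.seconds // 60
            findings.append(("bulk_access", user, f"{len(distinct)} patients in {minutes} min", stamp))
    return findings


if __name__ == "__main__":
    for rule, user, detail, stamp in review(AUDIT_LOG):
        print(f"{stamp} {rule:26} {user:12} {detail}")
```

Rule 1 is the one that catches the "employee inappropriately views patient information" case the text describes; the after-hours and bulk rules are only risk signals and need the user's role and shift roster before anyone acts on them.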
- Attacks against connected medical devices – An attacker may try to gain access to a health care provider’s network to take control of a connected medical device (such as an apparatus, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory, which is recognized in the official National Formulary or the United States Pharmacopoeia or any supplement to them) in order to put patients at risk. HHS notes that connected medical devices become vulnerable when software patches, including the routine commercial system patches needed to maintain the device, are not applied on time, or when legacy equipment that is out of date and lacks current functionality remains in use. Connected medical devices often cannot run endpoint security agents and so may be invisible to an organization’s intrusion detection system (IDS); patient safety and data integrity therefore depend on identifying and understanding the relevant threats and threat scenarios. Cybersecurity information about medical devices is not readily available in health care organizations, which makes cybersecurity optimization more challenging and can mean missed opportunities to identify and address vulnerabilities, increasing the likelihood of a successful attack.
Attacks against connected medical devices can therefore have broad implications for health care organizations. Even when considering data entry outsourcing, healthcare businesses need to make sure that their partner company follows strict client data security policies.
In our next blog, we will discuss some of the best practices recommended by HICP to help minimize these cybersecurity threats.