Increased and imminent — that’s how the FBI and the Cybersecurity and Infrastructure Security Agency describe the rising cyber threats faced by already strained healthcare providers in an advisory last October. Attacks like ransomware and phishing are becoming more and more alarming, with over 40 million Americans affected by healthcare data breaches in 2019 alone.
And although the industry is expected to spend a whopping $125 billion on cybersecurity between 2020 and 2025, the threat of cybercrime looms over big and small providers alike. But how did we get here, and how can the industry ensure a more secure future?
The cybersecurity landscape in healthcare
It wasn’t too long ago that not even half of all healthcare organizations were using electronic health records (EHRs). The passing of the Health Information Technology for Economic and Clinical Health Act of 2009 made EHRs commonplace. And though this did bring about the much-needed digitalization of healthcare, it also ushered in cybercriminals looking to take advantage of the technology to get their hands on newly digitized healthcare data.
And how tempting all this data turned out to be. Just last year, medical data was reported to be 50 times more valuable than credit card data. “Medical information is a lot richer,” Chris Bowen, ClearDATA founder and chief privacy and security officer, told D Magazine. “You can create or seek medical treatment, abuse drugs, or get prescriptions. The life span is so much longer than a credit card.” Moreover, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, points out that EHRs can go for $20 on the deep web, and then be developed into full-on identity kits that are worth $1,500 to $2,000.
Compounding the problem is the fact that often, technological systems and programs are being developed at a faster rate than security measures and policies can evolve. This means that simply relying on compliance with Health Insurance Portability and Accountability Act (HIPAA) guidelines can be dangerous for many healthcare institutions.
And not every institution can adapt and innovate as easily. Karen Schechter, director of Maryville University’s online healthcare management degree program, says that addressing cyber threats can be a costly and complicated endeavor for healthcare providers. Keeping up with the constantly evolving tech landscape can be extremely difficult on top of everyday operations and the current health crisis, particularly for smaller organizations.
“Larger healthcare organizations are constantly working on building secure technology infrastructures to safeguard medical data internally and externally,” Schechter says in an interview with The Mighty’s Renee Fabian. “Smaller organizations and individual providers, while also at risk, have a more difficult time implementing security measures due to lack of resources.”
So given all the constraints, what kind of threats are healthcare providers facing?
Common threats faced by healthcare providers
Increasingly, cybercriminals have been turning to ransomware attacks, in which a form of malware encrypts files or systems until a payment, or ransom, is made. The October FBI report reveals that Russian-based cybercriminals known as Ryuk are planning to launch ransomware attacks on more than 400 US healthcare facilities. Universal Health Services, one of the largest healthcare providers in the US, fell victim to this kind of attack in September.
Another threat to healthcare institutions is phishing, which HIPAA reports is involved in over 60% of data breaches in the industry. In a phishing attack, cybercriminals pose convincingly as a legitimate institution and trick victims via e-mail, phone, or text message into divulging information like usernames, passwords, and other sensitive data.
Last but not least are insider threats: legitimate employees who pose a risk to your system’s security, either unknowingly or deliberately. This can take the form of an employee mistakenly clicking a malicious link, which opens the door for malware to infect your network, or of a team member who has been coerced or bribed by cybercriminals into stealing data.
What can be done?
The good news is that there are always things healthcare managers and employees can do to strengthen their institution’s cybersecurity. A previous post by our very own Marc Beck highlights the importance of backing up your data and updating your software on a regular basis.
It’s also a good idea to implement organization-wide training to educate employees on good cyber hygiene and security measures.
Lastly, you can also switch to a secure cloud-based EHR system like CureMD, which can help improve care delivery, boost safety, and minimize costs.
A submission exclusive to medipro.com by writer Elise