Why Cybersecurity Breaches Are on the Rise for Healthcare

By John Trobough

The US healthcare industry has embraced its digital future — and that future is dependent on the Internet. The passage and implementation of recent legislation has mandated the adoption of connected healthcare technology as a way to reduce costs, increase patient privacy, and improve care collaboration and quality of healthcare services.

Healthcare providers are introducing Internet-enabled patient monitoring devices that transmit readings of vital signs, send alerts if readings are abnormal, enable communication between patients and their physicians or nurses, and make patients’ private electronic health records available on their physicians’ tablets or smartphones wherever they are. But with all this data come risks.

The Dangers of a Networked Healthcare System

As the healthcare system rapidly embraces digital information and Internet of Things (IoT) for connected care, the risk for cybersecurity breaches goes up. Other industries, including retail and financial services, have made headlines in recent years because of their vulnerabilities to cyber attackers, who are stealing credit card numbers and other private consumer information.

A recent BitSight Insights report found that healthcare organizations have both a high volume of security incidents and the slowest response time compared to other industries, with the average event duration being 5.3 days. The healthcare industry also saw the largest percentage increase in cybersecurity incidents from April 2013 to March 2014.

So Why is the Healthcare Industry so Vulnerable?

For one thing, healthcare organizations have not started to treat potential cybersecurity breaches as a major strategic issue. If healthcare technology spending is any indication, industry executives do not yet view cybersecurity as an area of focus. According to BitSight Insights, healthcare institutions are plagued with weak encryption of patient records stored on hospital servers, poor authentication and authorization protocols, and unsecure communications of sensitive patient records.

What are Cyber Attackers After?

Gaining access to patients’ Electronic Health Records (EHRs) is a lucrative business. Unlike banks – which are set up to detect fraud and shut off compromised numbers quickly – pharmacies, physicians’ offices, health insurance companies and others in the industry are slow to detect fraud. Moreover, they often lack procedures to flag and block patient identifiers in their databases, giving thieves months of opportunity. Medical identities can also be sold to and used by multiple buyers. That’s why medical identity theft typically rewards thieves with $20,000 in payout for their efforts, compared to $2,000 for a credit card number.

The Hidden and Unhidden Costs of Healthcare Data Breaches

In addition to steep fines for violations, healthcare organizations face the same costs that companies in other industries incur with cyber attacks: investigation, containment, and recovery costs for information theft, equipment damage, loss of trust in the medical service provider, patient liability and business disruption. The Ponemon Institute estimates that a cyber attack costs more than $32,000 a day. The longer a healthcare technology threat goes undetected, the worse the damage becomes.

Additionally, litigation by patients whose identities have been compromised exposes healthcare organizations to enormous financial ramifications of cybersecurity breaches. All told, the average economic impact of a data breach at a healthcare organization is about $2 million over a two-year period, according to Ponemon.

Perhaps even more alarming is the potential for cyber attackers to disrupt a hospital’s systems in order to interrupt medical service or take down critical infrastructure. In this ominous scenario, malware that infiltrates the hospital’s systems, such as EHRs, connected monitors, and drug-delivery systems, could leave the hospital unable to provide emergency care at all.

Finally, there is the cost of consumer trust. A survey by the National Partnership for Women & Families found that up to 66 percent of consumers do not believe their electronic health records are safe or well-protected, and that EHRs will lead to more personal identity theft. As more healthcare technology breaches make headlines each day, patients’ trust and sense of security and privacy will continue to wane.

Thinking Bigger Picture About Cybersecurity

Healthcare is clearly an industry on the brink of a potential cybersecurity nightmare. With so many devices, users and applications now connected to their networks, healthcare organizations and their security teams face huge volumes and velocities of data and metadata entering their IT environments. Much like bring your own device (BYOD), IoT brings new vulnerabilities into a network.

Even with malware detection and network perimeter security defense software in place, organizations can barely keep up with all the devices and data traversing the network, let alone interpret what it means, and determine what they need to do to protect their systems and intellectual property.

Healthcare organizations must look at cybersecurity holistically and turn to solutions that bridge the gaps left by existing security infrastructure, gaining full visibility into activity on networks with hundreds of connected devices that leave protected health information vulnerable to exfiltration. Contextual insight into this activity, delivered in real time so that organizations can rapidly identify and prevent a cyber threat, is the key to building a secure, cost-effective and trusted modern healthcare organization.

John Trobough is the president of Narus. John brings more than 20 years of operations and international experience in the telecommunications and mobile software industries to the company. He is leading the Narus team to establish its cyber innovation presence in Silicon Valley and is dedicated to delivering the next generation of cyber security data analytics for enterprises, carriers and governments around the world. Prior to joining Narus, John was president of Teleca USA. He also held executive positions at Openwave Systems, Sylantro Systems, AT&T and Qwest Communications. John co-founded Gravitate, a company that created location-based, peer-to-peer applications and services.