Cyberattacks were the top cause of healthcare data breaches in 2015, according to a recent study by Symantec Corporation on healthcare cybersecurity.
The study showed that providers have shifted their views on healthcare cybersecurity to account for the rise of cyber threats, such as ransomware and phishing scams, and the increasing risk to care delivery and patient safety.
“For the first time in 2015, criminal attacks are the number one cause of data breaches in the health sector,” stated the study. “Why? Because, the cybercriminals have figured out that health data is deep and valuable, and that healthcare IT infrastructure, from traditional IT systems to connected medical devices, is typically vulnerable and easy to penetrate.”
In the last ten years, the majority of healthcare data breaches were caused by lost or stolen devices, explained the report. However, in 2014, there was an 82 percent increase in healthcare data security incidents caused by cyberattacks.
The study revealed a significant increase in sophisticated phishing and ransomware attacks that targeted entire healthcare IT systems in 2015.
Targeted cyberattacks compromise more than PHI and patient data. Data security incidents can impact care delivery and patient safety because hospitals may need to shut down EHR and other health IT systems across the organization or network.
Recently, a ransomware attack on MedStar Health caused providers to revert to paper processes for several days after the organization took its EHR and email systems offline. Many of the healthcare network’s processes were halted or slowed down and patient volumes were substantially reduced.
Researchers attributed the rise in healthcare cybersecurity threats to the increase in innovative medical devices. These devices were found to be particularly vulnerable because they provided easy back-door entry to hospital networks.
“Healthcare is a uniquely difficult environment to secure against cyber threats and often security measures conflict with care delivery,” wrote the authors of the report. “There are a lot of shared devices, many of which are critical to patient care. Routine security measures often don’t work in a clinical context.”
Many providers also use networked medical devices to implement a home care network. Remote patient monitoring devices and platforms are helpful for population health management, but the tools are usually connected to a public and less secure network.
Medical devices are not properly secured because developers are focusing more on innovation, stated the report.
Regulatory procedures require that medical devices go through a formal product development, test, and release process. This can oftentimes delay the installation of security measures.
To battle cyberattacks, healthcare organizations may need to concentrate more on enhancing cybersecurity frameworks and less on compliance, explained the study.
There are more data security incidents in the healthcare sector than in any other industry because the healthcare industry is highly regulated. Healthcare organizations are required by laws, such as the Breach Notification Law and the HITECH Act, to report every data breach.
Most healthcare providers reported that they concentrated more on meeting compliance requirements for protecting PHI than on developing comprehensive cybersecurity processes.
Additionally, healthcare organizations should implement comprehensive cybersecurity frameworks that extend beyond the IT department.
“Certainly, security technologies are available to protect organizations from these sophisticated attacks across multiple security control points―email, network, and endpoint―but the front line of defense is still the employee who receives the email and may be tempted to click on an infected web link,” stated the report. “Investment in contemporary security technology is important, but always needs to be complemented by training and drills for your workforce.”
The healthcare industry faces unique challenges when it comes to protecting patient data. From a web of regulations to the high value of health information, organizations are trying to develop security postures that respond to ever-evolving cyberattacks.
Whether a laptop containing PHI is stolen or hackers gain access to an EHR system, healthcare providers need to prepare for a wide array of threats.
“Any breach, no matter how small, can provide valuable information to attackers as they accumulate details on healthcare organizations, their staff and patients, and their IT infrastructure,” noted the report.