Rawpixel - Fotolia
Published: 08 Mar 2018
The state of healthcare cybersecurity technology largely reflects an ever-growing target for hackers created by an IT network that has extended connections to multiple organizations and devices through mergers and affiliations.
In response, better use of cloud computing and further exploration of artificial intelligence and blockchain will bolster patient data protection. But even with a flush of technology investments -- as well as improved antimalware, antiphishing and security products with extensive intelligence features -- healthcare organizations will still suffer from a high number of cyberattacks this year, predicted Lynne Dunbrack, a research vice president at IDC Health Insights.
In particular, IT analysts and security executives at healthcare organizations are watching for increased threats against connected medical device security. "We think medical devices will be the next wave of cybercriminal attacks," Dunbrack said. She added that cybercrime is increasingly profitable given the high black market value of health records when compared to stolen credit card and social security numbers. SearchHealthIT has previously reported that a stolen patient record can fetch $20 to $50, while a credit card record is worth $10 to $20.
"Ransomware attacks will surge as cybercrime as a service becomes more mainstream and cybercriminals become more 'professional' by offering their services to aspiring cybercriminals," Dunbrack said.
Security risks rise
As breaches to medical device security become more prevalent, IT security executives at healthcare organizations will have to apply the same type of security software, policies and procedures that exist for other IT devices, said Kristopher Kusche, vice president and CISO at Albany (N.Y.) Medical Center. The health system operates an academic health sciences center and a hospital with more than 700 beds.
"One of the big shifts that WannaCry highlighted is that the medical device world can be just as susceptible to the cyberthreats as our traditional IT devices," Kusche said.
Health IT security executives need to create an inventory of wireless diagnostic equipment if they want to carry out an effective program to ensure connected medical device security. "A good inventory of a hospital's medical devices is important because, from that inventory, you can do all of the typical security checks like risk assessment, mitigation management, patch management, network isolations and updating security software," Kusche explained.
Machine learning could harden targets
A prevention strategy that health IT executives are embracing more is the use of artificial intelligence, particularly machine learning. In a 2017 study conducted by PWC Health Research Institute, 39% of health provider executives said they were investing in AI, machine learning and predictive analytics.
"I think AI technologies have already started becoming more integrated and will continue to be integrated in 2018 into our security platforms in healthcare," Kusche said. "As the threat environment changes and as the exploits become more sophisticated, more advanced analytics tools will have to be layered on top of our basic block-and-tackling measures."
At the Healthcare Information and Management Systems Society (HIMSS), the organization's director of privacy and security, Lee Kim, said there are incremental improvements in machine learning's ability to perform threat detection from which healthcare organizations will eventually benefit. She also noted that machine learning has the potential over the next five years to significantly harden information systems and networks across the healthcare industry.
"Machine learning could be used to more efficiently detect and remediate threats," Kim said. "Ideally, a cyberthreat detection system, which deploys machine learning, could be more accurate than the traditional state-of-the-art technology."
Potential blockchain proving ground
Another nascent technology with an important security component is blockchain, which acts as a virtual ledger that verifies transactions within a "block" of data. Each transaction must be verified by computers within the blockchain's peer-based network, making any tampering difficult.
Importantly, blockchain can provide more verification and validation of transactions; it also can minimize access to data records, which means there are fewer eyes looking at the data, said Mitchell Parker, executive director of information security and compliance at Indianapolis-based Indiana University Health.
Dunbrack agreed. "A number of blockchain use cases in healthcare will improve security and data protection by creating an immutable record of the transaction and providing a strong audit trail," she said. "These use cases include provider and consumer identification, [internet of things] device identification, supply chain management and interoperability, to name a few."
Kim said blockchain offers IT managers the opportunity to rethink the way security should be applied to transactions in healthcare. "We need more innovation around how we conduct secure, electronic transactions," she explained. "Right now, we often use very old protocols, which are prone to attack, eavesdropping and compromise. We need to raise the bar and provide better security around electronic transactions in healthcare. To this end, blockchain may be worthwhile investigating further."
High-stakes healthcare breaches continue
Health IT managers are trying to raise awareness among employees about the importance of practicing security prevention tasks, such as looking out for suspicious emails, refraining from downloading documents generated from questionable sources and quickly reporting the loss of devices connected to the IT enterprise.
Still, data breach incidents are occurring at a rapid pace. Healthcare breaches involving ransomware increased 89% from 2016 to 2017, according to a report released in January from cybersecurity firm Cryptonite LLC. The study, which relied on data from the U.S. Department of Health and Human Services' Office of Civil Rights, showed that there were a total of 140 data breach events in 2017, which was a 24% increase over the 113 incidents reported in 2016.
Things didn't start off well in 2018, either. On January 18, Allscripts Healthcare Solutions, a vendor of electronic medical records, was hit by a ransomware attack that disrupted clients' business operations. In the same week, Singing River Health System, based in Ocean Springs, Miss., was forced to shut down its entire computer network to protect its data after a computer attack was detected. The health system operates two hospitals and is one of the largest employers on the Mississippi Gulf Coast.
Cloud diffuses past security worries
While innovative technologies will create new security strategies, old problems remain: There are few skilled IT professionals dedicated to cybersecurity efforts.
One alternative to that labor crunch is to migrate health data to the cloud. Though it was once deemed a data security risk, IT executives at healthcare organizations are now increasingly turning to cloud technology -- particularly hybrid cloud setups -- to help strengthen their data security strategy.
"In 2018, more health IT security managers will come to a more resounding conclusion that cloud actually improves security," Parker said. "This will happen because big cloud vendors, such as [Amazon Web Services] and Microsoft Azure, have more people working on security than any single health organization could."
"Today, healthcare IT executives recognize that the large cloud service providers know more about securing data centers and have better access to threat intelligence than they do," Dunbrack said. "Security professionals are in high demand, and it is difficult for healthcare organizations to attract and retain security professionals, especially smaller hospitals in rural areas."
Security training for healthcare workers
While technology is an important defense, it's just as crucial to make sure each employee understands steps they can take to protect health data in their day-to-day activities. Hospitals should place greater emphasis on training staff members on how to recognize phishing, spear phishing and even whaling, a type of phishing attack that targets executives, Dunbrack said.
"The high-profile ransomware attacks have all started with malware embedded in a link or attachment included in an email and then opened by an unsuspecting person," she explained. "Healthcare organizations [should] require all staff to successfully complete security training, including how to detect a phishing email. Some healthcare organizations will send mock phishing emails to complement this training and identify staff members who need additional training and reminders about being careful and inspecting emails that look even remotely suspicious."
Many patient data breaches are caused by simple human error. "Empowering individuals to make wiser security decisions," Kim said, "will be a priority in 2018."