December 9, 2016

Connecting with care: How ready is healthcare IT?


IT security professionals in the healthcare industry have a difficult job. Every day they face the seemingly impossible task of delivering on two opposing goals: enabling the connectivity and transparency that power digital healthcare, while maintaining strong barriers that protect data, devices and networks from breaches and cyber-threats.

This challenge is made even harder because digital healthcare puts confidential patient data in the hands of ever more medical staff who have no security training. New vulnerabilities are opening up everywhere and, if left unaddressed, will quickly be seized on by attackers.


The growing threat

According to the Ponemon Institute, the number of criminal attacks on healthcare organisations has doubled in the last five years. In 2015, 112 million medical records were breached in the US alone, 78.8 million of them exposed in a single hacking attack on healthcare insurer, Anthem Blue Cross. Europe is equally vulnerable: in February 2016, a number of hospitals in Germany were hit with ransomware attacks, leading to critical operations being postponed.

To date, many European governments and individual healthcare providers have been free to make their own decisions about cyber-security and protection, which in practice often meant that investment in IT security was minimal. This is about to change.

Healthcare providers and their IT security teams need to understand and address the requirements that affect them. Not just for the sake of ‘tick-box’ compliance or to avoid a punitive fine and embarrassing reputational damage, but because doing so will ensure that they and their patients can reap the many rewards of advanced digital healthcare, confident in the knowledge that data, devices and networks are secure.

The drive for connected healthcare

The healthcare sector in Europe is harnessing the power of the internet and digital technologies to enhance medical care for a growing and ageing population, while reducing operational costs and improving efficiency. This digital transformation includes concepts such as eHealth, mHealth and connected clinical environments.

The introduction of electronic healthcare records (EHR) enables patient data to be transferred between healthcare providers and even across national borders, supporting accurate, consistent and continuous care. Mobile devices such as smartphones and wearables allow long-term chronic conditions to be managed remotely, while medical equipment, from MRI scanners to pacemakers and drug infusion pumps, can be networked together to share data, analyse it, adjust settings and trigger treatment in real time.

Everywhere, patients benefit, healthcare professionals benefit, and overall costs to the nation are reduced.

(Dis)integrated IT systems

Security vulnerabilities are also found in the IT infrastructure of healthcare providers themselves. New approaches, including cloud services, virtualised environments and wireless networks, are being widely introduced as part of digital transformation. However, these technologies are often bolted onto legacy infrastructure and components, with mission-critical equipment frequently left running on old, unsupported operating systems. Any gap in security or resilience puts the provider at risk of accidental data leakage. At worst, it hands attackers a way into immensely valuable data repositories that they will not hesitate to exploit.

Employees

In many healthcare organisations, however, the greatest vulnerability is their employees. Highly trained and experienced healthcare professionals are not IT security experts, yet they are increasingly the custodians of highly confidential digital records and data. The best IT security measures in the world will fail unless employees understand the risks and know how to handle information responsibly and with care.

The appeal of healthcare to cyber-attackers

Cyber-criminals are drawn to healthcare for a number of reasons: the black-market and blackmail value of confidential patient medical data; the extortion opportunities of ransomware; the scope for targeted attacks through equipment and dosage tampering; and the malicious satisfaction of paralysing a hospital or clinic by disabling its systems. Kaspersky Lab’s own research has shown that it can be relatively easy to hack into a hospital.

Healthcare providers and their IT security teams need to implement the sophisticated, high quality protection that will allow them to withstand such attacks.

How to get future-ready

There are a number of things healthcare providers and their IT security professionals can do to cope with the growing pressure of known and emerging threats. The good news is that many of them already appear on any list of security best practices.

They include implementing a comprehensive, multi-layered security solution that covers legacy as well as new systems and every kind of device; keeping device software up to date; encrypting all data as standard; and introducing robust authentication. This should be complemented by sound information governance policies: ensuring that confidential or personally identifiable information can be tracked and accounted for at all times, restricting data access to authorised individuals, and educating employees.

Conclusion

Over the next few years, the pace of healthcare’s digital journey will accelerate, introducing ever greater connectivity and generating ever more data. At the same time, cyber-attackers will become more creative and professional, and the number of attempted attacks will increase. It is only a matter of time before healthcare-specific regulation is introduced, and by then the penalties will be even more unforgiving. Don’t wait until tomorrow to introduce the safeguards your patients and organisation deserve today.