Preparing Healthcare Data Security for Hackers in 2016
Healthcare data security measures must be stronger than ever as more hackers are looking for ways to infiltrate covered entities’ networks.
The healthcare industry is undergoing a digital revolution. For the most part, this means positive developments in the speed, efficiency, and effectiveness with which the industry can treat patients and prevent diseases.
Unfortunately, it’s also a boon for hackers.
In fact, the healthcare industry was the most targeted sector for cyberattacks in 2015, with over 100 million medical records compromised. Last year, two of the largest known cyberattacks targeted healthcare organizations. The hack on health insurance giant Anthem’s network was responsible for 70% of all compromised records that year.
Given the increased digitization of health records and the growing reliance of medical procedures, monitoring, and life-saving devices on digital technology, this growing wave of cyberattacks is cause for great concern – and the healthcare industry’s vulnerability to targeting by cyber-criminals will only increase. Here’s why:
The growing use of Electronic Health Records (EHRs) in the healthcare industry has created a plethora of online data, offering hackers a tantalizing trove of financial and informational plunder. These records hold the most sensitive data imaginable, from medical histories, psychological profiles, and family connections to billing data and addresses.
These same records can be used by threat actors to conduct insurance fraud, perform identity theft, and even extort victims. What’s more, unlike financial data such as credit card details, medical information does not expire once stolen and cannot be cancelled with a phone call – so the perpetrators can reuse it over and over again. As such, healthcare data is extremely valuable on the black market. Health records for individuals can sell for around $60 each, nearly 20 times the black market value of a stolen credit card number.
Beyond deceptive acts against individuals, there is also the threat of corporate cyber-espionage. This is particularly acute in the pharmaceutical industry, with its long-term R&D processes and wealth of valuable intellectual property.
In short, the high resell value of both corporate and individual data helps make healthcare organizations extremely desirable targets.
Lack of Awareness
The healthcare industry is undergoing a massive technology transition – from migrating health records to digital formats, to using new storage and processing techniques to analyze patient data. The rush to digitally revolutionize the industry is in full force, but it is coming at the expense of securing the data in these systems, which has lagged behind. Other industries with a more mature approach to securing data have already established policies and procedures for handling attacks, including sharing security strategies and tactics.
Healthcare still needs to catch up.
Lack of Know-how & Human Resources
Additionally, there is a woeful lack of security professionals in the healthcare industry, and many of those working in the field have admitted to feeling inadequately prepared to defend their organization against a cyberattack.
New Attack Vectors
Critical medical devices such as insulin pumps or digital pacemakers can also be compromised by threat actors. A few years ago, a security researcher presented ways to remotely modify the dosage rates of an insulin pump. In another case, researchers showed how easy it was to manipulate baby monitors. As these devices become increasingly connected, they also offer dangerous opportunities for threat actors.
Healing Healthcare Security
One important bill impacting the future of healthcare cybersecurity is the Cybersecurity Act of 2015. The bill requires the Department of Health and Human Services (HHS) to assess the healthcare industry’s capability to respond to cyberattacks, and establishes a task force to determine how information security tactics from other industries can be integrated into the healthcare sector.
Together with HIPAA, these measures mandate that healthcare and related organizations secure EHRs or face possible fines. These regulations are forcing the sector to take full responsibility for managing the threats.
While regulation tries to provide standards, it does not provide a security panacea. Because healthcare is such a valuable target, threat actors will eventually find a way to penetrate organizations. And, as the latest attacks have demonstrated, existing methods of detecting threat actors before they cause damage have proven ineffective.
An attacker’s goal is not to enter a foreign network just to say they did, but to seize valuable data from it. That is why there needs to be a paradigm shift in the approach to cybersecurity. The healthcare sector needs to shift its focus from preventing infiltration to preventing information from being tampered with or stolen. Hackers always seem to find a way into a network, and healthcare organizations, so critical to so many people’s lives, must find a way to carry on with business as usual while they are combatting the threat.
Cyber-crime is a growing industry and is not going away anytime soon. However, the healthcare data security threat can be significantly reduced if emphasis is put not on keeping the hackers out, but rather, on rendering the attacks themselves harmless.
By Roy Katmor of enSilo