Healthcare Security In 2015: 9 Hotspots
With data breaches growing, 2015 promises to be the healthcare industry's most challenging security year yet. These nine areas demand attention in 2015.
Healthcare organizations must tighten security or risk getting breached, penalized, and potentially ostracized by a public fed up with seeming carelessness with their personal information. Unfortunately, the task of securing protected health information (PHI) is only becoming more challenging for even the best-prepared organizations. Fitness bands, hospital portals, electronic health records, health information exchanges, insurance networks -- the list of Internet-connected devices, tools, and sites containing personal and medical data keeps growing.
The healthcare sector has been under attack for some time. In 2014, despite headlines dominated by JPMorgan Chase, Home Depot, and other retail or financial entities, the healthcare industry accounted for 43% of all major breaches, according to the Ponemon Institute.
Even attacks on companies that don't operate within the medical field can have healthcare-related consequences. When Sony Pictures Entertainment was hacked in November, cyberthieves apparently stole more than movies. They reportedly also took more than 25 gigabytes of data on tens of thousands of Sony employees, including medical and salary information, Social Security numbers, and addresses, according to Krebs On Security.
Within healthcare organizations, a whopping 93% of information held requires protection, according to EMC's The Digital Universe report. The data includes claims requests, PHI, and medical records. Yet only 57% of this information is "somewhat protected," while 43% is inadequately safeguarded, the report found. But IT professionals must balance security needs against healthcare professionals' need for fast access to data and applications; extra clicks can make a difference in a patient's life, after all.
"With the continuation of high-profile hacks, IT security, specifically distributed or mobile security, will be a renewed priority for many organizations," David Appelbaum, senior vice president of marketing at Moka5, told InformationWeek. "No one wants to be the next headline, and as the stakes go increasingly higher, the need for enhanced security that does not inhibit end-user productivity is becoming increasingly more of a requirement."
Healthcare organizations have been warned about the consequences of an insecure environment, and the cacophony of cautions grew following the Community Health System breach in August. Still, a frightening number of healthcare providers continue to ignore the alarms from a federal alphabet soup of agencies, including the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the Food and Drug Administration (FDA). Consider:
More than 41% of healthcare organizations do not use endpoint encryption, even though approximately one-third of employees work remotely at least once a week, according to Forrester Research.
Sixty-eight percent of the industry's breaches since 2010 have occurred because files or devices were stolen, the Bitglass 2014 Healthcare Breach Report determined.
Hacker attacks increased 600% in the first 10 months of 2014 versus the prior year, Websense Security Labs' Carl Leonard told TechNewsWorld.
Attackers also are becoming more sophisticated, experts warn. Cybercriminals are seeking more information than ever about their victims to sell, Websense researchers cautioned. "These fuller, richer, personal identity dossiers of individual users, consisting of multiple credit cards, regional and geographic data, personal information and behavior, will be increasingly traded in the same manner that stolen credit cards are today."
Because this information often resides within health systems' databases or networks, hospitals are natural targets and require extraordinary defenses.
With so much cyberdanger to battle, it seems obvious the healthcare industry will face additional crises in 2015. None of the underlying security issues are new, but all are crucial to address. Click through our slideshow to see the nine security hotspots we predict for healthcare in 2015.
Health information is valuable, and because it's at a premium, thieves will continue to steal it. Likewise, insufficiently trained employees, or workers at organizations that pay scant attention to creating a security-aware culture, will suffer data losses when unprotected devices are lost or stolen. By 2015, half of healthcare organizations will have suffered one to five cyberattacks in the prior year, with one to three deemed "successful," according to IDC's Futurescape for Health Insights.
"We think healthcare breaches are going to continue," Michael Bruemmer, vice president at Experian's Data Breach Resolution Group, said in an interview. "It's the distribution of data and all the access points; it's everything from where electronic medical records are and even the advent of wearable technology." Though Ponemon found "modest improvements" in the number of healthcare breaches between 2013 and 2014, the ongoing surge in adoption of health-related technologies and the lucrative market could propel that number higher in 2015.
Just as neither the CEO nor the chief financial officer should lead IT, at a large organization the chief information officer should not head security. Instead, health systems need a chief security officer experienced in security to lead the charge against vulnerabilities and toward protection.
Though many large health systems have hired a CSO, CISO, or similar professional, some of these executives don't know much about security. Small healthcare providers sometimes don't hire a security officer at all, perhaps relying on an external consultant, their CIO, or even a committee approach to safeguarding data, devices, and brand, Brian Evans, senior managing consultant at IBM Security Services, told InformationWeek this year. However, as security -- spanning computer devices, medical devices, digital products, physical security, training, websites, processes, and procedures -- becomes a full-time job, no CIO can successfully juggle both priorities. Wise hospitals are investing in a CSO and giving this person executive power to accompany the title.
"I've seen more smart technologies sit on the shelf because healthcare organizations haven't figured out the people and processes side," Evans said. "But they can say, 'We have an intrusion detection system in our organization.' It might be on, but it's not functioning appropriately. That's one of the many challenges healthcare organizations face. They need some expertise to drive through the gaps."
Healthcare providers must ensure partners that manage, store, or otherwise touch PHI meet all HIPAA and other security and privacy responsibilities. A simple signature on a contract does not meet a covered entity's obligation, as one oral surgeon told InformationWeek in October.
But the fine print won't -- and shouldn't -- stop healthcare providers from partnering. Increasingly, organizations are teaming up with cloud service providers, recognizing the value the cloud delivers. In fact, 80% of healthcare data will pass through the cloud at some point by 2020, IDC predicted.
For clinicians, every second counts. If security measures add time to procedures, they will no doubt find a workaround. It's equally likely that the workaround will undermine the controls IT so carefully devised.
It's imperative, then, that security chiefs and IT include clinical and other users when designing processes or considering new technologies. Even as security becomes more complex, it has to appear simpler to users.
Health systems have invested in mobile apps and websites: After all, the average consumer spent almost 52 hours looking up health information online in 2013 (and almost certainly that number has grown), and mobile platforms accounted for about 60% of digital media time in 2014.
Apps give providers a faster, more affordable way to address challenges such as patient engagement, population health, satisfaction scores, and readmission penalties, but they potentially open an insecure door into organizations' software or networks and thus require careful safeguarding. Though none of the top 20 iOS healthcare apps have been hacked yet, 90% of Android apps have been, including 22% that received FDA approval, according to Arxan's State of Mobile App Security. Overall, 97% of the top 100 paid Android apps and 87% of the top 100 paid iOS apps have been hacked; that does not include the many free apps available, Arxan found.
Employees also will continue to use their own devices, regardless of an organization's policy: 67% of employees overall use their personal devices, whether or not their employer has a BYOD program, and 77% never received any training about BYOD risks, according to Moka5.
Healthcare providers keep requesting more information from patients; they're seeking engagement via portals and relationships as the basis of population health initiatives. Yet data loss, no matter the root cause, easily and immediately can shatter that trust, especially if personal health information is compromised. More patients than ever want to communicate with their doctors via email, yet healthcare organizations lag other industries in their protection of this basic tool.
"The reputation of an institution takes a big hit every time there's a breach," Nat Kausik, CEO of Bitglass, said in an interview.
In its quarterly Email TrustIndex, Agari rated healthcare in "critical condition" for the first half of 2014 -- and little has been done to reverse this status. In the index, Agari analyzed 6.5 billion emails daily across 11 industries to determine which organizations were being targeted by cyberthreats and which companies proactively prevented these threats from reaching consumers. Of the 14 healthcare organizations surveyed, 13 were "critical," Agari found in August. Healthcare performed worse than any other industry surveyed, including retail, travel, logistics, and financial.
Open standards, such as DMARC, give healthcare organizations more control and visibility into email, protecting their brand and relationships.
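As an added illustration of the visibility and control the paragraph above attributes to DMARC (this is example code written for this page, not something from the article or from Agari), the following Python parses a `_dmarc` TXT record into its tag/value pairs and reports the settings that leave a sending domain exposed: a monitoring-only policy (`p=none`), a partial rollout (`pct` below 100), an unprotected subdomain policy (`sp=none`), and the absence of an aggregate-report address (`rua`), without which an organization gets no feedback on who is sending mail in its name. The two sample records are constructed for the example; no DNS lookup is performed.

```python
"""Parse and grade a DMARC (RFC 7489) DNS TXT record.

Added example, not code from the article. The record strings below are
constructed samples; in practice the record is the TXT value published
at _dmarc.<domain>.
"""

REQUIRED_TAGS = ("v", "p")
VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records: a monitoring-only record and an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; pct=100"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict.

    Raises ValueError if the record is malformed, lacks v= or p=, or
    carries an unknown disposition policy.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    for tag in REQUIRED_TAGS:
        if tag not in tags:
            raise ValueError("missing required tag %r" % tag)
    if tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags["p"] not in VALID_POLICIES:
        raise ValueError("invalid policy %r" % tags["p"])
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses found in the record.

    An empty list means the record both enforces (rejects spoofed mail)
    and provides visibility (collects aggregate reports).
    """
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: receivers only monitor; spoofed mail is still delivered")
    elif tags["p"] == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d: policy applies to only %d%% of failing mail" % (pct, pct))
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so there is no visibility")
    return findings


def is_enforcing(record):
    """True only for a well-formed record with no weaknesses; False on malformed input."""
    try:
        return assess_dmarc(record) == []
    except ValueError:
        return False


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, rec)
        for finding in assess_dmarc(rec) or ["no weaknesses found"]:
            print("  -", finding)
```

Run against a real domain, the record would come from a TXT lookup of `_dmarc.<domain>`; the check itself is the same. Treat `p=none` as the starting point of a rollout, not the end state: it yields the reports needed to inventory legitimate senders, after which the policy should move to `quarantine` and then `reject`.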
Diabetic Jay Radcliffe prefers to give himself insulin shots manually, rather than relying on an automated insulin pump, he told the Regulatory Affairs Professional Society. As a security researcher who hacks into medical devices for a living, he sees first-hand the vulnerabilities that permeate too many products.
In October, the US Department of Homeland Security investigated almost 25 cases of suspected cybersecurity flaws in medical devices, including an infusion pump and an implantable heart device, Reuters reported. That same month, the FDA published new guidelines -- but did not mandate countermeasures against hacking. This leaves the field open for criminals to launch a Hollywood-like attack on the growing number of software-equipped devices, ranging from monitoring equipment to implanted devices, used across the country.
Just as hackers often use small and midsized businesses or social engineering as conduits to break into otherwise-secure large enterprises, you can expect them to deploy similar tactics when pursuing large health systems or pharmaceutical companies. Healthcare security experts, like their counterparts in compliance, must remember they are only as protected as the weakest link, which could be a solo practitioner, a courier service, or another organization with few security barriers.
Just as criminals quickly used Ebola to launch online scams, healthcare IT professionals must stay alert to cybercrooks' propensity to use natural fears, especially medical worries, to try to separate consumers from their money and identities. Whenever a new cure, illness, or medical breakthrough hits the news, savvy technologists should be prepared to protect employees and patients from related scams.