The healthcare industry has come a long way in improving patient care. Lifesaving instruments such as pacemakers and insulin pumps are now combined with connectivity. Remote monitoring by a health professional can track dramatic spikes in a patient’s heart rhythms. An alert is then sent to a physician for preventative measures. It’s a lot better than repairing damage after the fact.
Nevertheless, if a device is connected to the internet in some way, it is susceptible to hacking. Two cybersecurity researchers showed how they were able to remotely hack pacemakers and alter patient heart rhythms in ways that could harm or kill the patient. One researcher, Billy Rios, put the danger in perspective: “If a pacemaker for a patient gets hacked, you can’t take that back…You can’t issue them a new credit card. You can’t tell them to change their password. You can’t issue them credit monitoring.”
Image Source: https://null-byte.wonderhowto.com/forum
While there haven’t been any reported cases of medical device hacking deaths, Wired has reported on hacking unprotected medical devices for private patient data. In their report on medical device security nightmares, they indicated that “the medical data discovered in these types of attacks can be used for tax fraud or identity theft, and can even be used to track active drug prescriptions, enabling hackers to order medication online to then sell on the dark web.”
Healthcare IT security is a crucial element of any medical company as the stakes are no longer limited to money, data, or identity, but can be life or death. While many challenges exist for healthcare IT security, there are solutions from both government regulation and partnering with healthcare security services.
Cybersecurity Challenges within the Healthcare Industry
Hackers are like slippery fish that quickly adapt to their environment and become more difficult to catch. Aided by a rapidly changing technology landscape, the hacker darts between toolsets evading even the most clever fishermen.
Healthcare IT security is a challenging element of the healthcare industry because for a long time there were no strict regulations on how patient data should be handled and stored. Scribes took notes and organized paper records that medical professionals could later pull to assess patient care. The only thing the healthcare industry had to worry about was losing records, fried hard drives, or some kind of disaster like a fire.
With the introduction of computers, file sharing, connected medical devices, and cloud services, among other technologies, data were more than just a few pieces of paper and the good memory of nurses and doctors. This holistic, robust approach to healthcare and data brought many challenges to the healthcare industry.
Any system that stores data in an electronic database or a cloud database is susceptible to hacking. Since 2009, the number of reported data breaches has steadily increased. This trend is due to the increased skill of hackers and the tools available to them, the lack of preparation or updates on hospital and other healthcare systems, and of course, the amount of available data.
Hackers aren’t the only challenge threatening the safety of patient data. The HIPAA Journal reports that unauthorized access or disclosure is another source of a data breach.
Human error remains one of the top threats to private patient data. Employee error can be negligent, the result of ignorance of system operations, or malicious in nature. Sometimes the error is due to an employee not securing a program, which leads to data leaks. Other times, a manager gives access to an employee who should not have it. Employees may also fall prey to phishing scams or other outside methods. If negligence weren’t bad enough, there are also employees who purposefully wish to cause harm to a company. They may sell data to a private third party or seek retribution against a manager who mistreated them or chose another for promotion.
One such incident of employee error occurred when an employee uploaded a file containing member information to a public website. This employee IT error was exacerbated by the fact that neither a manager nor the IT team noticed the records were exposed; for a total of three months, 16,762 patients had their data openly accessible on the public website.
Phishing attacks are another common source of data breaches. Hackers may be able to gain access to employee emails, access codes, or private information about patients by tricking employees to click on external links or send information to the hacker.
Still another potential source of error is a misconfigured database. This can be the result of either a third-party security company that misconfigures a database or an internal team doing so.
In June and August, two different health vendors, Medico and Amarin Pharma “reported data breaches caused by misconfigured databases, which potentially exposed the data of thousands of patients.” These two misconfigured database breaches left identifying information about 78,000 patients exposed, and leaked a total of 1.7GB of documents, PDFs, spreadsheets, and medical reports.
Challenging as healthcare IT security is, government entities and private companies are working on healthcare IT security solutions to prevent expensive and burdensome data breaches.
Healthcare IT Security Solutions
There are many ways in which healthcare companies can improve their security. Some of these methods include:
- Establishing a security culture: One of the ways to prevent employee error is by implementing ongoing cybersecurity education and training programs. Every member of the company is responsible for protecting patient data, because a single employee who falls for a phishing scam can give an attacker access to information.
- Maintaining good computer habits: All new employees should be trained in best practices for computer use. This includes the use of software for operating system maintenance.
- Controlling access to private health information: Grant access to private health information only to those who need to use or view the data. This means ensuring that each instance of granting information is carefully scrutinized so that employees who should not be responsible for granting access to private data cannot do so.
- Limiting network access: Just as access to private health information should be tightly controlled, only the proper organizational authorities should authorize installations of applications, software, or any other additional system updates. Doing so prevents installing software riddled with malware or systems that are not properly programmed.
- Maintaining and installing anti-virus software: Keeping anti-virus software up to date is crucial to ensuring the best possible protection against system attacks. Updates should be applied continuously. Working with a security company to test systems and recommend anti-virus software is also a beneficial practice.
- Using a firewall: Any device connected to the internet should have a firewall in place.
- Protecting mobile devices: Many health care providers use mobile devices at work, which makes those devices targets for hackers as well. It is crucial that encryption and other protective measures are put in place to guarantee that the information on the device is secure. It may be best to consider implementing policies in which employees have designated devices for work rather than mixing personal with professional devices.
- Using strong passwords and changing them regularly: Many breaches occur because hackers took advantage of default, stolen, or weak passwords. Have employees use strong passwords to protect information and change these passwords with some frequency. It might be wise to consider additional password protection for important, confidential information that only a few should access.
- Planning for unexpected occurrences: Take care to back up files for easy and quick data restoration should a hard drive crash or any other kind of disaster occur. Storing data in a cloud or separate from the main system will help prevent losing the data a second time.
- Controlling physical access: Computers and other electronic equipment should be secured to prevent physical break-ins. It is possible to access private data when a thief steals physical devices.
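The two access-control items above, granting records only to staff who need them and making sure the people who hand out access are themselves a controlled group, can be made concrete in code. The following is an added example, not code from the article or from RSI Security: a small in-memory policy layer in which reading a record requires both a clinical role and an explicit per-patient grant, only a designated privacy-officer role may grant or revoke, and every decision (allowed or denied) is written to an audit trail. The role names, user names and patient identifiers are constructed for the demonstration.

```python
"""Least-privilege access to patient records with an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions held by each role. "grant"/"revoke" are deliberately kept apart
# from "read" so a clinician cannot widen access on their own (separation of duties).
# Role names are constructed for this example.
ROLE_PERMISSIONS = {
    "clinician": {"read"},
    "billing": {"read_billing"},
    "privacy_officer": {"grant", "revoke"},
}


@dataclass
class AccessControl:
    roles: dict                                  # user -> role name
    acl: dict = field(default_factory=dict)      # patient_id -> set of users allowed to read
    audit_log: list = field(default_factory=list)

    def _log(self, actor, action, target, outcome):
        # Every decision is recorded, denials included, so a reviewer can later
        # see who tried to reach which record and who handed out access.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
        })

    def _has_perm(self, user, perm):
        return perm in ROLE_PERMISSIONS.get(self.roles.get(user, ""), set())

    def grant(self, actor, user, patient_id):
        """Allow `user` to read `patient_id`. Only a privacy officer may do this,
        and only to a user whose role is meant to read clinical records."""
        target = f"{user}->{patient_id}"
        if not self._has_perm(actor, "grant"):
            self._log(actor, "grant", target, "denied")
            return False
        if not self._has_perm(user, "read"):
            # The grantee's role never reads clinical records; refuse rather than widen it.
            self._log(actor, "grant", target, "denied-role")
            return False
        self.acl.setdefault(patient_id, set()).add(user)
        self._log(actor, "grant", target, "ok")
        return True

    def revoke(self, actor, user, patient_id):
        target = f"{user}->{patient_id}"
        if not self._has_perm(actor, "revoke"):
            self._log(actor, "revoke", target, "denied")
            return False
        self.acl.get(patient_id, set()).discard(user)
        self._log(actor, "revoke", target, "ok")
        return True

    def read_record(self, user, patient_id):
        """Both conditions must hold: a reading role AND an explicit grant for this patient."""
        allowed = self._has_perm(user, "read") and user in self.acl.get(patient_id, set())
        self._log(user, "read", patient_id, "ok" if allowed else "denied")
        return allowed

    def denied_events(self):
        return [e for e in self.audit_log if e["outcome"] != "ok"]


def demo():
    """Walk through the policy with constructed users; returns the outcomes and the object."""
    ac = AccessControl(roles={
        "dr_alice": "clinician",
        "dr_bob": "clinician",
        "carol": "billing",
        "dave": "privacy_officer",
    })
    results = {
        "alice_before_grant": ac.read_record("dr_alice", "patient-001"),   # no grant yet
        "bob_self_grant": ac.grant("dr_bob", "dr_bob", "patient-001"),     # clinician cannot grant
        "dave_grants_alice": ac.grant("dave", "dr_alice", "patient-001"),  # privacy officer can
        "alice_after_grant": ac.read_record("dr_alice", "patient-001"),
        "grant_to_billing": ac.grant("dave", "carol", "patient-001"),      # wrong role, refused
        "dave_revokes_alice": ac.revoke("dave", "dr_alice", "patient-001"),
        "alice_after_revoke": ac.read_record("dr_alice", "patient-001"),
    }
    results["denied_count"] = len(ac.denied_events())
    return results, ac


if __name__ == "__main__":
    outcomes, control = demo()
    for name, value in outcomes.items():
        print(f"{name}: {value}")
    for event in control.denied_events():
        print("DENIED:", event["actor"], event["action"], event["target"], event["outcome"])
```

The point of the design is that no single role can both read records and extend who reads them, and that the audit log captures denials as well as successes; the three-month exposure described earlier is exactly the kind of incident an unreviewed log of grant and read events would have surfaced much sooner.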
Another method that helps protect the healthcare industry was the establishment of HIPAA laws. The Health Insurance Portability and Accountability Act was signed into law on August 21, 1996. Designed to modernize record-keeping, HIPAA focused on protecting patient data.
This was really the first crucial step in establishing any sort of data protection, as most medical practitioners were merely relying on paper records to track patient data. Paper records were difficult to store in large quantities, to transfer to other medical professionals, or to safeguard against physical catastrophes.
These first steps into digital record keeping and management were a positive shift from illegible or incomplete records. Doctors could add as many notes or files as needed without fear of wasting space. Healthcare professionals must be HIPAA compliant. Compliance doesn’t need to be complicated; tools such as a HIPAA compliance checklist can make it easy to meet all the requirements.
Unfortunately, as medical records moved online, the danger of catastrophic loss shifted from fire or flood to outright theft. Cybercriminals were profiting from the poor safeguards put in place by medical professionals. After all, their expertise was really in saving lives and improving health, not firewalls and healthcare IT security. So, another revolutionary act was adopted to respond to the growing attacks against healthcare data.
HIPAA laid the groundwork for record management and moving into the digital space; the Health Information Technology for Economic and Clinical Health (HITECH) act revolutionized it. Data was being collected, stored, and shared, but it wasn’t doing much more than that. HITECH really focused on two main principles: analyzing data and protecting data.
Now that doctors could track patient data and share information within the medical community, the ability to utilize that data in meaningful ways became a reality. Doctors could assess budgetary needs by tracking patient demographics such as serving the elderly or expectant mothers. This data could be shared to fuel a geriatrics or maternity program/ward.
Analyzing data helps improve healthcare for all patients. Transferring and sharing knowledge creates a healthcare community that promotes positive health practices across clinics and medical centers. HITECH provisions encouraged using this data to develop better drugs and healthcare practices.
Nonetheless, this more robust data collection and transfer of data increased the likelihood that the data could be compromised. Thus, the HITECH act also focused on implementing provisions that protected the patient.
Some of these provisions included controlling who had access to data, extending provisions and regulations to third-party businesses, stricter enforcement of regulations, requiring medical professionals to notify patients of data breaches, and harsher punishments for non-compliance than HIPAA had.
HITECH protects patient data in many ways, from audits to regulating data transfer. By maintaining HITECH compliance, medical centers drastically improve their healthcare IT security. The image below shows how the HITECH act was crucial in extending patient privacy to all parties involved, not just the primary healthcare service.
Image source: https://www.televox.com/graphics/hitech_act.jpg
This means that a company like TeleVox must maintain the same level of security standards as the covered entity would. They are also under the same obligations to protect patient data. Additionally, this can give patients peace of mind that these third-party services are not selling or transferring their data without their direct authorization given to their covered entity.
Partnering with Healthcare Security Services
Even with new laws and acts being passed, government planning and laws cannot regulate every issue or attack. This is why the final piece of improving healthcare IT security is partnering with healthcare security services. These services can manage governmental or basic compliance oversight. A service will generally perform more robust audits and reporting than a basic compliance checklist.
Healthcare security services often do more than just meet basic requirements; instead, they actively focus on mounting aggressive defenses that adapt to new types of attacks. The time between HIPAA’s first introduction into law and the HITECH act 13 years later indicates that the government is not the fastest service for preventing loss and damage.
This is why partnering with a healthcare security service like RSI Security is so crucial to meeting healthcare IT security needs. Remember that with HITECH, even business associates must be compliant. It would be worthwhile for a business associate to indicate to a covered entity that beyond just being HITECH or HIPAA compliant, they are also actively working with a healthcare security service.
Privacy is increasingly becoming a topic of conversation across political lines and in the homes of all Americans. With new generations carrying cellphones and accessing computers at younger and younger ages, data privacy is a key component on which to focus.
Google recently began amassing private health data without the users’ knowledge, prompting journalists to question the ethics behind this action. Was the trade-off of “better healthcare” worth not knowing who had access to private patient data? Google argued that its actions complied with HIPAA laws and that it was creating tools to improve patient care.
The question then remains: is the government doing enough to protect private patient data? Did Google find a way to exploit the complicated HIPAA laws to serve its own means? If the healthcare industry really wants to improve its relationship with patients and protect their private data, it appears the best solution is pushing for more robust privacy laws and partnering with healthcare security services that protect patients.