During the pandemic, our gratitude for healthcare workers is growing all the more. Yet, grateful as we are, cybersecurity is another burden added to the load healthcare workers already carry.
Members of the cybersecurity community recognize that there are security challenges in healthcare, and this article will explore them.
Join us in examining these challenges and ways to alleviate them.
Health Industry Information Systems and Security Challenges in Healthcare
The healthcare industry is an enormous business ecosystem with many moving parts. Even on an individual, organizational scale, the information system is incredibly complex. With cross-industry partnerships, government contracts, and public health needs, this leviathan of an industry requires special attention when it comes to security.
The primary reason so many cybersecurity professionals and governmental bodies are concerned about the industry’s security is the type of data processed.
Why Is the Healthcare Industry on Cyberattackers' Radar?
There are many reasons why the healthcare industry is the target of cyberattacks and under public scrutiny.
The information healthcare organizations hold is valued above financial data by some attackers and bad actors. The exposure of healthcare data has real implications for the individual and is a privacy risk.
The patient can suffer from:
- Embarrassment or loss of face due to their condition being exposed
- Blackmail operations built on their health data
- Identity theft and fraud committed using their health data
Lastly, budgetary constraints, a constant theme in these security challenges as we will see throughout the article, make the healthcare industry a relatively easy target for would-be attackers.
Healthcare Internet of Things (IoT)
The adoption of IoT has exploded in the past decade, and the healthcare industry has also seen mass IoT innovation. But innovation often outpaces security. It is important to note that IoT has done wonders for advancing traditional sectors. With the use of mobile technologies, many developing nations and overlooked businesses have seen massive growth.
The positives are also clearly seen in the healthcare industry. Streamlining the management of devices on a single information system has afforded better healthcare. With such fast growth in IoT, you will eventually hit a bump in the road. And that bump has manifested as security issues.
Attackers have taken advantage of IoT providers rushing to push out their latest fix-all device without considering the security implications. With so many devices now circulating the market, it is a hacker’s paradise for exploiting vulnerabilities.
Just imagine all the IoT devices used in a hospital, from heart-rate monitors to IV drips. Nowadays, some devices will automatically administer the required medication via internet connectivity, ushering in a truly futuristic age. But it is also a nightmare to imagine unsecured devices leading to patient death.
IoT will undoubtedly lead to a bright future for the healthcare industry, but we must also be prudent regarding its security. Later on in the article, we will see that the other challenges the healthcare industry faces only compound the security issues of IoT adoption.
eHealth Records and Digital Transformation
Standards like HITECH have pushed for electronic patient information in the healthcare industry. The standard rightly sees this adoption as a means to increase productivity and reduce costs across the board. Many industries have already benefited from transitioning to a more cyber-friendly business environment.
Traditionally, the healthcare industry has been slow to move, with most of its tech adoption coming from devices that directly impact care (like MRIs). Unfortunately, this has left information management by the wayside, leading standardization bodies like HITECH to step in.
Thankfully, they have not forgotten the security requirements of the industry, and you will commonly see HITECH referenced in the same sentence as the Health Insurance Portability and Accountability Act (HIPAA). This regulation requires healthcare providers to adhere to a set of privacy and security rules that protect sensitive patient information.
But the ongoing digital transformation of the industry has not come without its fair share of teething problems. The industry rarely has the time or resources to budget for security frameworks. Although organizations may comply with regulations, the internal mechanisms are still “faulty” and open to attack.
An example of this, which we will explore in more detail in the next section, is health practitioners’ ability to balance privacy and patient needs.
“To Err Is Human”
Possibly the biggest challenge that the healthcare industry faces is human error. If you’re part of the healthcare industry, don’t feel bad: human error is the biggest issue in cybersecurity across all industries.
Relying on machines to adhere to security policy is simple. You make the policy, and the device follows it to a T. In fact, attacks that bypass encryption are rare: only 1-2 percent of total breaches in 2019 bypassed any form of encryption.
The lion’s share of hacks came from exploiting human error. Whether it be social engineering or using a computer that was left logged in, hackers are always looking for gaps.
The budgetary constraints in the healthcare industry compound the effects of human error. Healthcare professionals are not expected to know the best practice cybersecurity methods, but the administration should make an effort to instill some basic cyber hygiene.
You can’t eliminate human error, but you can significantly mitigate it. Staff awareness training programs will reduce the chance of attackers exploiting your staff, and they will also help you comply with regulations (like HIPAA or the GDPR).
Whatever you choose to do, understand that low security awareness among your organization’s personnel will significantly increase your risk. Recognizing this as a significant challenge in the healthcare industry will help you stay ahead of your competitors, and it will also have long-term effects on changing the paradigm.
Legacy Systems and Outdated Technology
As mentioned throughout the article, the healthcare industry is plagued with budgetary constraints. Both public healthcare infrastructure and private healthcare have to juggle the needs of staff and patients.
In most cases, the organization will prioritize spending on improving healthcare provision (do you know how expensive an MRI scanner is?). For obvious reasons, improving patients’ health should be the top priority of health providers. Still, it is essential to mention that the individual’s security and privacy are quickly becoming important too.
With this in mind, most hospitals still employ information management systems that are outdated – a killer for any information system. An obsolete system means that the provider no longer supports it and will not patch any security issues.
For this reason, attackers will target legacy systems. Any vulnerability discovered will remain for the entirety of the system’s operation. If you don’t replace such systems, a single exploit could halt the entire operation of the hospital immediately.
The same is true for outdated technology. There are still cases of patient diagnostics being sent by fax. It’s not that you shouldn’t use a fax, but there are much better and more secure methods when dealing with sensitive information.
The speed of complete network takeover is exacerbated in legacy systems. When an attacker finds an “in”, all devices on the local area network (LAN) are susceptible, which can jeopardize the entire information system.
For example, scanners and other medical equipment usually connect to local area networks within the hospital. If an attacker gains access to the local network by exploiting legacy systems, they can cause catastrophic damage to the hospital. They can, for instance, easily change settings on scanners and other devices and even change scheduling and medicine dosages.
In a historically tragic event, ransomware was used to freeze a German hospital’s information system, which resulted in a patient’s death. Attackers locked staff out of the information system, meaning the patient could not be transferred to the correct ward for their treatment.
Extensive Third-Party Networks
Business networks are very far-reaching, especially in today’s global economy. Healthcare providers have always had extensive third-party networks. From drug stores partnering with pharmaceutical companies to contracts with governments and hospitals, the healthcare behemoth is a large web.
This web is great for job creation and for improving people’s health, but, like a piece of knitwear, it only takes pulling one thread to have the whole thing unravel. These complex networks pose security challenges to the industry. It is only in the past decade that third-party networks have become a point of concern.
With data protection regulation nominating third-party risk management as a primary tool in combating data loss, third-party networks have been brought into the cybersecurity fold.
Much like IoT, cloud technology has seen a massive increase in the past decade. More industries are seeing the benefits cloud tech is bringing to their business. However, cloud technologies further complicate already complex information systems, especially if adopted from a cloud-services provider.
The healthcare industry could reap the benefits of cloud technology, and some organizations already do, but this adds an extra layer of risk. As we have seen, the industry’s limited resources prevent most organizations from developing an in-house cloud system, which means they will have to rely on a provider.
The provider then becomes part of the third-party network and can be a liability instead of an asset if not picked correctly.
Thankfully, some conditions make the process of picking a provider much smoother.
- Ensure the provider has a good reputation with existing clients
- Ensure the provider has stated that the security of the cloud system is a priority to them
- Check what options there are to conduct a cloud pen-test (if available, you can test your information system’s security resilience).
Unfortunately, the reality of software-as-a-service means that we’re limited to how the provider implements their cybersecurity architecture. But that does not mean you have to buy what they are selling.
Remember, some providers specialize in the storage and processing of sensitive data, which means they will likely have to comply with the same regulations as you.
The final data security challenge on the list is encryption. Previously, we mentioned legacy systems, and they fall under the encryption fold too. The healthcare industry is woefully under-encrypted.
A robber won’t have to do much work robbing a house if the doors are unlocked. And it’s even easier for a hacker if your data isn’t encrypted; they don’t even have to carry the goods out.
The healthcare industry’s very fabric relies on patient health information (PHI), which happens to be the gold the pirates are after. It is paramount that organizations employ all means to protect that data, and encryption is your greatest tool.
There are a wide array of encryption methods that the healthcare industry can use:
- Public Key Infrastructure (PKI): can work well for enterprise information systems.
- Hashing techniques: hashing is an excellent way to protect the passwords that guard sensitive data.
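As an added example (not code from the original article), the following Python shows the point behind the hashing bullet: a weak, unsalted hash beside the hardened form, a salted and iterated PBKDF2-HMAC-SHA256 hash from the standard library, with constant-time verification and a check for stored records whose work factor has fallen behind policy. The iteration count, the record format and the sample password are constructed values for this example, not figures from the article.

```python
"""Added example: protecting the passwords that guard PHI with a salted,
slow password hash (PBKDF2-HMAC-SHA256 from the Python standard library)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed work factor for this example; raise it as hardware allows.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """The insecure 'before': a single, unsalted SHA-256.

    It is fast to compute and identical for every user with the same
    password, so a leaked table can be attacked with precomputed hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hardened form: per-user random salt plus a tunable iteration count.

    Returns a self-describing record (constructed format) so the parameters
    can be raised later without breaking existing accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's own parameters and compare in
    constant time; any malformed record is treated as a failed login."""
    try:
        algorithm, iterations, salt_b64, derived_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy
    (or is not in the expected format), so it can be upgraded transparently
    at the user's next successful login."""
    try:
        algorithm, stored_iterations, _salt, _derived = record.split("$")
        return algorithm != ALGORITHM or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    pw = "correct horse battery staple"
    print("weak hashes identical for every user:", weak_hash(pw) == weak_hash(pw))
    record_a, record_b = hash_password(pw), hash_password(pw)
    print("salted records differ per user:", record_a != record_b)
    print("verify correct password:", verify_password(pw, record_a))
    print("verify wrong password:", verify_password("wrong", record_a))
    print("old record needs rehash:", needs_rehash(hash_password(pw, iterations=1000)))
```

The record carries its own algorithm name and iteration count, so when policy raises the work factor, `needs_rehash` flags old records and the application can re-hash the password at the next successful login; `hmac.compare_digest` keeps the comparison time independent of how many bytes match.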
The reality is that the industry does not have the resources or time to implement wide-scale encryption. However, steps like training doctors in encryption as part of security awareness could make a considerable difference to the industry’s long-term cyber resilience, even at an individual level.
Conclusions and Recap
The healthcare industry has a long road ahead of it to reach an appropriate level of security. But the road does not have to be hard.
Understanding the challenges is the first step in becoming aware of your shortcomings. In this article, we discussed:
- Internet of Things (IoT) in the healthcare industry
- eHealth records and the impact of digital transformation
- Tackling human error
- Updating legacy systems and getting rid of old vulnerable tech
- The question of protecting third-party networks
- Cloud technologies
Tackling these issues and applying cybersecurity best practices will set the industry on the right path. Protecting the privacy of the patient while providing the best healthcare is possible.
If you are in the healthcare industry and are concerned about your organization’s cyber health, don’t hesitate to contact RSI Security today.
We offer top-end cybersecurity services from full-stack security architecture implementation to compliance advisories, like HITECH and HIPAA.
Don’t let security challenges in healthcare be a worry; schedule a consultation today.