To Hackers, Weak Hospital Data Security Is a Gold Mine
Hospital data security is a challenging issue — one that still plagues healthcare IT leaders. Charged with adhering to strict regulatory guidelines governing data management and meeting Service-Level Agreements (SLAs), IT leaders also contend with a sprawling array of data, which continues to grow.
Mobility adds yet another layer of complexity to the environment. Along with these concerns, healthcare IT professionals must stay on top of rapidly evolving security threats that could wreak havoc on the organization. Here, we outline some of the most pressing security concerns IT leaders face today — and provide some expert guidance on how to handle them.
Meet data security head-on.
According to Kyle Fleming, healthcare account executive at Insight, "Healthcare records are worth a ton of money. They're 10 to 20 times more valuable on the market than credit card information, so you always need to stay two steps ahead as the CISO in a healthcare organization. That information is valuable, and hackers will do anything to steal it."
Everyone in the U.S. will have had their healthcare data compromised by 2024 if these hacks continue accelerating at their current rate, according to Crain’s Chicago Business newspaper. That's no surprise when you consider the incentive for hackers. Apparently, a single medical record can fetch as much as $1,000 on the dark net.1
Meanwhile, the threat environment is shifting. Specifically, Fleming and his colleagues are seeing a resurgence of phishing attacks. An estimated 4,000 ransomware attacks are occurring each day, potentially costing victims up to $1 billion every year — and the health care sector is one of their largest targets.
The Food and Drug Administration has even gone on record expressing its grave concern about the security vulnerability of medical devices, such as pacemakers and insulin pumps. Every healthcare organization needs to take these macro-level security trends into account, in addition to their own unique security considerations, when designing an effective strategy to combat attacks. But how?
Justin Wing, senior healthcare account executive at Insight, believes it's important to step back and look at the big picture. "You can do this by having security audits go in and do a top-to-bottom analysis of what's happening in the environment,” he says. “There may be areas of risk that come up you probably weren't even thinking about."
The audit may highlight a range of action items, including a need for stronger security policies and processes, enhanced user training on how to spot phishing emails, or recommendations on how to secure your core infrastructure down to the endpoints. IT teams can then make informed decisions on how to address security risks in their environment and prioritize their follow-up action items.
Tackle compliance concerns.
Healthcare organizations face a unique challenge: regulatory compliance. As Wing notes, "It's more difficult to be agile when it comes to new legislation or processes coming down, because hospitals are on 24/7, and they have so much critical data and patients to look out for." This detrimentally blocks innovation. A doctor may notice some exciting new technology, but it will still fall to the IT professional to ensure the technology complies with strict guidelines and security practices.
Allowing doctors and patients to access healthcare information from a mobile app might sound promising from a productivity standpoint, for example, but it could trigger a HIPAA security rule regarding the exchange of Personal Health Information (PHI). Even setting HIPAA requirements aside, mobile devices face great security risks that could land a hospital in hot water if patient medical records are stolen.
These types of risk management and compliance concerns make it especially challenging for IT to accommodate doctors — who provide improved care through the latest and greatest techniques — while still guaranteeing the required level of compliance.
IT leaders are doing their best to stay prepared for any new regulatory changes. In the meantime, they can improve security and compliance by training end users on security procedures — particularly those related to HIPAA compliance. For example, paper-based workflows were standard practice until recently, so employees might require dedicated training on how to successfully use newer procedures, such as single sign-on to the network.
Fleming adds that thorough documentation is also critical to ensuring successful user adherence to compliance requirements. "You can have all the best practices and the right technology solutions in place, but if your nurses, staff, doctors and patients don't know how to properly utilize them for what they were designed to do, they'll be useless," he says. That's why it's important to invest in user education.
Turn to secure printing.
Printer security is an important dimension to consider for hospital data security and compliance. As Wing explains, "Everything that connects to the internet is definitely susceptible. It's something really overlooked by a lot of companies, especially in healthcare."
A hacker could leverage an unsecured printer as an entry point for staging damaging attacks across the entire organization's network. As “The Wolf,” a new video series highlighting opportunities from a hacker's perspective, demonstrates, such an incident can have frightening implications for a hospital's security and regulatory compliance — not to mention its reputation.
Any connected device that hasn't been secured poses a threat to the business. Meanwhile, advances in printing security have made it possible to deploy a printer fleet armed with real-time threat detection, automated monitoring and software validation to better guard against such incursions. To ensure they're defending all possible entry points from an attack, hospitals should consider shoring up their defenses on the printing front, too.
Although hospital data security is a challenging endeavor for IT professionals, it's an essential priority to keep top of mind as the business evolves. The threat environment is becoming more complex, and attacks are becoming more sophisticated. Yet, printing innovation has its guard up. Healthcare IT leaders can go a long way toward defending their organization and guarding patient data by taking a holistic view of their hospital's unique security needs, keeping a close eye on compliance and making sure connected devices — including printers — are included as part of the security plan.
1Sweeney, B. (2017, April 8). The Frightening New Frontier for Hackers: Your Medical Records. Crain’s Chicago Business.