June 27, 2014
Information Security Risks Gone Viral: The Risks and Challenges Facing the Healthcare Industry
Information security attacks against the healthcare industry are on the rise – up 100 percent since 2010[1] with no reversal of the trend in sight. For a multitude of reasons, healthcare IT often doesn’t have the same capacity as in other industries to reduce the likelihood of attacks or react to attacks as quickly. Rectifying the situation requires a cultural shift, which must start at the top in healthcare organizations.
Anonymous, the notorious hacktivist group, launched a distributed denial-of-service (DDoS) attack against the Boston Children’s Hospital website in April.[2] Although the group was acting for political reasons, other hackers do it for personal gain. “The information that's contained in a medical record has real value in the hands of a cyber-criminal,” said one healthcare industry researcher.[3] “And there's evidence that suggests that in the world of black market information, a medical record is considered more valuable than everything else.” Because Social Security numbers and personal health records don’t change, a medical record has a longer shelf life than payment card data, which expires when financial institutions replace the cards.[4]
The healthcare industry’s information security is behind that of other regulated industries. In fact, a recent analysis found that healthcare and pharmaceutical companies performed worse in security analyses than financial institutions, utilities, and even retailers. Many healthcare organizations are neglecting to put into place even basic protective measures.[5]
It should come as no surprise that IT and information security have not always worked together cohesively in healthcare organizations. Antiquated technology combined with resistance from physicians and other providers and shorthanded IT departments have created the worst-case scenario for healthcare organizations needing to secure their IT environment and the data it protects.
The steady increase in reports of hacking and breaches in the industry can be attributed to several other factors as well, including:
- Meaningful use attestation. Healthcare facilities are using more technology (externally facing patient portals, mobile devices, tap-and-go workstations) at a rapid rate to react to attestation requirements. However, healthcare IT does not have the time and resources for efficient testing before putting systems into production, which leaves security as an afterthought.
- Healthcare environment. Almost every device in a healthcare system is mission-critical and serves a medical purpose. The purpose of the devices is patient care, which, above all else, is the core function of a healthcare system. Many of these devices need to run 24/7/365, which leaves a strapped IT staff and zero downtime available for upgrades, patches, and configuration changes.
- Third-party vendor woes. Healthcare IT employees often are not made aware of various systems placed on the network, have no opportunity to provide input about the security settings of third-party devices, and overall are not involved in the procurement process. All of these factors can lead to bad security practices.
- Providers and upper management. Historically, the healthcare IT function has struggled with implementing strong security practices due in part to resistance from physicians and other providers and weak support from upper management.
To protect a healthcare organization’s valuable digital assets, information security personnel need to become immersed in the fabric of healthcare IT, and such a change must start from the top. Every organization needs the buy-in from top management, and the healthcare industry is no different.
According to the firm that did the previously cited analysis, attention to information security by top management is one of the primary differences in better performance from a security perspective. At “the high-performing organizations, it is an executive-level issue,” said the firm’s chief technology officer. “What we’ve seen in financial services is they have a culture of risk management. They’ve been managing fraud for quite some time. It’s money to them.”[6]
Change in the healthcare industry might be slow, but by following a risk-based approach to assess and prioritize information security issues, a healthcare organization can not only create change among IT personnel but also facilitate a more security-centric mindset among all employees. Following are some of the actions organizations need to take to bring about those changes:
- Create an information security committee. This committee should consist of employees from various departments, including IT, physician, compliance, legal, privacy, and the C-suite. The committee meets periodically to communicate issues, make informed decisions about vendors and new types of technology, and discuss security and privacy concerns as they arise.
- Develop strong policies and procedures. The core of an organization is in its policies and procedures. Aside from requirements related to meaningful use and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), policies set the standard and tone for the entire organization.
- Conduct security-focused assessments. Healthcare organizations need to engage high-quality information security professionals to perform security-focused assessments. Performing risk assessments to meet meaningful use requirements often does not go into the depth needed to identify core security issues. Compliance with a regulation does not mean the environment is secure.
- Enable employees. Employees require security-specific training with regard to password management, social engineering, and general awareness. Sending IT “tips of the month” to all employees reinforces the importance of security best practices.
- Improve hiring practices. Healthcare organizations should seek out individuals who bring information security, healthcare, and IT experience when hiring for IT departments. Typically, IT in one industry is similar to IT in another industry – until the industry is healthcare. Then IT personnel need to understand the intricacies of the organization and special concerns of the healthcare industry.
Once the message comes from the top, personnel in healthcare IT will soon realize the importance they play in making their environment secure and reducing the risk of successful information security attacks on their organizations.
Contact Raj Chaudhary for additional information about healthcare information security.
For More Information
[1] Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy and Data Security, March 12, 2014, http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security
[2] Michael B. Farrell, “Boston Children’s Hospital Comes Under Repeated Cyber Attacks,” The Boston Globe, April 24, 2014, http://www.bostonglobe.com/business/2014/04/23/boston-children-hospital-comes-under-repeated-cyber-attacks/RBTgg9pT2YU8upp3W4IpzI/story.html
[3] Larry Ponemon, quoted in Herb Weisbaum, “Health Care System’s $5.6 Billion Security Problem,” CNBC, March 12, 2014, http://www.cnbc.com/id/101488137
[4] According to Rick Kam, of ID Experts, quoted in the CNBC article cited above
[5] Dune Lawrence, “Health-Care Companies Have Worse Cybersecurity Than Retailers,” Bloomberg Businessweek, May 28, 2014, http://www.businessweek.com/articles/2014-05-28/health-care-companies-have-worse-cybersecurity-than-retailers