Preparedness For the Next Generation of Cybersecurity Attacks in Healthcare
By Ame Wadler
10/21/16
Cybersecurity vulnerabilities pose a great risk to the healthcare industry and its livelihood. The expanded use of digital, electronic and network technology has induced significant benefits for care delivery and organizational efficiency, but also creates opportunities for cyber intrusions.
Think about this – in 2014, 85 percent of large health organizations experienced a data breach. Nearly 20 percent of those breaches cost more than $1 million to remediate. Today, PWC ranks cybersecurity as the fourth most imminent threat to healthcare as cybercriminals seek to gain financially from medical data and hospital records [1]. But it’s not just our privacy that is at stake. In 2015, the U.S. government issued a warning about the potential vulnerability of certain medical devices to hacking. This warning was spurred by evidence that an infusion pump used could be modified to deliver a fatal dose of medication.
In early 2016, we also saw a string of ransomware attacks that brought down the systems of several hospitals. Hospitals are a prime target for ransomware attacks as there is an urgent need for the ability to access the information on their systems. Being unable to access records or devices can put patients’ health in danger and that is not a risk these institutes can take.
While black hat hackers are often the culprits in cyberattacks, breaches aren’t always due to external forces. Employee error contributes 26 to 36 percent of data breaches — often due to lax security training and enforcement of policies [2].
The healthcare industry —hospital networks, medical device firms, insurance corporations, charitable nonprofits and others — are taking numerous steps to improve cybersecurity for their businesses and institutions. However no protective measure today is 100 percent foolproof. While companies routinely assess their security capabilities and policies to detect vulnerabilities, it is equally critical to prepare for such a breach. Consider the challenges faced by UCLA Health in 2015. The health system noticed suspicious activity on its computer servers in October 2014 and on May 5 investigators discovered that hackers gained access to patient data. About 4.5 million people, including UCLA Health patients and providers, were impacted [3]. However, the public wasn’t notified until July 17, earning criticism for the health system and ultimately, being named in class-action litigation.
The American Hospital Association (AHA) guides its members to establish response and reactive procedures in advance of a cyberattack and to develop a core cyber response team composed of IT, legal, and public relations experts [4].
With healthcare in the perennial threat of cyber danger, cybersecurity communications planning is a necessary endeavor of any major industry or enterprise, but healthcare is especially poised to reap the benefits of preparedness, planning and strategic implementation. Healthcare enterprises must be prepared for a cyber crisis in the same way they are for product safety, manufacturing or employee malfeasance.
- Research possible threats (hacktivists, competitors, etc.) to the enterprise and how those breaches may occur
- Learn lessons from other industries that have suffered from cyber attacks – identify the best practices that are applicable to your organization – and routinely scenario plan and update protocols for response
- Invest in data loss prevention systems and practices to help deter unauthorized data access and movement
- Educate employees, third-party vendors, and consumers on safe cyber habits and company security policies
- Craft a communications protocol that would enable critical stakeholders to be informed early, and often, such that they can take steps to protect themselves
[1] “Global State of Information Security Survey 2016.” PwC. 2016. Web. 15 July 2016.
[2] Kalaw, Paolo. “The Sorry State of Cybersecurity in the Healthcare Industry.” Nimbyx News. 4 Feb. 2016. Web. 12 July 2016.
[3] “UCLA Health Victim of a Criminal Cyber Attack.” UCLA Health. 17 July 2015. Web. 07 July 2016.
[4] Cybersecurity and Hospitals. American Hospital Association, 2014. PDF.[:]