As more of the healthcare sector goes digital, it unfortunately becomes a tempting target for cybercriminals. Just like any other industry, the healthcare industry has faced its share of mega data breaches, such as the breaches of Banner Health and Newkirk Products, where close to 4 million people were affected [2]. But unlike other industries, the healthcare industry faces the highest data breach cost, at $6.45 million. Even more alarming, at 329 days it also has the longest duration for identifying and containing a breach [3].
Even with laws like HIPAA, which mandates strict standards and processes for the protection and confidential handling of PHI, compliance doesn’t ensure one hundred percent data security, and so isn’t enough on its own to protect hospitals from cybercrime.
Let’s go through some of the major data security challenges faced by medical institutions:
- Transfer of Electronic Health Records (EHRs)
The Health Information Technology for Economic and Clinical Health (HITECH) Act encourages healthcare providers to adopt EHRs and Health Information Exchanges (HIEs) so doctors can easily share data with their patients. However, this network of limitless medical information between numerous providers serves as a hotspot for hackers if not protected properly.
- Maintaining compliance
The HITECH Act offers incentives for EHR and HIE adoption. Having said that, it also creates the responsibility of maintaining compliance. For instance, healthcare providers are required to notify their patients if there’s a breach of their unsecured data. In addition, healthcare institutions also have to comply with laws like HIPAA and with other data protection regulations like the GDPR or the CCPA, whichever applies to them.
- Inability of end-user to protect medical information
Apart from medical providers having to maintain compliance, the adoption of EHRs also poses a burden in terms of end-user errors. Once users access their medical data from the provider’s portal, the privacy of those records is also their responsibility. By sending unsecured data to anyone else, the user opens up an easy path for hackers to get through. While healthcare organizations are bound by data security laws, the same cannot be said for users, who often, through oversight, do not keep up with data security best practices.
- The adoption of digital platforms to store, access and transfer data
The digital progression is very evident as a greater number of hospitals move their resources to the cloud and to mobile platforms. The COVID-19 pandemic has also fundamentally changed the face of care provision across the world. Telehealth adoption in the US, for instance, has grown around 3,000% since the start of the crisis, taking much of primary care to people’s homes rather than being necessarily tied to a doctor’s office or hospital [4].
- Inefficient IT infrastructure
Nobody said running a hospital would be cost efficient. In an episode of one of my favourite TV shows (Grey’s Anatomy), the chief of the hospital decides to cut back on fundamental necessities for the hospital since that money went to expensive medical tech. Sadly, this is true for hospitals in the real world too. While spending adequate money on something like IT infrastructure may seem like a tough decision, or unimportant compared to all the other crucial activities that go on in a healthcare organization, it is better than facing the cost of a data breach.
- Evolution of technology vis a vis the threat landscape
As the healthcare sector continues to offer life-critical services while working to improve treatment and patient care with new technologies, criminals and cyber threat actors look to exploit the vulnerabilities that come with these changes. Apart from data breaches, the following are some of the sources of frustration for healthcare IT and cybersecurity specialists [5]:
- DDoS attacks
- Insider threats
- Business email compromise
- Fraud scams
As healthcare institutions keep enhancing their technology, they also increase their exposure to cyber risk. The COVID-19 outbreak has not provided any relief in this matter. INTERPOL’s Cybercrime Threat Response team has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response [6].
Technology is largely the cause of cybercrime, but technology is also what is needed to thwart it. People and processes are not enough; organizations should put the right technology in place to build a strong data security posture.
- Monitor user activity for all actions performed on sensitive data in your enterprise.
- Choose from different methods or select a combination of techniques such as encryption, tokenization, static, and dynamic data masking to secure your data, whether it’s at rest, in use, or in motion. Before this step, sensitive data discovery is a must, because if you don’t know where your data is, how will you protect it?
- Deploy consistent and flexible data security approaches that protect sensitive data in high-risk applications without compromising the application architecture.
- Your data security platform should be scalable and well-integrated, consistent across all data sources, and should span both production and non-production environments.
- Finally, ensure the technology you’re implementing is well-integrated with existing data protection tools for efficient compliance reporting and breach notifications.
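The order the list above recommends (discover sensitive data first, then tokenize or mask it) can be sketched as follows. This is an added example, not code from the original article or from any vendor's product; the sample rows, column names, regex patterns and the `clinician` role are constructed assumptions, and the key is a placeholder.

```python
import hashlib
import hmac
import re

# Constructed sample rows; column names and values are made up for this example.
ROWS = [
    {"id": 1, "name": "Ana Ruiz", "ssn": "123-45-6789", "note": "call 555-010-1234"},
    {"id": 2, "name": "Li Wei", "ssn": "987-65-4321", "note": "follow-up in 2 weeks"},
]
# Assumed formats for discovery: US SSN and a simple US phone pattern.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}
TOKEN_KEY = b"placeholder-key"  # assumption: a real key comes from a key manager

def discover(rows):
    """Scan every value and return {column: {kinds of sensitive data found}}."""
    found = {}
    for row in rows:
        for col, val in row.items():
            for kind, pat in PATTERNS.items():
                if pat.search(str(val)):
                    found.setdefault(col, set()).add(kind)
    return found

def tokenize(value):
    """Keyed, deterministic token: equal inputs map to equal tokens, so joins survive."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_static(rows, findings):
    """Static masking: build a protected copy (e.g. for non-production use)."""
    masked = []
    for row in rows:
        new = dict(row)
        for col, kinds in findings.items():
            for kind in kinds:
                new[col] = PATTERNS[kind].sub(lambda m: tokenize(m.group()), str(new[col]))
        masked.append(new)
    return masked

def view_dynamic(row, role):
    """Dynamic masking: stored row is untouched; SSNs are redacted at read time by role."""
    if role == "clinician":
        return dict(row)
    redact = lambda m: "***-**-" + m.group()[-4:]
    return {k: PATTERNS["ssn"].sub(redact, v) if isinstance(v, str) else v
            for k, v in row.items()}
```

Discovery here also flags the free-text `note` column, which a column-name-based policy would miss; re-running `discover` on the masked copy is a quick check that nothing matching the patterns survived.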
Cybercrime is a menacing threat for any industry, but more so for the healthcare sector, given the high cost of data breaches and the long duration it takes to identify a breach. The outcome of information theft is too great a risk, especially due to the ethical commitment medical providers share with their patients. Building a robust data security platform should be a principal goal of any hospital.
The Mage platform comprises a comprehensive solution that protects sensitive data along its lifecycle in the customer’s systems - providing capabilities from sensitive data discovery, masking, and monitoring to data retirement. Engineered with unique, scalable architecture and built-in separation of duties, it delivers comprehensive, consistent, and reliable data and application security across various data sources (mainframe, relational databases, unstructured data, big data, on-premise, and cloud).
How a leading healthcare company in the US is effectively handling data security
A leading provider of hospital medicine and related facility-based services had an Oracle environment, storing information for more than 2,000 providers in 1,500 facilities. Due to the time required to manage the Oracle data masking tool that had been in place for two and a half years, they looked at the market for a data masking solution that would have ease of use and full automation.
The organization noted several advantages to using the Mage Platform instead of Oracle DM, one of the main advantages being the time required to implement and run the software. Apart from a fully automated anonymization solution, the organization was also able to discover many hidden sensitive data locations with the Mage sensitive data discovery tool.
[1] Cleveland Clinic Newsroom – Cleveland Clinic Unveils Top 10 Medical Innovations for 2019
[2] Digital Guardian Data Insider – Top 10 Biggest Healthcare Data Breaches of All Time
[3] Ponemon Institute – Cost of a Data Breach Report, 2019
[4] Healthcare IT News – Digital transformation in the time of COVID-19
[5] Center for Internet Security (CIS) – Cyber Attacks: In the Healthcare Sector
[6] Forbes – Cyber Attacks Against Hospitals Have ‘Significantly Increased’ As Hackers Seek To Maximize Profits