How often do we hear a provider say, “My priority is my patient, I don’t have time for other things”? Well, it is a fact that if cybersecurity issues impact the confidentiality, integrity or availability of a provider’s patient information, then patient care will most likely be impacted. A running theme of the previous OCR/NIST HIPAA Security Conference was that providers and business associates must be cognizant of the fact that cybersecurity issues can impact patient care.
We are currently at a hotbed of cybersecurity activity in the healthcare industry. A data explosion is taking place, causing unprecedented security risk. This explosion results from many developments: digitizing the patient record, sharing patient information across venues, data-based collaborative care, the use of analytics to enhance care, electronic registries for population health, personalized medicine, the omnipresent personal health record fed by fitness tracking devices, smartphone apps, connected electronic measurement devices, and more.
With this data explosion, the healthcare industry has become a target for attacks. Ransomware attacks have been particularly rampant in healthcare, causing hospitals to shut down temporarily and even transfer patients. If this is not an impact on patient care, what is? Here's a flashback: the big global ransomware attack WannaCry in 2017 impacted patient care, and here are some real examples of how it did so.
- Providers were unable to look after patients properly because medical devices were not functioning; many did not even have access to X-rays.
- Some patients complained about having to wait a couple of hours for prescriptions after chemotherapy infusion, suffering through the after-effects of a chemotherapy session while waiting instead of resting.
- In some cases, administration of chemotherapy had to be delayed or postponed.
- A patient talked about how he could not get test results for severe kidney pain for a couple of days because machines were unavailable.
Cybersecurity issues are, at their heart, patient safety issues. Protecting patients is part of the mission of a physician and part of the Hippocratic oath. The first step in understanding how a practice fares in terms of security is to conduct an annual security risk assessment. This is key and must not be overlooked: ensuring that patient data is safe is an important responsibility of a physician toward the patient and toward assuring consistent, quality patient care.
Why is HIPAA useful?
The Health Insurance Portability and Accountability Act (HIPAA) may be anathema to many physicians and healthcare providers, but the law provides clear and simple guidelines to help improve an organization's security and privacy posture. HIPAA comprises multiple rules, such as the Security Rule, the Privacy Rule, the Breach Notification Rule and the Enforcement Rule, that organizations can use as a reference and not just as a compliance obligation. Within the Security Rule there are requirements for three types of safeguards that help secure a covered entity: administrative safeguards, physical safeguards, and technical safeguards.
The increased integration of technology into the health industry is resulting in more precise healthcare; yet breakthroughs in cybersecurity safeguards are still required. According to the 2021 Cost of a Data Breach analysis by IBM and the Ponemon Institute, data breaches in the healthcare industry have been on the rise, and for 11 consecutive years healthcare has had the highest average data breach cost of any industry. It is one of the most targeted sectors globally. The information obtained through health data breaches is of special interest to criminals because, unlike a credit card number, it cannot be changed after it is stolen. A person's medical file contains information such as blood type, previous operations and diagnoses, and other personal health information. Because these records combine personal identifiers (name, date of birth, insurance and healthcare provider information) with health and genetic information, they must be kept private.
Why does healthcare get targeted so much?
Hospitals and health organizations hold an incredible amount of sensitive information, ranging from monetary to intelligence value, all of which is extremely valuable to cybercriminals and nation-state actors. Health organizations need to keep their security posture constantly high; wherever cracks form, they become vulnerable to and targeted by cyberattacks. Targeted healthcare data sets include protected health information (PHI) of patients, financial information such as bank account details and credit card numbers, and personally identifiable information (PII) such as Social Security numbers. Because a medical record combines identifiers and insurance details with health and genetic information, it is especially valuable for healthcare fraud, and it must be kept private.
On the dark web, stolen health records may sell for up to ten times the price of stolen credit card numbers. Unfortunately, the bad news for healthcare firms does not end there: the cost of resolving a breach in this industry, at $408 per stolen record, is nearly three times the cross-industry average.
The reality of the health industry
Almost every department in a hospital handles PII and PHI in one or more health information systems. Healthcare providers (physicians, physician assistants, nurses, pharmacists, technicians, dietitians, physical therapists) use electronic health records (EHR), e-prescribing software, remote patient monitoring, and/or laboratory information systems; the billing office uses medical billing software to work with insurance and financial information; the scheduling and administration departments use scheduling software that touches clinical data, and so on. In most other industries (academic institutions or corporations, for example), PII is confined to a few departments, so cybersecurity measures can be concentrated there; in a hospital, practically every department handles sensitive and valuable data in some way. Cybersecurity programs protect PII and PHI by securing devices, electronic systems, networks, and data from attacks.
In some fields, such as the financial sector, cybersecurity has been addressed for decades, and as a result policies and dedicated resources for security investment are well established. The health field struggles to devote adequate attention and resources to the problem because cybersecurity is a relatively new concern for it, and because healthcare delivery itself is so expensive, only a small share of the budget is set aside for IT security. Despite these limitations, hospital cybersecurity must account for thousands of networked medical devices as well as frequently inconsistent business procedures. Connected medical devices bring multiple vulnerabilities to a hospital's network, yet they are deployed throughout the facility, and some are even used off-site. Business processes in hospitals vary greatly from patient to patient and department to department. This typically necessitates openness (for data interchange and emergency access to health records), which creates a special challenge in securing health records.
How hackers jeopardize patient privacy, clinical outcomes, and financial resources at your hospital
Because attackers who break in gain access to PHI and other sensitive information, cyberattacks on electronic health records and other systems constitute a risk to patient privacy. Your organization could face significant penalties under HIPAA's Privacy and Security Rules, as well as harm to its reputation in the community, if it fails to keep patient records private.
Patient safety and care delivery, above all, may be threatened. You will be unable to care for your patients effectively if you lose access to medical records and crucial medical devices, such as when a ransomware infection holds them captive. An attacker with access to patient data can not only steal it but also alter it, whether deliberately or as a side effect of the intrusion, which could have catastrophic consequences for patients' health and outcomes.
One example: when the British National Health Service was hit as part of the WannaCry ransomware attack on computer systems in 150 countries in May 2017, ambulances were diverted, procedures were canceled, and patient outcomes were jeopardized. There have been more cases of ambulance diversion caused by ransomware since then, including here in the United States. For instance, in August 2021, Eskenazi Health in Indianapolis had to reroute incoming ambulances for over 12 hours after it was hit by a ransomware attack. With good planning and investment, however, this risk can be reduced.
Creating a high-quality IT foundation
Quality IT, meaning at the very least a stable application foundation and IT infrastructure, is required for a health facility to have a solid information security posture. A shortage of human resources, budget constraints, a history of underinvestment, and the sheer breadth of applications make this especially difficult to achieve in healthcare settings; yet it is critical.
Although there are no defined models or tools for measuring the quality of a health facility's IT, a few indicators can help. A health institution with a stable application foundation, for example, does not have help desk call logs clogged with break/fix requests, and its IT team is not largely occupied with repairing faulty systems or broken applications.
The state of the IT infrastructure is just as crucial as the quality of the applications. The infrastructure includes any connected resources and services used to supply and support IT services (hardware platforms, software applications, operating systems, networking, and telecommunication tools). Information security requires configuration management, change management, and logging and monitoring across that infrastructure. A major configuration management goal is to keep an up-to-date inventory of IT assets and the relationships between them: identifying each asset owned and recording its version and associated components. Well-maintained configuration management improves vulnerability and patch management, even though it is a difficult undertaking. "Configuration management underpins management," according to the SANS Institute; fault, performance, accounting, and security are the other management functions. Change management, which is closely related to configuration management, is defined by ITIL as a systematic approach for handling all changes in a consistent manner. Change management helps not only in avoiding unnecessary service downtime but also in the event of a cyberattack, because a reliable record of what changed, and when, is exactly what an incident response plan depends on. Similarly, tight audit logs and monitoring of those logs are key IT services for quickly spotting attacks and establishing the facts about an attack.
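To make the two recommendations above concrete, here is an added example written for this edited version of the post; it is not the original author's code and not any vendor's product. It assumes a hypothetical CMDB export and a hypothetical EHR audit-log line format, and the inventory, advisory baseline, log lines and alert thresholds are all constructed sample data. The first part shows why the inventory needs the relationships between assets, not just a list: an unpatched component's exposure is propagated to every system that depends on it, so the owner of a downstream system learns which upstream patch unblocks them. The second part runs two simple detections over audit lines, an account viewing an unusually large number of distinct patient records inside a short window, and a burst of failed logins against a clinician account.

```python
# Added example (not from the original post). Inventory, baseline, audit
# format and thresholds are constructed assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# ---- Part 1: configuration management feeds patch management ----------------

# Constructed CMDB export: owner, installed version, and the assets each one
# depends on (the "relationships between assets" a good inventory captures).
INVENTORY = {
    "ehr-app":     {"owner": "Clinical IT", "version": "4.2.1", "depends_on": ["ehr-db", "auth-srv"]},
    "ehr-db":      {"owner": "DBA team",    "version": "12.4",  "depends_on": ["san-01"]},
    "auth-srv":    {"owner": "IAM team",    "version": "3.0.7", "depends_on": []},
    "san-01":      {"owner": "Infra",       "version": "8.1",   "depends_on": []},
    "infusion-gw": {"owner": "Biomed",      "version": "2.9",   "depends_on": ["auth-srv"]},
}

# Constructed advisory baseline: minimum version that carries the fix.
MIN_PATCHED = {"auth-srv": "3.1.0", "san-01": "8.1", "ehr-db": "12.6"}


def parse_version(text):
    """'12.4' -> (12, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def unpatched_assets(inventory, baseline):
    """Assets whose installed version is older than the advisory minimum."""
    return sorted(
        name for name, asset in inventory.items()
        if name in baseline
        and parse_version(asset["version"]) < parse_version(baseline[name])
    )


def exposed_assets(inventory, baseline):
    """Map each exposed asset to the unpatched root it inherits exposure from.

    Walks the dependency graph in reverse, so the EHR front end is reported
    as exposed through its database even though it has no advisory itself.
    """
    dependents = defaultdict(list)
    for name, asset in inventory.items():
        for dep in asset["depends_on"]:
            dependents[dep].append(name)

    exposure = {}
    stack = [(root, root) for root in unpatched_assets(inventory, baseline)]
    while stack:
        asset, cause = stack.pop()
        if asset in exposure:          # already reached via another root
            continue
        exposure[asset] = cause
        stack.extend((child, cause) for child in dependents[asset])
    return exposure


# ---- Part 2: audit logs and monitoring to spot an attack early --------------

# Constructed EHR audit lines: timestamp, account, action, patient record id.
AUDIT_LOG = (
    ["2022-06-01T09:02:11 user=nurse.k action=VIEW mrn=100234",
     "2022-06-01T09:05:40 user=nurse.k action=VIEW mrn=100235"]
    + [f"2022-06-01T09:06:{5 + i:02d} user=dr.m action=LOGIN_FAIL mrn=-" for i in range(6)]
    + [f"2022-06-01T09:10:{i:02d} user=svc-backup action=VIEW mrn={100300 + i}" for i in range(40)]
)


def parse_audit(lines):
    """key=value lines -> event dicts with a parsed 'ts', sorted by time."""
    events = []
    for line in lines:
        timestamp, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.fromisoformat(timestamp)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(lines, max_records=25, max_failures=5, window_minutes=10):
    """Return {user: set(alert names)} for two patterns inside a sliding window:
    bulk_access    - more than max_records distinct records viewed (snooping / exfil)
    login_failures - more than max_failures failed logins (password guessing)
    """
    per_user = defaultdict(list)
    for event in parse_audit(lines):
        per_user[event["user"]].append(event)

    window = timedelta(minutes=window_minutes)
    alerts = defaultdict(set)
    for user, events in per_user.items():
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            viewed = {e["mrn"] for e in in_window if e["action"] == "VIEW"}
            failed = sum(1 for e in in_window if e["action"] == "LOGIN_FAIL")
            if len(viewed) > max_records:
                alerts[user].add("bulk_access")
            if failed > max_failures:
                alerts[user].add("login_failures")
    return dict(alerts)


if __name__ == "__main__":
    for asset, cause in exposed_assets(INVENTORY, MIN_PATCHED).items():
        print(f"{asset:12} exposed via unpatched {cause} (owner: {INVENTORY[asset]['owner']})")
    for user, kinds in find_anomalies(AUDIT_LOG).items():
        print(f"ALERT {user}: {', '.join(sorted(kinds))}")
```

With the constructed data, `san-01` is at the baseline version and stays clean, while `auth-srv` and `ehr-db` are behind, so the EHR front end and the infusion-pump gateway are reported as exposed through them. On the audit side, the two views by `nurse.k` are normal, the six failed logins for `dr.m` and the 40 records read by `svc-backup` in under a minute each raise an alert. The thresholds are assumptions; a real deployment would tune them per role and per unit.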
Provider mindsets must include cybersecurity
The significance of altering provider mindsets to include cybersecurity awareness has increased manifold over the past few years. Every person in the healthcare industry must undergo regular cybersecurity awareness training and needs to understand how much impact cybercrime can have on their ability to provide quality patient care. Cybersecurity must be top of mind in all healthcare organizations, because it is clear that cybersecurity issues can impact patient care.
Note: this blog post was originally published in September 2017, and was updated in June 2022.