4 top threats to healthcare cybersecurity
Summary
Learn about increasing threats to healthcare cybersecurity.
Read time: 8 minutes
Hackers, data breaches, phishing — healthcare cybersecurity is under constant attack. In fact, the U.S. Department of Health and Human Services (HHS) reports that cyberattacks in healthcare have risen at an alarming rate since the decade began.¹
Cyberattacks not only damage an organization’s reputation and relationships, they can also result in penalties as large as $1.5 million annually for HIPAA records. Hackers aren’t just stealing information — they’re holding it for ransom. When critical medical records are no longer accessible because they’re held for ransom, patient health suffers. Healthcare’s focus on patient health is part of what encourages ransomware attacks — hackers bet that they will pay. In this article, we look at four more factors contributing to the rise in threats to healthcare cybersecurity.
1. Staffing
There are fewer healthcare staff than before the pandemic — 78,000 fewer in July 2022 compared to Feb. 2020.² The U.S. Bureau of Labor Statistics reported “that more than 275,000 additional nurses are needed from 2020 to 2030. Employment opportunities for nurses are projected to grow at a faster rate (9%) than all other occupations from 2016 through 2026.”³
Those healthcare workers who struggled through the pandemic are experiencing fatigue and burnout, causing frustration and lack of vigilance — making organizations more susceptible to attack.
Healthcare organizations are turning to remote workers, telehealth, and other solutions to overcome staffing shortages and widen the hiring pool. That can come at a cost. Remote devices that aren't connected properly or equipped with the right capabilities can leak sensitive protected health information (PHI). Hackers can quickly gain access to your network through a remote connection and deploy ransomware or steal valuable patient data, resulting in a breach and loss of business operations — threatening patient care.
Healthcare data draws a high dollar on the black market because it is rich in personal data and valuable to identity thieves giving access to credit card information, email addresses, social security numbers, employment data and health history.
By outsourcing services to established IT organizations, healthcare entities can enable secure remote work necessitated by shifting employee needs.
2. Paperwork
Paperwork can be a security risk. PHI can be compromised when paper forms are scanned, copied, printed, or faxed. Three ways to improve security and reduce the risk of cyberattacks in healthcare:
Implement electronic forms
Replace paper forms with electronic versions and sync them with electronic health records. Patients and staff will enjoy the availability and convenience of having the correct, secure form ready for a signature, even in a telehealth environment.
Automate workflows
Automated routing moves encrypted information seamlessly to only the appropriate team or individual in a HIPAA-compliant, secured environment. For employees working from home, ensure settings allow for secured off-site exception handling.
Employ patient and form barcodes
Guard PHI by employing barcodes for tracking, auditing, reporting and return mail handling. Barcode-driven workflows eliminate manual collation and the need for random compliance inspections.
PHI is constantly on the move and having an audit trail is critical for security and regulatory compliance. Solutions that handle PHI must work under HIPAA’s privacy and security rules, so it’s critical to ensure that service providers support HIPAA compliance to help support ongoing business transformation.
3. Interoperability
Healthcare leaders are seeking partners that can help streamline operations from the front to the back of the office while offering secure transmission of PHI as it passes through each point. Why?
Managing multiple vendors spreads staff thin and creates complexities with processes, security, finances, and more. And digital interfaces for connecting different vendors’ electronic health record systems are often prohibitively expensive.
Part of the challenge is the proliferation of medical devices — some with legacy software systems that can no longer be updated. And those medical devices can be used as weapons. Application programming interfaces (APIs), the tools needed to exchange records and data, can be exploited to gain access to a network. It’s necessary to test APIs extensively to ensure security to allow the applications to continue talking to each other without leaking sensitive PHI.
With so many third-party partners involved in providing the technology that shares PHI, it’s no surprise that marrying the security of those systems without risk of compromise is difficult. Limiting the number of third-party partners to those with a wide depth and breadth can help healthcare organizations scale up or down as needed while ensuring the interoperability and security of systems.
4. Trust
Given the interconnected nature of the future with the Internet of Medical Things (IoMT), including software, applications, remote patient care devices, virtual care, robotics, and more, the current perimeter-based security model used by most healthcare organizations isn’t effective. To stay ahead of these trends, health organizations must make a fundamental shift to a Zero Trust model.⁴
The Zero Trust model recognizes that traditional security perimeters are a thing of the past. Zero Trust systems must always validate access for all resources to ensure only authorized, validated individuals are accessing data. It shifts defenses from traditional static, network-based perimeters to focus on:
Users – people using your system, including staff, vendors, and contractors
Assets – where your information and data live
Resources – tools used to protect your information
Zero Trust relies on a multi-layered approach — with the core principle that nothing can be trusted. With the traditional perimeter gone, the “trust but verify” paradigm is also gone, replaced by verify-verify-verify.
Technologies often deployed in Zero Trust systems include:
Multi-factor authentication
Advanced endpoint protection
Event isolation technologies
Data encryption
Identity management and protection
Secured messaging
Asset validation prior to connection
Zero Trust requires a cultural shift and company-wide commitment to security and clear communication to succeed. An experienced partner can assist in creating a culture of security and communicating with employees, partners, vendors, and more to assist healthcare organizations in modernizing their systems to protect against the latest attacks.
Related content
What you can do to improve cybersecurity
To effectively stay current on the latest vulnerabilities, health entities should continually review and update cybersecurity protocols and response plans. Implementing a risk assessment can have a significant impact on healthcare cybersecurity. Thoroughly review all aspects of data collection, storage, and use to improve and support tighter security measures across your organization — from business operations to output management and interoperability.
Include these key business systems as part of an internal review of cybersecurity preparedness:
Business process optimization — Examine current processes and operations to identify security gaps while looking for ways to improve efficiency
Asset management — Monitor vulnerabilities by constantly scanning and reporting enterprise technology assets regardless of location and how those assets work together to support the organization
Content management — Evaluate how clinical and administrative data is captured and linked to internal systems to improve business and clinical processes in a way that can reduce exposure
Device management — Confirm the secure organization and flow of internal and external information between internal and external devices
Forms management — Review the capture, management, and flow of clinical and administrative information to guarantee that data is safely and securely handled, as well as to help reduce the chance of information mismanagement and human error
Interoperability — Look at ways patient data is typically shared, from an unstructured, analog method to a digital, electronic transfer method
Output management — Monitor and audit enterprise printing to help address the need for confidentiality, misdirected or forgotten print jobs or unauthorized access
Point of service scanning — Assess how capturing and directly linking clinical and administrative data to internal systems at the point of service can help reduce potential exposure
Hardware — Gauge how well the organization uses hardware by examining steps such as user authentication at the printer, encryption to help safeguard documents, data, address books, passwords and more, automatically overwriting latent digital images and managing unstructured data
While a review of these systems may seem extensive, it's necessary to protect your network from the latest vulnerabilities. A trusted IT outsourcing company can identify vulnerabilities, help you establish safeguards, and free up time for you and your staff to focus on what matters most: patient care. Giving healthcare workers more time to focus on improving patient outcomes can deliver a meaningful morale boost and help retain talent — ever-important in this era of staffing shortages.
Outsourced IT services put expert industry knowledge on your side, improving security as well as ongoing system performance. This allows you to become more flexible and agile, ultimately being able to deliver a better patient experience and compete more successfully.
IT outsourcing also helps keep remote and hybrid workers productive and engaged. It not only gives them next-level tech support, but also secure 24/7 access to apps and data and the latest technology with current security standards.
Expert IT professionals can help arm you with a defined backup strategy with disaster recovery planning to keep downtime to a minimum and ensure patient health records don’t disappear forever.
Related Content:
Webinar: Addressing the cost and risk of human error and driving security culture
Webinar: Protecting your business by planning for disaster recovery
Recommended for you
Essentials Security Guide
Discover how a layered security approach can enable business transformation in today’s digital workplace.
Automating a Medical Center’s Patient Packet Workflow
Ricoh improves the patient experience and reduces privacy compliance risks for a world-renowned health system with Patient Packet Workflow automation.
Contain ransomware outbreaks
In this webinar, 'Contain Ransomware Outbreaks,' our team of experts shares the future of cybersecurity defense strategies and why reactive security measures aren't enough.
- 1https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
- 2https://altarum.org/sites/default/files/uploaded-publication-files/HSEI-Labor-Brief_Aug_2022 final.pdf
- 3https://www.ncbi.nlm.nih.gov/books/NBK493175/
- 4https://www.hhs.gov/sites/default/files/zero-trust.pdf
- 5http://www.verizon.com/business/resources/reports/dbir/
- 6https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf