By Ken Bradberry
Electronic healthcare systems today are under constant assault from hackers and other cyber criminals. A new study from the U.S. Government Accountability Office (GAO) shows that in 2015 there were 56 reported hacks and data breaches affecting the healthcare records of more than 500 individuals, up from 23 in 2013 and zero in 2009.
The number of patient records compromised from those 56 breaches in 2015 totaled more than 113 million, exponentially larger than the 6.9 million breaches in 2013 and 135,000 in 2009. It’s an alarming trend, and the inability of providers to protect patient data from increasingly frequent attacks on healthcare databases and networks is exposing millions of people to fraud, identity theft, and other crimes.
A data-rich target
Along with the financial services industry, healthcare is a top target of cybercriminals primarily because hospitals and other healthcare stakeholders – including payers, pharmacies, clinics, and data clearinghouses – are rich repositories of highly sensitive personal and financial data.
But there are other factors that make healthcare a tempting target for data thieves. The move toward value-based care is triggering changes in how providers are paid, while federal mandates for interoperability are putting pressure on providers to make their IT systems more accessible and able to share data.
The result is a complex and shifting ecosystem of providers, payers, and other stakeholders sharing electronic data, an ecosystem that requires an equally sophisticated approach to security. Unfortunately, most providers and payers still adopt a traditional approach to security, focusing on basics such as firewalls and intrusion detection.
Our healthcare provider solutions can help improve operations and clinical care. We help you streamline your business processes and maximize the value of your technology investments.
Move beyond information security basics
Such a myopic view of security — combined with a general lack of awareness and coordination, best practices, and education about threats such as malware, phishing and ransomware — leaves dangerous gaps in security that can be exploited. With the advent of the Internet of Things and a variety of wearables and sensors – all of which can collect and transmit data – the number of potential security gaps within the healthcare industry will only grow.
Another source of security gaps are the fine lines between HIPAA, HITRUST, the International Organization for Standardization (ISO), privacy and security frameworks. These expanding challenges present a clear and present danger to any organization participating in the delivery of healthcare services. This includes service providers responsible for business process outsourcing and IT service delivery.
The time has come for an overarching healthcare initiative focused on health and regulated industry cyber threat management. This initiative would involve healthcare providers, payers, technology vendors, pharmaceutical companies, standards bodies, and the government.
Such an initiative could unify industry and security expertise to build a framework and best practices for industry-focused cyber threat analysis that would include:
- Threat assessments unique to industry specific challenges.
- Risk analytics.
- Big data focus on security threat detection and prevention.
- Cloud security services by industry.
- Block chain technologies.
Safeguarding protected health information with clinical and financial services that focus on maintaining the integrity of customers, providers, payers and pharma clients is essential in an industry targeted by cyber criminals and other threats. An alliance of healthcare stakeholders and members of other regulated industries could be an important first step.
This is the first of an occasional series of articles on health IT security from Ken Bradberry. Ken will examine individual elements of the framework and best practices for an effective cyber threat analysis in the healthcare industry.