Top Healthcare Cybersecurity Challenges, How to Overcome Them
With a multitude of critical data and patient safety hanging in the balance, there is a unique set of healthcare cybersecurity challenges that must be carefully considered.
From ransomware to COVID-19 struggles to unauthorized disclosure and constant technological innovation, the healthcare sector must always be considering the unique cybersecurity challenges that come along with the ever-changing healthcare cyber threat landscape.
Cyber threats and security vulnerabilities can jeopardize patient protected health information (PHI) and distract healthcare professionals, but that does not mean that the challenges cannot be overcome.
Sharon Klein, attorney and chair of Blank Rome’s privacy, security, and data practice, has years of firsthand experience with managing and assessing healthcare cybersecurity threats.
Klein is part of the HHS task group formed under the Cybersecurity Act of 2015 to improve communication between the private and public sectors. The task group specifically addresses Section 405(d) of the Act, “Aligning Health Care Industry Security Approaches.”
As part of the task force, Klein, along with over 150 other privacy experts, industry leaders, and medical professionals, helped develop guidelines to strengthen the healthcare sector’s cybersecurity posture. Due to her position, Klein has a unique perspective on the healthcare industry’s top cybersecurity challenges and what barriers the sector must break down in order to mitigate risk.
Healthcare data is extremely valuable on the dark web
“Unfortunately, the dark web is very interested in medical information because it provides them a number of sources for identity theft,” Klein explained. A single record with protected health information may contain a patient’s Social Security number, medical history, treatment information, and even payment information.
According to a report from SecureLink, one healthcare record can be worth up to $250 on the black market, compared to $5.40 for payment card information, which is the next highest-value record type.
To Klein, the main issue in this space is the concentration and volume of healthcare data. Researchers, providers, and other healthcare professionals know that availability of quality health data is crucial to driving better outcomes.
But having large quantities of valuable data comes with a significant amount of security risks that healthcare organizations must be able to balance.
Unauthorized disclosure can be just as damaging as ransomware
Ransomware gets a lot of attention from the media, the government, and healthcare cybersecurity leaders. However, unauthorized access to or disclosure of health information can be just as harmful to the patients whose PHI is exposed.
Whether it is intentional or not, negligence by providers and employees may result in PHI exposure.
For example, South Florida Community Care Network, also known as Community Care Plan (CCP), announced in September 2021 that a former employee had been sending internal documents containing PHI to their personal email address for multiple months. Incidents like this are almost as common as ransomware and can be equally damaging.
While some instances may stem from malicious intent, unauthorized disclosure incidents by employees are often the result of negligence or a lack of proper cyber hygiene.
“We’ve seen unauthorized disclosure by people who are in the system, unwittingly like doctors and clinicians, who really just want to get the information and the medical record to treat the patient,” Klein said.
Incidents of unauthorized access or disclosure can be reduced by educating employees on cyber hygiene, promoting the safe handling of PHI, and limiting each employee's access to the PHI their role actually requires. Cybersecurity is a team effort, especially in healthcare, where employees have access to sensitive patient data that can affect patient safety and privacy if exposed.
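The CCP incident above followed a recognizable pattern: one internal sender, one personal webmail address, attachments, repeated over months. The following detection logic is an added example and not code from the article or from CCP; the mail-gateway log format, the internal domain `ccp.example`, the list of personal webmail domains, and the alert thresholds are all assumptions, and the log lines are constructed.

```python
"""Added example (not from the article): flag internal senders who repeatedly
send attachments to the same personal webmail address over a long period.
Log format, domains and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed outbound-mail gateway log: timestamp, sender, recipient,
# attachment count. Not real data.
SAMPLE_LOG = """\
2021-03-02T08:14:05 j.doe@ccp.example analyst@partner-plan.example 1
2021-03-02T17:55:41 j.doe@ccp.example jdoe1987@gmail.com 2
2021-03-16T18:02:13 j.doe@ccp.example jdoe1987@gmail.com 1
2021-04-01T17:49:59 j.doe@ccp.example jdoe1987@gmail.com 3
2021-04-20T09:12:30 a.smith@ccp.example a.smith@ccp.example 1
2021-04-22T12:30:00 a.smith@ccp.example friend@yahoo.com 0
2021-05-05T18:10:07 j.doe@ccp.example jdoe1987@gmail.com 1
"""

INTERNAL_DOMAIN = "ccp.example"  # assumed organization domain
# Assumed list of consumer webmail domains treated as "personal" destinations.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
                    "icloud.com", "aol.com"}


def parse_log(text):
    """Parse whitespace-separated gateway lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, attachments = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender.lower(),
            "rcpt": rcpt.lower(),
            "attachments": int(attachments),
        })
    return events


def is_personal(address):
    """True when the recipient's domain is a consumer webmail provider."""
    return address.rsplit("@", 1)[-1] in PERSONAL_DOMAINS


def find_recurring_exfil(events, min_messages=3, min_span_days=30):
    """Return {sender: summary} for internal senders who sent at least
    min_messages messages with attachments to the same personal address,
    spanning at least min_span_days between first and last message.
    Both thresholds are tuning assumptions, not values from the article."""
    by_pair = defaultdict(list)
    for e in events:
        if not e["sender"].endswith("@" + INTERNAL_DOMAIN):
            continue  # only internal senders are in scope
        if e["attachments"] == 0 or not is_personal(e["rcpt"]):
            continue  # no attachment, or not a personal destination
        by_pair[(e["sender"], e["rcpt"])].append(e["ts"])

    alerts = {}
    for (sender, rcpt), stamps in by_pair.items():
        stamps.sort()
        span_days = (stamps[-1] - stamps[0]).days
        if len(stamps) >= min_messages and span_days >= min_span_days:
            alerts[sender] = {
                "recipient": rcpt,
                "messages": len(stamps),
                "span_days": span_days,
                "first": stamps[0].isoformat(),
                "last": stamps[-1].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for sender, summary in find_recurring_exfil(parse_log(SAMPLE_LOG)).items():
        print(sender, summary)
```

The single message from `a.smith` to a Yahoo address carries no attachment and is ignored; `j.doe` is flagged because four attachment-bearing messages to one Gmail address span roughly two months. A hit like this is a lead for a privacy officer to review, not proof of wrongdoing: some staff have sanctioned reasons to mail external parties, and the domain list will never be complete, so the rule belongs alongside access logging and role-based limits on PHI rather than in place of them.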
New technology introduces new risks
Any technological innovation comes with a new set of security risks that must be considered. The emergence of artificial intelligence (AI) and cloud computing has both strengthened healthcare cybersecurity efforts and created new exposure.
“The healthcare industry has been digitized for a number of years. Now with the Internet of Things and artificial intelligence, you have a lot of other players that are monetizing data that may or may not have as robust control,” Klein reasoned.
Recent research suggested that artificial intelligence tools may effectively bolster cybersecurity efforts. AI's ability to constantly monitor networks may allow it to detect threats faster and work alongside humans in mitigating cyber risks. AI in cybersecurity is projected to grow at a CAGR of 23.66 percent from 2020 to 2027.
On the clinical side, AI has the capability to improve predictive analytics and care coordination and to efficiently process large quantities of de-identified data. Once data has been de-identified under HIPAA's standard, it is no longer PHI and falls outside the Privacy Rule, so it can be used for research. However, some experts argue that savvy adversaries can re-identify such data by linking it with other datasets that share the same attributes, reintroducing the privacy risk that de-identification was meant to remove.
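The re-identification risk is easiest to see with a linkage attack: a "de-identified" extract that still carries full date of birth, five-digit ZIP code and sex can be joined to any public record set (a voter roll, for example) that carries the same three fields plus a name. The code below is an added example, not from the article or any source it cites; both record sets are constructed, the diagnosis codes are illustrative, and `safe_harbor()` applies only the two generalizations from HIPAA's Safe Harbor method that matter here (dates reduced to year, ZIP truncated to three digits), skipping Safe Harbor's other requirements such as the 20,000-population check on three-digit ZIP areas.

```python
"""Added example (not from the article): re-identification of a 'de-identified'
clinical extract by joining on quasi-identifiers, and how Safe Harbor-style
generalization shrinks the attack. All records are constructed."""
from collections import defaultdict

# Constructed clinical extract: names and SSNs stripped, but full date of
# birth and 5-digit ZIP retained. 'dx' is an illustrative diagnosis code.
CLINICAL = [
    {"zip": "19104", "dob": "1979-03-14", "sex": "F", "dx": "E11.9"},
    {"zip": "19104", "dob": "1985-07-02", "sex": "M", "dx": "F32.1"},
    {"zip": "19104", "dob": "1985-07-02", "sex": "F", "dx": "J45.20"},
    {"zip": "08002", "dob": "1962-11-30", "sex": "M", "dx": "I10"},
]

# Constructed public record set (think voter roll) that carries names.
PUBLIC = [
    {"name": "Ana Ruiz",  "zip": "19104", "dob": "1979-03-14", "sex": "F"},
    {"name": "Gia Lee",   "zip": "19143", "dob": "1979-09-01", "sex": "F"},
    {"name": "Ben Cho",   "zip": "19104", "dob": "1985-07-02", "sex": "M"},
    {"name": "Ian Park",  "zip": "19146", "dob": "1985-01-20", "sex": "M"},
    {"name": "Dana Ito",  "zip": "19104", "dob": "1985-07-02", "sex": "F"},
    {"name": "Jo Kim",    "zip": "19147", "dob": "1985-12-05", "sex": "F"},
    {"name": "Eli Roth",  "zip": "08002", "dob": "1962-11-30", "sex": "M"},
    {"name": "Hal Ng",    "zip": "08034", "dob": "1962-02-10", "sex": "M"},
    {"name": "Fay Roth",  "zip": "08002", "dob": "1962-11-30", "sex": "F"},
]

# The quasi-identifiers shared by both sets: none is an identifier alone,
# but together they single out most people.
QUASI = ("zip", "dob", "sex")


def _key(rec, keys):
    return tuple(rec[k] for k in keys)


def build_index(public, keys=QUASI):
    """Map each quasi-identifier combination to the names that share it."""
    index = defaultdict(list)
    for p in public:
        index[_key(p, keys)].append(p["name"])
    return index


def candidate_counts(clinical, public, keys=QUASI):
    """How many public records match each clinical record (1 = unique)."""
    index = build_index(public, keys)
    return [len(index.get(_key(r, keys), [])) for r in clinical]


def link(clinical, public, keys=QUASI):
    """Return {name: diagnosis} for every clinical record that matches
    exactly one public record, i.e. the successful re-identifications."""
    index = build_index(public, keys)
    hits = {}
    for rec in clinical:
        names = index.get(_key(rec, keys), [])
        if len(names) == 1:
            hits[names[0]] = rec["dx"]
    return hits


def safe_harbor(rec):
    """Generalize the two fields the way Safe Harbor requires: keep only the
    year of a date and the first three digits of a ZIP code. (Safe Harbor's
    other rules, such as zeroing sparse ZIP3 areas, are omitted here.)"""
    out = dict(rec)
    out["dob"] = rec["dob"][:4]
    out["zip"] = rec["zip"][:3]
    return out


def generalize(records):
    """Apply safe_harbor() to a whole record set. An attacker applies the same
    coarsening to the public set so the join still runs on equal keys."""
    return [safe_harbor(r) for r in records]


if __name__ == "__main__":
    print("raw extract:", link(CLINICAL, PUBLIC))
    print("generalized:", link(generalize(CLINICAL), generalize(PUBLIC)))
```

With the raw extract every clinical row joins to exactly one name, so all four diagnoses are re-identified. After generalization each row has two candidates and `link()` returns nothing. In a real population the candidate sets for year-of-birth, ZIP3 and sex are far larger than two, which is the point of the rule; the converse is that any extra attribute left in an extract (admission date, rare diagnosis, ZIP+4) cuts those sets back down, so de-identification has to be judged on the whole record, not field by field.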
But introducing new technologies often means introducing new third-party vendors to a healthcare organization’s data repositories, which also contributes added risk.
“The question is whether [AI vendors] have the same incentives to make sure that information is not being utilized in a way where the individual who provided the information does not know how the data will be used,” Klein noted.
Organizations should assess a third-party vendor's security controls and data-use practices before entrusting it with any critical data.
Financial strain caused by COVID-19
COVID-19 overwhelmed the healthcare sector in numerous ways, and it pushed cybersecurity efforts to the backburner. Financially, many healthcare organizations could not afford to invest more funds into preventive cybersecurity measures.
“One would have thought that COVID would have produced a lot of revenue for healthcare institutions, but that's not actually what happened,” Klein revealed.
“They certainly had to divert their attention to take care of COVID patients and hire more staff. They also had to turn away elective surgeries, which provide a lot of cash for healthcare.”
Meanwhile, ransomware actors saw the pandemic as an opportunity to attack the healthcare sector while providers were stretched to their limits caring for patients.
“It takes money to do security well,” Klein continued. “There is no question that COVID has increased ransomware. It has not only increased the number of ransomware attacks, but the extortion amount too.”
Threat actors tend to target victims who stand to lose the most if they cannot pay the ransom and their data proves unrecoverable. The healthcare sector is particularly vulnerable because patient safety hangs in the balance.
Without the proper security investments, bad actors can more easily infiltrate networks and access valuable healthcare data.
Top priorities, mitigation tips for the healthcare sector
Klein said that she expects regulatory agencies to carry over their increased focus on cybersecurity into the next year. The White House and the Department of Justice both announced initiatives and programs aimed at tackling cybersecurity across US critical infrastructure.
In the first quarter of 2022, the Office of the National Coordinator for Health Information Technology (ONC) plans to release its final version of the Trusted Exchange Framework and Common Agreement (TEFCA). By the end of 2022, Qualified Health Information Networks (QHINs) will begin signing the Common Agreement.
“The overall goal for [TEFCA] is to establish a floor of universal interoperability across the country,” ONC’s website states.
“The Common Agreement will establish the infrastructure model and the governing approach for users in different networks to securely share basic clinical information with each other—all under commonly agreed-to expectations and rules and regardless of which network they happen to be in.”
Klein, who is also on the board of the Electronic Health Network Accreditation Commission (EHNAC), predicted that TEFCA would bring more attention to data exchange and improve interoperability throughout the healthcare sector in upcoming years. There are currently no industry-wide trusted data exchange standards.
Klein also predicted that regulatory agencies would shift their attention toward businesses that have access to PHI, beyond healthcare providers.
The Federal Trade Commission (FTC) recently released a new policy statement affirming that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule.
Health tech companies often fall into a regulatory grey area when it comes to collecting health information. Regulatory agencies have not yet matched the speed of technological innovation, leaving some companies in the dark about the rules surrounding health data exchanges.
Organizations should focus on obtaining and maintaining reliable data backups, regularly patching vulnerabilities, and gaining an understanding of where their critical data assets are beyond just PHI in order to manage healthcare’s unique cybersecurity risks, Klein suggested.