For all of the debate about the future of American healthcare, it is clear that the healthcare industry in our country is gargantuan and complicated. According to the Centers for Medicare and Medicaid Services, U.S. healthcare spending reached $3.5 trillion in 2017. That comes out to $10,739 per person. The United States spends about 17 percent of its gross domestic product on healthcare, significantly above the average of comparable countries. While Georgia has one of the lowest rates of healthcare spending per capita, its spending is still sizable.
High costs and patient outcomes are significant hurdles in the American healthcare industry. Another persistent concern is security. The industry handles extremely sensitive information on a daily basis, and privacy is a legal obligation: all healthcare professionals must protect patients’ privacy under HIPAA, HITECH, and other legislation.
While this sensitive information can be used to provide better patient outcomes, it can also be used by bad actors in truly nefarious ways. One study found that the healthcare industry suffers more cyber-security breaches than any other industry. It is therefore important not only to identify these security vulnerabilities, but also to understand how industry professionals can proactively mitigate—or even entirely eliminate—these risks. Doing so will give patients some much-needed peace of mind and will help medical professionals concentrate on providing the best possible care.
To start, one of the most significant security threats in the healthcare industry comes from the medical provider’s own employees. While it is uncomfortable to think that a provider’s employees are misappropriating patient information, the data bears this out. According to one Verizon study of data breaches across industries, many cyber-attacks in the healthcare industry are caused by internal actors. These internal actors often have broad access to a wide range of patient data, so privilege abuse against databases is quite common. In all, the Verizon study found that 59 percent of the healthcare data breaches it examined came from internal actors.
The most common error behind healthcare breaches is the misdelivery of data: a situation where information about a patient is sent to the wrong recipient. For instance, a document detailing a patient’s procedure, or the costs of that procedure, is sent to a third party rather than to the patient herself or the patient’s insurer. The Verizon study found that misdelivery accounts for about 60 percent of the error varieties seen in healthcare breaches. It is followed by publishing errors, disposal errors, loss of documents, and then misconfiguration.
The fundamental problem with security incidents caused by internal employees is that they are extremely hard to detect; it can take years to discover such a breach. Data security professionals within healthcare organizations must therefore do their part to control access to sensitive patient data. Regular audits of staff members’ devices are also a step in the right direction. Finally, healthcare organizations can invest in data loss prevention products that further mitigate data misappropriation.
Beyond threats inside the organization, another top security threat comes from outside it: hackers and other cyber-criminals aiming to find and misappropriate patient information. The most common type of breach is a phishing attack, followed by network intrusions, unpatched servers, and exposed remote desktop connections. In other words, humans again contribute to security vulnerabilities, but here they are unwitting accomplices rather than insiders intending to misappropriate data.
Once cyber-criminals gain access to a healthcare system, they proceed in several different ways. Most often, they attempt to access an Office 365 account, roam the network for available data, install ransomware, or try to secure a wire transfer to the attacker’s account. The average ransomware payment was $28,920. That said, in about 10 percent of cases a decryption key was not provided.
Healthcare professionals and organizations certainly need to do their part to protect patient data from outside threats. Because some of the most glaring vulnerabilities come from employees, training is critical. There are signs of improvement in this area: one recent survey by Infoblox found that employee education in this space has grown over the past two years. Healthcare companies are spending 10 percent more not only to improve email hygiene, but also to eliminate phishing scams and ransomware. This is a constant work in progress, however, and it requires employee vigilance at all times. As with defending against any other type of attack, the defending organization has to be right every single time, while an attacker only needs to be right once.
To help employees with this effort, healthcare organizations are also allocating more capital to cyber-security. According to the Infoblox study, 28 percent of healthcare organizations are spending 11 percent to 20 percent more on cyber-security year over year. As for those investments, 59 percent is being spent on antivirus software, 52 percent is being spent on firewalls, and 51 percent is being spent on application security. While this is a start, healthcare organizations and their employees must continue to be vigilant in order to protect patient data from bad actors.
Whether you are protecting patient information from internal employees or third-party actors, it is critical to be aware of these potential threats. Unfortunately, the discussion above does not cover every threat. For instance, one of the fastest-rising security threats within the medical industry centers on medical devices. New medical devices that are both connected to the internet and hold ever more patient information represent a treasure trove of data for cyber-criminals. This is a new area of concern for security professionals in the healthcare industry, so it will certainly be worth watching in the near and long term.
Because of all of these threats, healthcare organizations both large and small must invest in security. By doing so, you will not only provide better service and care for your patients, but you will avoid potential financial or legal troubles in the future.
For other healthcare trends, see our blog post on the market overview.