In late 2014, the IT systems of Sony Pictures Entertainment were hacked in one of the most brazen cyberattacks in history.
The attackers (who have never been brought to justice) made off with the usual targets of cybercrime: names, Social Security numbers, and financial information. But the breach was also a failure of healthcare information security.
How? Because the stolen non-financial data included detailed health information about Sony Pictures employees.
What would cybercriminals want with health records? In the Sony Pictures case, the perpetrators appear to have leaked the stolen health information to embarrass the company as much as possible. For other victims, other motives are easy to imagine, such as blackmail.
Cybercrime targeting healthcare information, healthcare providers, insurers, and other stakeholders is on the rise. It also costs the healthcare industry billions of dollars each year.
But the cybersecurity practices in place at many hospitals, clinics, insurers, employers, medical device and pharmaceutical manufacturers, and governments, remain woefully inadequate.
In this article, we will discuss cybersecurity for the healthcare industry, including the relevant healthcare IT security standards and regulations, the many ways in which the industry is vulnerable, and the best ways for healthcare entities to build their healthcare information security defenses.
Do Small and Mid-Sized Clinics Need to Worry About Healthcare Information Security?
The short answer is yes.
It isn’t just large organizations that need to be concerned with cybersecurity. Healthcare entities of all sizes, including smaller and mid-sized clinics and practices, must have solid cybersecurity defenses.
Many smaller organizations assume that their size makes them uninteresting to hackers. The reality is that much of today's attack activity is automated and opportunistic: scanners and phishing campaigns do not check the size of the target, and attackers know that small to mid-sized organizations often have inadequate defenses and are therefore easy targets.
What Are the Healthcare Cyber Security Standards?
In the U.S., medical information security is regulated primarily by the federal Health Insurance Portability and Accountability Act (HIPAA), through its Privacy Rule, Security Rule, and Breach Notification Rule:
- The Privacy Rule defines protected health information (PHI) and limits how it may be used and disclosed. Disclosures for treatment, payment, and healthcare operations are permitted; most other disclosures require the patient's written authorization.
- The Security Rule specifies the administrative, physical, and technical safeguards required for PHI that is stored or transmitted electronically (ePHI), including electronic health records.
- The Breach Notification Rule requires a covered entity to notify the affected individuals, and the Department of Health and Human Services, when a breach of unsecured PHI has occurred; breaches affecting more than 500 people must also be reported to prominent media outlets.
HIPAA compliance is important, of course, but healthcare entities hold more than just protected health information.
They also hold financial and identity data that interests cybercriminals, such as Social Security numbers, driver's license numbers, and payment card information. For this sensitive information, other regulations and industry standards come into play:
- The Payment Card Industry Data Security Standard (PCI DSS) defines security requirements for any organization that stores, processes, or transmits credit and debit card data.
- Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices, has been used to penalize for-profit entities that fail to provide adequate security for their customers' personal data.
- State laws, such as the California Consumer Privacy Act (CCPA) and the breach-notification statutes every state has enacted, add further requirements for protecting customer data and remedies for non-compliance.
Where Are the Medical Cyber Security Vulnerabilities?
When hackers steal health or financial information, it can cost victims money and can ruin businesses. But modern healthcare IT technology also provides hackers with the ability to disrupt the delivery of healthcare, causing injury or death.
Thus, healthcare providers have an extra incentive to ensure the security of their information systems. Consider the following vulnerabilities:
- Many medical devices connect to local and cloud-based databases and to other devices over the local network and the internet, and many run older operating systems that are difficult to patch. An attacker who compromises such a device can read sensitive health information and may also be able to alter the device's behavior.
- The growth of telemedicine gives attackers new ways to disrupt the delivery of care. Every telemedicine session should be encrypted from end to end, with both the clinician and the patient authenticated, to protect health information in transit.
- The reliance on email as the primary means of communication within and among clinics, patients, suppliers, labs, and insurers means that many stakeholders can fall victim to phishing attacks that steal credentials or deliver malware.
- Hackers know that many healthcare entities keep patient information only in electronic form and cannot function without it. Ransomware attacks against healthcare entities are on the rise, and more than one clinic has permanently closed its doors after losing its data; tested backups kept out of reach of the attacker are the only reliable way to recover.
This, of course, is just a small sample of the myriad ways that hackers can victimize healthcare entities and patients. For these and other reasons, security in healthcare information systems should be of paramount importance.
How to Strengthen Cyber Security in Healthcare
How can healthcare entities improve their cybersecurity readiness? Most large organizations have dedicated data security teams within their IT departments.
However, small to mid-sized clinics and doctors' offices often lack even a single IT specialist, let alone a team. These practices are usually on their own when it comes to healthcare information security.
There are some steps that any organization can take to improve its cybersecurity, even without any IT expertise, such as:
- Keep operating systems, applications, and network devices up to date with the latest security patches and updates.
- Use strong, unique passwords for all IT systems, components, and user accounts, and turn on multi-factor authentication wherever it is offered.
- Change default administrator (super-user) passwords on every device and application before it goes into service.
- Keep backups offline or otherwise out of reach of ransomware, and test that they actually restore.
- Learn the characteristics of phishing attacks (spoofed sender names, lookalike domains, mismatched reply addresses, urgent demands, and links to unfamiliar sites) and reinforce this knowledge among all staff members.
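As an added example (not code from the original article or from True North), the following Python script applies the phishing characteristics listed above to raw e-mail messages, using only the standard library. It flags a display name that shows a different address than the real sender, a sender domain that imitates a trusted one, a Reply-To routed elsewhere, urgency language, and links to untrusted hosts. The trusted-domain list, the urgency phrases and the two sample messages are all constructed for this demonstration.

```python
"""Flag common phishing indicators in raw e-mail messages.

Added example, not code from the original article. The trusted-domain
list, the urgency phrases and the two sample messages below are all
constructed for this demonstration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed for this example: domains the clinic legitimately uses.
TRUSTED_DOMAINS = {"example-clinic.org", "example-lab.com"}

# Phrases that pressure the reader to act before thinking.
URGENCY_PHRASES = ("urgent", "immediately", "suspended",
                   "verify your account", "password will expire")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _lookalike(domain: str) -> bool:
    """True if an untrusted domain imitates a trusted one: either it
    embeds the trusted domain's first label, or it has the same length
    and differs in exactly one character (e.g. an 'i' swapped for 'l')."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in domain:
            return True
        if len(domain) == len(trusted) and \
                sum(a != b for a, b in zip(domain, trusted)) == 1:
            return True
    return False


def phishing_indicators(raw: bytes) -> list:
    """Return (code, detail) pairs for each indicator found in `raw`.
    An empty list means none of the checks fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Display name shows an address whose domain differs from the
    #    real sender, e.g. "lee@example-clinic.org" <x@evil.example>.
    name_dom = _domain(from_name)
    if name_dom and name_dom != from_dom:
        found.append(("display-name-mismatch",
                      f"name shows {name_dom}, sender is {from_dom}"))

    # 2. Sender domain imitates one the clinic trusts.
    if _lookalike(from_dom):
        found.append(("lookalike-sender", from_dom))

    # 3. Replies are routed to a different domain than the sender's.
    reply_dom = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        found.append(("reply-to-mismatch", reply_dom))

    # 4. Urgency language in the subject or body.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        found.append(("urgency-language", ", ".join(hits)))

    # 5. Links whose host is not one of the trusted domains.
    for host in re.findall(r"https?://([^/\s\"'<>]+)", body):
        if host.lower() not in TRUSTED_DOMAINS:
            found.append(("untrusted-link", host))

    return found


# Constructed sample messages: one ordinary, one with every indicator.
LEGIT = b"""\
From: Dr. Lee <lee@example-clinic.org>
To: frontdesk@example-clinic.org
Subject: Tuesday schedule
Content-Type: text/plain; charset=us-ascii

Please move the 9am slot to 10am. Thanks.
"""

PHISH = b"""\
From: "lee@example-clinic.org" <billing@example-clinlc.org>
Reply-To: collect@mailbox-recovery.example
To: frontdesk@example-clinic.org
Subject: URGENT: verify your account immediately
Content-Type: text/plain; charset=us-ascii

Your password will expire today. Sign in at
http://example-clinic-org.login-check.example/portal to keep access.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT), ("suspicious", PHISH)):
        print(label, phishing_indicators(raw))
```

The checks are deliberately simple header and body heuristics, not a replacement for a mail gateway's SPF, DKIM and DMARC evaluation; they are the same cues staff are asked to notice, written down so they can be run consistently, and a message that trips several of them at once should be treated as hostile.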
Even with these basics in place, securing a healthcare practice is a moving target: attackers and their techniques keep changing, and the defenses have to keep pace.
Your Proactive Healthcare Cybersecurity Partner
The sophistication of the IT systems in even the smallest medical offices means that the skills needed to secure them often exceed the expertise available in house.
The time that doctors, nurses, and other practitioners spend dealing with healthcare IT issues is time not spent treating patients, after all.
The best way for small- and medium-sized healthcare entities to take control of their cybersecurity is to engage an outside expert. At True North, we are experts in healthcare cybersecurity, serving over 100 hospitals and practices throughout the U.S.
We understand how to meet HIPAA and other regulatory data security requirements and can customize a right-sized, compliant, and robust security solution for your clinic or practice.
The time to address your cybersecurity vulnerabilities is now – not after a data breach or other cyberattack shuts down your practice.
If you are spending too much time addressing IT security concerns and not enough time treating patients, contact True North today and learn how our healthcare security experts can protect your IT systems and patient data.