4 Healthcare Cybersecurity Challenges and How to Combat Them
As the healthcare industry becomes more technologically connected, the risk of cyber theft also increases.
Digital technologies make it easier and more efficient to deliver patient care and provide better outcomes. However, the rise of digital technologies and the growing interconnectedness between different healthcare systems come with increasing healthcare cybersecurity threats.
The benefits of healthcare technology advancement are undeniable. Electronic health records (EHRs) have become critical to improving diagnostics and patient outcomes, with 75% of healthcare providers reporting that EHRs help them deliver better patient care, according to HealthIT.gov. With providers increasingly relying on technological advancements, healthcare cybersecurity threats have risen in tandem. The cybersecurity firm Emsisoft reports that the U.S. had more than 560 cyberattacks against healthcare facilities in 2020.
Hospitals house hundreds and even thousands of patients and their personal data, making them prime targets for hackers and making cybersecurity an important area of concern for hospital leaders. A 2018 attack on the Hancock Regional Hospital in Greenfield, Ind., shows just how a ransomware attack can impact cybersecurity in hospitals. Hackers accessed backup system data and permanently corrupted files, including EHRs. The hospital remained operational even after the IT team shut down the network, so thankfully, patients didn’t have to be diverted. However, the attack did impact the hospital financially — it wound up paying a ransom of four bitcoins valued at $55,000 to get its data back.
Cyberattacks come in many forms, from ransomware to theft of personal information. The impact of an attack can vary depending on the size of the facility. Four issues are common throughout healthcare as it relates to cybersecurity: patient privacy protection, the vulnerabilities of legacy systems in healthcare, the challenges of IT in healthcare, and security breaches.
1. Patient Privacy Protection
As the healthcare industry becomes more technologically connected, the risk of cyber theft also increases. There are two types of theft: outside theft and insider misuse.
- Outside theft: Hackers from a location outside of a healthcare organization penetrate patient and medical systems to steal and collect data, mainly for financial gain. For example, they might use patients’ personal information to submit fraudulent claims to health insurers. According to the Office of Inspector General, medical identity theft disrupts care and wastes taxpayer money. Outside theft can also include hackers forcing healthcare organizations to pay a ransom in return for restoring patient data systems. In 2020, healthcare data breaches from external actors exceeded inside breaches — 51% and 48%, respectively — according to Verizon.
- Insider misuse: Insider misuse often comes in the form of theft of patient data for financial gain or malicious intent. Other types of insider misuse include curiosity (unwarranted access to data not related to delivery of care) and convenience (overriding security protocols to make a job easier). Unintentional actions such as human error, including mistyping information into EHRs or clicking on a phishing email, make up the rest of insider misuse cases.
With the Health Insurance Portability and Accountability Act (HIPAA) of 1996, healthcare organizations are legally obligated to protect patient privacy. The HIPAA Privacy Rule sets limits on how patient health information is used and shared with other healthcare practitioners. Through cybersecurity measures and by adhering closely to legal regulations and standards, healthcare organizations can help ensure that patient data is kept away from potential cybercriminals.
2. Vulnerabilities of Legacy Systems
Replacing legacy systems with up-to-date digital tools can maximize health outcomes and provide healthcare providers, administrators, IT staff, and patients with better experiences. It can also minimize vulnerabilities. However, change is difficult. Before undertaking a transition, an organization should outline a strategy with input from multiple stakeholders. A considered plan can result in a successful transition if healthcare organizations are willing to take on challenges.
Despite the benefits digitization provides, many healthcare systems keep outdated legacy systems for the following reasons:
- Tight budgets to perform upgrades: Moving to a new system includes the costs of buying new technology and paying technicians. It may also mean downtime, which reduces opportunities for a healthcare facility to generate revenue.
- Compliance guarantee: Compliance processes to certify new equipment and technology can be tedious. Organizations that have already gone through the process once may prefer not to undertake it again.
- Upskilling costs: Training staff on new systems is time-consuming and costly, but necessary to minimize errors. Together with training from technology vendors, programs such as the American Hospital Association Team Training program can help leaders integrate teamwork principles into new healthcare systems.
- Complacency: Healthcare organizations may opt to fix a problem only after a system failure or hack — after the damage is done. A proactive approach to replacing legacy systems can help avoid future problems.
A common characteristic of legacy systems in healthcare is their vulnerability to cyberattacks — providing “back-door entry” for cybercriminals to access systems that hold personal and medical data. In addition to the danger to patients, data theft can interrupt workflows, impacting staff performance.
Another factor that increases the vulnerability of legacy systems is the lack of support from third-party vendors. Once a technology is outdated, it becomes increasingly difficult to find the necessary support to address issues or fix problems.
3. Challenges of IT in Healthcare
The increased use of IT in healthcare has provided benefits such as better communication between doctors and patients, automation of manual tasks, and improved communication between physicians caring for the same patients. IT and digitization have also empowered patients to make better decisions about their care, as patients have greater access to information about their health through EHRs and patient portals.
Additional benefits of IT and digitization in healthcare include the following:
- Reducing inefficiencies
- Improving healthcare access
- Lowering healthcare costs
- Enhancing care quality
- Providing more personalized medicine for patients
To achieve the benefits, connected technologies are essential, although they are also targets for cyberattacks and data breaches. Despite external breaches surpassing internal misuse as the predominant source of security risk, internal misuse is more common in the healthcare industry compared with other industries, according to Verizon.
For IT leaders trying to minimize security breaches in healthcare, reduce cyber theft, and increase patient privacy, strengthening cybersecurity remains a high priority. According to a LexisNexis Risk Solutions Group white paper, improving cybersecurity is the second most important focus among healthcare chief information officers.
Another key challenge for IT in healthcare is managing interoperability, which is cited as the first priority among technical leaders in healthcare in the LexisNexis white paper. Managing interoperability deals with how to effectively close gaps in information shared across different digital points of contact. Healthcare leaders look to address the challenges by transforming business and healthcare processes to align with digitization trends and improve performance.
4. Security Breaches
In 2020, the healthcare industry saw hackers taking advantage of COVID-19 fears. One example involved an email about a supposed “coronavirus map” to track COVID-19 cases; clicking on the link activated information stealer malware that stole passwords and credit card information.
Some of the biggest healthcare data breaches of 2020 came from fraud schemes, phishing attacks, and vulnerabilities in healthcare vendor systems. For example, HealthITSecurity reports that more than 1 million patients were impacted when hackers breached a third-party system from Dental Care Alliance, with 10% of patients’ bank account numbers breached.
Phishing, malware, ransomware, theft of patient data, insider threats, and hacked Internet of Things (IoT) devices — these are just a few concerns of healthcare cybersecurity professionals. Too many threats to healthcare cybersecurity exist to ignore the risks. In addition to acquiring personal patient data for financial gain, a security breach can cost lives. Strategies and practices to help prevent cyberattacks include the following:
- Cybersecurity training: Training staff in basic healthcare cybersecurity, such as never clicking on a link in an email from an unverified source, can play a big role in reducing cyber threats.
- Applying software updates promptly: Software updates typically include patches to address weak security, so ensure that systems have the latest software version.
- Implementing proven cybersecurity software: In addition to installing cybersecurity software on every connected machine, healthcare cybersecurity professionals can help address issues as they arise.
- Strengthening system access controls: Limiting access to those who need it can mitigate risk.
- Advocating best practices, such as updating passwords on all systems: Not only cybersecurity professionals are responsible for healthcare cybersecurity; everyone plays a role, even if simply updating passwords on a regular basis.
- Performing regular risk assessments: Risk/benefit assessments, especially for legacy systems, allow organizations to identify the weak points in a network.
Modernizing Healthcare to Reduce Risk, Improve Care Outcomes
The advantages of healthcare technology are clear. Technology enables:
- Physicians and other medical professionals to improve communication with their patients and other healthcare providers through smartphone apps, telehealth software, and texting.
- Patients to be more proactive in their care thanks to digital health apps and patient portals that allow them to check on test results, schedule appointments, and renew subscriptions.
- Healthcare facilities to improve operations, resulting in better care delivery, a more efficient workforce, and lower costs.
Technology can also be a pain point if left unprotected. Modernization of healthcare systems enables organizations to adapt to digital trends and respond to patient preferences, but also reduce security risks by eliminating weak points hackers look to target.
By addressing the four cybersecurity challenges healthcare faces, namely patient privacy protection, legacy system vulnerabilities, IT challenges, and security breaches, healthcare organizations can improve quality of care and advance the industry. To succeed in this effort, they need to embrace health industry cybersecurity practices, understand the risks of inaction, and create a culture in which healthcare cybersecurity is a top priority.
This content was originally posted on Maryville University’s blog. The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, Campus Safety magazine.