The healthcare industry is now using integrated technology with the digitization of patient data. There are medical monitoring devices using smart technology. There are also various types of software for telehealth and virtual care for patients who are away from the hospital. Emergency medical services (EMS) such as mobile integrated healthcare (MIH) collect data through computer-aided dispatch (CAD) that can be integrated with an ePCR (electronic personal care record) system. All these are vulnerable to breaches and need tight cybersecurity.
The pandemic also brought on more cyber vulnerabilities. With some healthcare staff doing remote work during the pandemic, there are more points of cybersecurity weakness. Healthcare personnel working on site are under a deluge of cases and are always fatigued. This affects compliance with security protocols, even if unintended.
Cyber Breaches on Health Institutions
According to Fitch Ratings, the number and severity of cyberattacks against the public healthcare sector in the U.S. have reached historic highs in the past year and a half. The patient data of an estimated 22 million people were compromised in attacks in 2020, based on information from the U.S. Department of Health and Human Services (HHS). Bitglass research shows that compared to 2019, there were 55 percent more cyberattacks in 2020. Forbes reports that research from Protenus shows an even higher increase at 62 percent.
Attacks in 2020 were also more complex and larger in scale than attacks in 2019, and the average cost of recovering each patient’s data was 16 percent higher. Attacks also caused costly and risky system downtime, at an average of 236 days before restoration.
There are state and federal laws in the U.S. that protect the confidentiality of patient data. One such law is the Health Insurance Portability and Accountability Act (HIPAA). Health institutions shoulder the responsibility of keeping patient data secure in compliance with regulations. When there is a breach that exposes patient information, health institutions are held accountable. They can face litigation as well as federal punitive actions. A breach also results in loss of confidence in the health institution from the public.
These are on top of the millions of dollars in ransom that health institutions usually pay just to get their data back. Also, they need to restore the functionality of their systems as soon as possible because downtime puts lives at risk.
Impact on Patients
When healthcare systems are down for long periods, the entire facility is affected. Most often, the whole hospital or large sections are closed down. This further choked the healthcare system that already had stretched resources during the pandemic. Many patients with severe illnesses from COVID-19 need critical care. There are also other patients, such as those with advanced illnesses that require hospitalization. Having to seek other hospitals endangers the lives of patients.
Cybercriminals do not only victimize the health institutions when they hold their data for ransom. Hackers also steal identities and personal information to sell on the deep web. Other criminals use these to create fake identities, use credit cards, apply for loans, file false insurance claims, or apply for government pandemic aid. There has been a surge in such fraudulent applications. Persons who experience identity theft undergo stressful and lengthy processes to clear their names. Some have to pay for the fake transactions if they cannot prove the identity theft.
Elevating Cybersecurity Measures
In October 2020, an alert was released jointly by the Federal Bureau of Investigation (FBI), the HHS, and the Cybersecurity and Infrastructure Security Agency (CISA), warning of imminent and increased cybercrime threats against the U.S. healthcare sector. The alert identified the most common ransomware deployed by hackers and recommended best practices for protection.
Institutions must have a recovery plan in place. This includes regular data backup with password-protected offline copies and having an air gap. The network must be segmented to separate sensitive data from the email network. Proprietary or sensitive data must have several copies of backups in separate servers in secure locations that are physically apart.
Manufacturers’ updates for operating systems, firmware, and software must be applied upon release. Install automatically updating antivirus and anti-malware software that does regular scans. Multi-factor authentication must be implemented. Limit users with administrative privileges and compartmentalize access based on need.
Finally, all personnel who use internet-connected devices must be given thorough training in cybersecurity to guard against phishing scams and ransomware sent through emails. They must be made to understand the importance of having complex passwords that are changed regularly and kept secure. If they observe any questionable activities, they must report this promptly to stop or mitigate any possible attack.