The $3 trillion US healthcare industry is at huge risk. It's an industry that hasn't taken cybersecurity seriously, mostly because it relies on old systems with timeworn security mechanisms.
Forget your credit card records; the hackers are after your medical records. Medical records are 10 times more valuable than stolen financial information. The FBI issued warnings to healthcare service providers after Chinese cybercriminals hacked into the computer network of Community Health Systems Inc. As a result, 4.5 million patients lost their personal information. Hospital networks are vulnerable, and it's easy for hackers to lay their hands on personal data to commit medical fraud.
The HIPAA Journal reported 33 data breaches in June 2018, which put 356,000 patients' healthcare records at stake. The majority of the attacks were due to IT infrastructure failure, unauthorized access and hacking.
With a patient record, hackers get names, dates of birth, insurance policy numbers, diagnosis codes and billing information. Fraudsters use this information to create fake IDs so that they can buy medical equipment and medicines that can be resold. Other fraud cases that have come to light involve hackers filing made-up claims with insurers by combining patient numbers with bogus provider numbers. Unfortunately, victims whose medical information is stolen are often unable to uncover the theft for a long time, unlike stolen financial information, which is discovered almost instantly and reported to banks so that they can take immediate action. Digitizing medical information has considerably increased the security risks.
What are the top reasons that put the healthcare industry at risk?
1. Low cybersecurity awareness
Healthcare leaders still see cyber-attacks as an issue for the IT department rather than an issue for the entire organization. Not everyone working in the healthcare industry understands the importance of data security. As a result, there are often weak passwords that can be easily hacked and non-existent authentication practices. The majority of the security flaws in the system are introduced by the people working in the healthcare facility or hospital.
Solution: There must be a strong focus on staff training, on organizational awareness of authentication policies, and on the adoption of stricter authorization measures.
2. Higher chances of email phishing attacks
Healthcare staff use email extensively and usually don't have a foolproof mechanism to protect it. Since the volume is large and awareness is low, healthcare professionals will most likely open a phishing email.
Solution: As mentioned above, the staff needs to be made aware of the risks involved in opening unsolicited emails. Training sessions can help them identify phishing emails.
3. Lenient access controls
There isn’t enough staff to manage access controls and, therefore, everyone can access everything. It’s internal staff members who are primarily responsible for data breaches (whether they do it intentionally or unintentionally).
Solution: Sensitive patient data must always be protected. Detailed and proper authorization documentation must be available to enable authorized access, and appropriate action should be taken once an employee leaves the organization.
4. Obsolete software systems
It's a known fact that the healthcare industry lags in the adoption of the latest software systems. The operating systems are never updated, backups are not taken, the security policies are not updated, and the software versions are old. If the systems are obsolete, the risk of bugs and the vulnerability to cyber-attacks increase multi-fold.
Solution: It is critical to update the software, operating systems and security policies periodically. Cyber attackers keep finding new ways of cracking security systems, so it's important to stay one step ahead of them.
5. Increased use of other devices
There's been a sharp rise in the use of mobiles, laptops and tablets at workplaces, and the healthcare industry is no exception. People bring their own devices to work, and such devices might be exposed to data security risks.
Solution: There must be a strict Bring Your Own Device (BYOD) policy for staff members who wish to carry their own devices or access data over their mobiles. Data encryption is required for all devices, which will take care of mobile application security.
There are several other reasons for the healthcare industry to be at a high risk of data theft. If, as someone from the healthcare industry, you wish to get more insight into cybersecurity and are serious about protecting your patient records, you can connect with us.