Healthcare Organizations in the Crosshairs of Malicious Actors
Over the last year healthcare organizations in the United States – both patient care facilities and insurance companies – have become the target of choice for malicious actors from around the world. This uptick in attacks of all kinds against healthcare organizations stems from both organizational change and economic drivers. As healthcare organizations continue to move data to the cloud to streamline patient care through electronic health records (EHR) and drive down the administrative costs of doing business, there are simply more records to steal and data mine. However, it’s the economic driver for malicious actors that’s the real impetus for attacks. Not only do patient records contain the most complete identity records, meaning they can be used over the long term for a variety of ongoing attacks, but they can also be used immediately to initiate fraudulent insurance claims.
C-level executives on both the provider and payer sides are under no illusion about the fact that they’re in the crosshairs of malicious actors. In fact, many of them were together at HIMSS this week to discuss the state of data security and how to ensure the integrity of data and patient privacy. From conversations shared at the conference, it seems that the big three areas of vulnerability stem from mobile device use in hospitals, the interconnectedness of data and data-transmitting devices, and insider threats.
One threat vector that should be added to that list is ransomware. While ransomware attacks have been on the rise since 2014, 2016 has already seen several notable incidents in January and February specifically targeted at hospitals. In general, ransomware attacks are the domain of the unsophisticated and opportunistic. They result in inconveniences – such as requiring handwritten records and the use of fax machines – while the situation is resolved. But because a malicious actor has gained access to the network and been able to place malware, which often lies dormant and is difficult to remove, these “annoying attacks” need to be taken just as seriously as other forms of data breach.
While healthcare CISOs, CIOs, and CSOs are aware of the value of their organization’s data to malicious actors and the likelihood of attack, they’re still behind the curve in both identifying the patterns of attack and having a systematic incident response plan in place. In fact, according to the KPMG 2015 Healthcare Cybersecurity survey, nearly 20% of healthcare CIOs don’t know when they’re under attack, and one in three had no incident response plan.
The KPMG survey did reveal, however, that there is funding available to prevent data security attacks, and that funding for prevention, detection, and remediation at most healthcare organizations is on the rise. The key, however, is making sure that budget is then spent on the right initiatives to combat the threats. To start this process, healthcare information security leaders need to understand both what is already in their data security arsenal and the areas that are currently not covered by existing solutions. While the perimeter of the static network is more than likely well secured and other measures are in place to comply with HIPAA, CISOs need to be looking at mobile endpoints, like the tablets and phones used by physicians and patients alike, not only to create, access, and share records but also to manage care and make payments.
Obviously, the healthcare industry is not going to turn back and take away the very platforms and devices that are improving patient outcomes, increasing provider satisfaction, and streamlining cost management, but those platforms and devices do need to be secured. So, what should CISOs and their peers be looking for when evaluating a solution? Here are our top three tips:
- A solution that provides the ability to streamline workflow to allow medical professionals to focus on patient care and patients to access information without frustration.
- A solution that facilitates collaboration not only within the organization but with external partners.
- A solution that promotes IT as a business partner, one that’s focused on containing costs through better business operations and expanding revenue sources through patient retention.