Cybersecurity in Healthcare

Cybersecurity in Healthcare

Issue

Even though ransomware, data breaches, and other cybersecurity concerns are not new in the healthcare industry, the coronavirus pandemic has revealed how vulnerable, sensitive patient information is. Additionally, the recent growth of various digital initiatives such as telehealth doctor visits is among the major contributors to the increased breach cases of patient records. As healthcare organizations move more of their functions online, they must ensure that they protect these processes from outside threats. However, there is a high likelihood that this healthcare issue with continue as many healthcare providers are slow to respond to threats. At the same time, the use of decentralized systems causes a higher vulnerability to attacks. When a breach occurs, healthcare organizations compromise confidential information and face hefty penalties if they are found to have done anything that could have violated different compliant standards that regulate the industry.

Healthcare information is considered the most vulnerable and the most valuable asset by healthcare authorities; therefore, its security should be prioritized. According to Walker-Roberts et al. (2018), the healthcare industry has registered a 60% increase in cybersecurity threats in recent years. This has turned attacks on healthcare providers into a $13.5 billion industry and made it susceptible to criminals who view it as a gold mine. As the healthcare sector becomes more dependent on technology, cybersecurity risks increases. Having a proper understanding of these challenges can help the healthcare industry protect itself from current and future vulnerabilities.

Risks that it Represent

Ransomware risk involves using a particular form of malware that infect devices, files, and systems until the victim organization pays cybercriminals a certain amount of money. In most cases, common ransomware attacks occur when someone clicks a malicious link, views an ad, and phishing emails containing a malicious attachment. When healthcare staff innocently fall for these traps, the healthcare organization may be forced to spend a lot of time and money (Muthuppalaniappan & Stevenson, 2021). Additionally, when ransomware infects the devices or the network, it becomes hard to perform critical operations and processes until a ransom is paid to the threat actor. Ultimately, this leads to the misappropriation of funds that could otherwise have been used in investing in new technology to help improve the overall standards of patient care.

Currently, the healthcare industry experiences more numerous data breach cases than other industries. According to Walker-Roberts et al. (2018), healthcare has been impacted by 36 million breaches annually. Therefore, there is a need for proper management of healthcare information and monitoring to prevent these data breaches. Additionally, protecting sensitive information is vital to ensuring that patients are provided quality medical care. The challenge is that, even though the mandated HIPPAA guidelines are in place, many organizations do not have the necessary resources to help them ensure that they stay up-to-date with security measures (Muthuppalaniappan & Stevenson, 2021). As a result, this provides an open opportunity for cybercriminals to easily access the patient’s personal information, which may cause reputational issues for the organization and problems for the patients whose data leaks.

Insider threat risks have become a common phenomenon in the healthcare industry today.  Therefore, they are why encryption of data and zero-trust access strategies are utilized to ensure the security of sensitive patient information and data protection. As much as the thought may be unsettling, it is not in all instances when security threats result from staff negligence. Considering that there is so much money surrounding cybersecurity in the healthcare field, sometimes malicious employees may intentionally disclose critical patient information out of spite to generate money from black-market deals. It is easy for employees to leak critical patient information because they know how the network system is set up, possible vulnerabilities in the system, and access codes. Therefore, an employee with malicious intent may expose an organization to a series of threats to benefit themselves.

Additionally, cloud threat risks have increased in recent years. Many healthcare providers have switched to cloud-based data storage solutions because they are simple to use and are easier to retrieve data from, together with enhanced security to help protect patient information. Unfortunately, Muthuppalaniappan & Stevenson (2021) notes that some cloud-based solutions are not HIPAA compliant. Additionally, some popular platforms like Dropbox and the Amazon Web Service fail to meet HIPAA data security and privacy requirements, which makes them easy targets for hackers. Moreover, some organizations do not encrypt data before they send it to and from the cloud, which sometimes creates a chance for intrusion.

It Impacts the Role of the Healthcare Manager

Healthcare managers are responsible for promoting patient records' accuracy, security, and privacy as the professionals on the frontlines of healthcare cybersecurity work. Moreover, as more and more healthcare organizations continue to switch to electronic health records and electronic health systems, healthcare managers are called upon to work with healthcare information management and ensure this information is protected (Muthuppalaniappan & Stevenson, 2021). Human error can result in profound loss of data and money, so healthcare managers must stay vigilant in protecting critical information (Ghafur et al., 2019). Simple mistakes such as printing patient-sensitive information and throwing the paper into a dustbin without tearing it can have devastating implications. Therefore, healthcare managers must create clear roles and responsibilities for employees and access to health information.

It Impacts the Population And Organization

Cyber-attacks have numerous implications for the population and healthcare organizations. For instance, cyber threats to critical patient information and operations systems may take any facility off-line, causing a disruption of care resulting from software outages. In addition, when a healthcare facility cannot access patient records, it may make the provider’s work difficult, making it impossible to provide proper care, shelter, and medication when it is necessary (Walker-Roberts et al., 2018). Also, hospitals may be forced to pay vast amounts of money to the attackers to protect themselves from exposure and prevent the loss of the already exposed patient personal information. Moreover, hospitals risk defamation risk if they are exposed to cyber security issues and disruption of overall operations within the organization.

Possible Actions Needed To Be Taken To Mitigate the Problem

To protect healthcare organizations from cybersecurity threats, many medical providers have started investing in proper safeguards to protect sensitive patient data. Additionally, simple steps like multi-factor authentication, among other strong firewalls, make it hard for hackers to access healthcare organization data (Muthuppalaniappan & Stevenson, 2021). Also, third-party patient engagement vendors must be required to process the HITRUST Certification that employs combined extensive safeguards from the HIPAA, HITECH, and PCI guidelines (Ghafur et al., 2019). Usually, vendors who hold this certification are less vulnerable to ransomware attacks and breaches of essential health data.

Healthcare workers should be educated on ways to avoid potential security breaches. All healthcare staff should learn how to handle and report breaches in security. For instance, they can be taught the dangers of clicking on potential threat links, opening emails originating from unknown senders, and downloading and installing applications (Walker-Roberts et al., 2018). Ensuring that every individual within a healthcare facility is proactive in preventing all potential cybersecurity threats, it would be difficult for attackers to spot openings to leak crucial data. In addition, vulnerability assessment and penetration testing are essential because unpatched vulnerabilities within the information technology infrastructure are the primary targets of cyber attackers. These vulnerabilities provide a better chance for cyber attackers to penetrate the system unnoticed (Ghafur et al., 2019). Therefore, all security patches ought to be updated regularly. Additionally, periodic vulnerability check-ups should be made a norm in the healthcare sector to ensure that the IT infrastructures are free from weaknesses and vulnerabilities.

Employing a seamless backup, offline storage, and restoration methods are among the best ways to avoid or minimize damages caused by cyberattacks. Those in the IT departments can set up backups at preferred times varying from real-time to a couple of hours (Ghafur et al., 2019). Moreover, there should be a routine monitoring of back-ups and weekly checkups for restoration to ensure that these backups do not contain errors.

Lastly, role-based access control can be used to prevent cybersecurity issues within the healthcare industry. Usually, users receive permissions from administrators based on the assigned roles. That means different individuals are provided access based on their responsibility within the healthcare facility to determine their appropriate access levels (Muthuppalaniappan & Stevenson, 2021). Also, access to protected information is provided primarily on the ‘need to know basis by the employees authorized to access that kind of information and according to their occupation titles. 

References

Ghafur, S., Grass, E., Jennings, N. R., & Darzi, A. (2019). The challenges of cybersecurity in health care: the UK National Health Service as a case study. The Lancet Digital Health, 1(1), e10-e12.

Muthuppalaniappan, M., & Stevenson, K. (2021). Healthcare cyber-attacks and the COVID-19 pandemic: an urgent threat to global health. International Journal for Quality in Health Care, 33(1), mzaa117.

Walker-Roberts, S., Hammoudeh, M., & Dehghantanha, A. (2018). A systematic review of the availability and efficacy of countermeasures to internal threats in healthcare critical infrastructure. IEEE Access, 6, 25167-25177.