Cybersecurity risks and the health care system [Report]

By Shelly Kramer, Co-CEO, V3 Broadsuite

When you think about online security, it’s a fair bet that the protection of your health records will be near the top of the list of the personal data that you value the most. Well, surprise: According to a new benchmark report, your personal health information would appear to be less well protected than you might imagine.

The Insights Industry Benchmark Report, the third in an annual series published by BitSight, took a look at six industries that handle and collate our most personal information. The rankings, based on algorithms that take into account security metrics on “events, diligence, and behaviors,” suggest that our health care sector is continuing to underperform when compared to other sectors, with little progress being made to improve the situation.

BitSight applies its proprietary algorithms to produce annual ratings that rank industries on a scale between 250 and 900. The higher the rating, the better the performance. The rating for the healthcare sector falls at 634, which is barely above last year’s 630 ranking. I’m thinking that when healthcare falls behind finance, utilities, and retail—well, let’s just say we have a big problem. We won’t even talk about how dismal the rating of the education sector is.

While the finance industry and the federal government consistently rank highly, it’s surprising that the healthcare industry continues to languish. Also surprising overall is how little progress is being made in improving the ratings in any sector, given today’s hyper-awareness of the real threat of cybersecurity risks.

The type of highly personal and sensitive information maintained by the healthcare industry is attractive to and holds great value for cyberattackers, potentially enabling identity theft and medical fraud. In fact, according to a report in USA Today, the healthcare industry has accounted for 42.5 percent of data breaches over the last three years, with 91 percent of all health organizations reporting a breach over the last two years. Why are these numbers so high? And why does the healthcare sector continue to be so vulnerable to cyber attackers?

While the BitSight report doesn’t give any insight into the reasons for this continued vulnerability, over at Beckers’s Healthcare Health IT and CIO Review, Stephanie Tayengco puts forward some solid reasons why data breaches might be so common.

The cost of updating aging IT. Many operators in the healthcare sector have aging IT systems that run large numbers of legacy applications. The cost sensitive environment that healthcare IT operates in means that rather than updating and modernizing, the approach is typically one of patch and repair. That inevitably leads to weaknesses that hackers are able to exploit. Tayengco suggests that the solution may lie in the flexibility and affordability that cloud technology can offer. The problem is that while the more enlightened are tackling a move to the cloud, inertia in the more conservative healthcare sector is holding back the pace of change.

Too little automation. The antiquated and patched together nature of many healthcare IT systems means that most of the maintenance work must be done manually. As Tayengco  points out, with cybersecurity “manual work is a risk.” However good an IT engineer might be, human error has a high risk possibility margin, and mistakes can leave data vulnerable to attack. Security can and should be improved by automation, and while older legacy systems might not always be easily automated, when updating or moving to the cloud, automated practices should be incorporated whenever possible.

Inefficient monitoring. Disjointed, manually dependent systems by their very nature are harder to monitor, resulting in the inability to proactively identify the threat of attack. A move to more modern, automated technology, combined with a clear response plan under the control of a suitably skilled Chief Information Security Officer, would assist healthcare organizations in identifying—and nullifying—the impact of security breaches.

Reliance on compliance. Although HIPAA regulations set out best practices and implementation guidelines, compliance isn’t in and of itself a guarantee of effective data security. Data managers need to go further than just saying “we’re compliant with the rules, so everything is okay”. The people responsible for data security, any managed IT services provider and/or cloud service provider, as well as any subcontractors, need to be aware of HIPAA’s requirements and have the appropriate safeguards in place. It’s also important to keep up-to-date with current threats and act to mitigate them instead of waiting for the regulations to catch up.

Insider threats. Looking again at Becker’s Healthcare Health IT and CIO Review, Akanksha Jayanthi highlights another potential threat, that of an attack from the inside.

Jayanthi quotes Amit Kulkarni, CEO of Secure Healing who likens the issue of health care security to an egg. “You normally have a hard shell on the outside. Your typical firewall, intrusion detection system, proxy servers. That’s essentially the outer hard shell. What’s on the inside? Once you have an employee authorization — whether you are a nurse, physician, technician, someone from IT, a social worker or a volunteer — you pretty much have unrestricted access to any and all patients’ medical records. It’s all gravy.”

That, he goes on to explain, is in part due to the nature of healthcare. The medical care of the patient comes first, meaning that access to information for professionals and support staff has the highest priority. In those circumstances, it can be easier for someone with malicious intentions to access data. Kulkarni considers that raising awareness of the consequences of breaking the regulations with a program of continuous employee training is key saying, “The enforcement of these policies with the help of fully automated and intelligent tools will continue to bring out the bad apples; many at first, and then the occasional violators surface, and thus the risk continues to diminish.”

The BitSight report highlights an important issue, one that our healthcare sector needs to address to better protect our sensitive health data. Modernization, automation, training, and cloud technologies can all help to mitigate security risks by allowing the implementation of more stringent and effective cybersecurity controls. Cybercriminals are becoming ever more sophisticated and determined and the challenge for our health industry is to match that technological sophistication and determination, to frustrate them, and ultimately, to deter them.

What do you think? Are you surprised by the low ranking of healthcare on the security scale? Do you work in the industry, and perhaps face push-back when trying to alert people to potential tech weak spots? Have other suggestions for shoring up healthcare cyber security? I’d love to hear your thoughts.

Additional Resources on this Topic:

Providers Grapple with Cybersecurity

Weak Cybersecurity At healthcare.Gov Could Place Sensitive Data at Risk

Cyberattacks Could Cost Healthcare Providers $305 Billion in Next 5 Years, Report Says

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies. 

Insights are the best medicine. Visit Dell at HIMSS16.

About the Author: Power More