In late 2017, Midwest healthcare-services provider SSM Health announced that 29,000 patient data records were compromised between February and October 2017. The organization believes the breach occurred when a call center employee improperly accessed clinical information. The leak seemingly affected patients with a primary care physician in St. Louis and prescriptions for specific drugs.
Far from being an outlier, this episode represents an increasingly common experience among medical centers and healthcare providers. In 2016, hackers stole more than 16 million patient records from U.S. healthcare service providers. Healthcare is currently believed to be the fifth-most targeted industry in the hacking community, and evidence suggests that it is moving steadily higher on that list over time.
Several factors make healthcare organizations a prime target for hackers, but the primary factor is that healthcare data is very valuable. Hackers can use patients’ medical data to steal their identities. They can also use that data to file fraudulent tax returns, obtain credit, and validate purchases of prescription medications. Moreover, the healthcare industry is only slowly adopting robust cyber defense systems to fend off hackers. The prevalence of internet-connected medical devices also creates more avenues for hackers to access healthcare information systems.
Hackers also perceive that healthcare entities are more likely to pay a ransom to unfreeze critical information systems during ransomware attacks. Physicians often need immediate access to healthcare networks to provide timely services to patients. Timing can be the difference between life and death for certain patients. Thus, hospitals do not want to risk a delay leading to an adverse outcome. This creates a very strong incentive for the hospital to pay ransoms.
Healthcare Industry Options for Better Data Protection
Perfect cybersecurity in healthcare does not happen overnight. Carrying cyber insurance does protect hospitals and medical centers against losses and third-party liabilities associated with a successful attack, but the industry cannot afford to ignore its immediate cyber defense vulnerabilities. All hospitals and medical centers should also take several steps to remediate this problem:
- Inventory all equipment and systems that could expose the center to a cyberattack, and assess current cyber defense technology;
- Implement regular cybersecurity training and education requirements for all personnel at all levels, including management, physicians, and administrative staff;
- Audit supply chains and vendor information systems to uncover weaknesses that can lead to cyberattacks through those systems;
- Determine cybersecurity best practices in place at other healthcare centers, then work together to improve the overall healthcare cybersecurity environment;
- Require multifactor authentication systems for logging into critical healthcare information systems networks;
- “Tokenize” sensitive data by replacing it with non-sensitive information that hackers couldn’t use for fraudulent purposes;
- Use enhanced security measures, such as biometric logins, for access to networks.
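To make the tokenization item concrete, here is an added illustration (example code written for this page, not from the original article or any vendor product) of a vault-based tokenizer: sensitive fields such as an SSN or medical record number are swapped for random tokens, the original values live only in a separately controlled vault, and a record system that is breached yields nothing usable for fraud. The field names, the record layout and the `tok_` prefix are assumptions.

```python
import secrets
from typing import Dict, Tuple

# Assumption: the fields a center classifies as sensitive identifiers.
SENSITIVE_FIELDS = ("ssn", "mrn")


class TokenVault:
    """Holds the token-to-value mapping. In a real deployment this runs on a
    separately secured system; the clinical/billing database only ever stores tokens."""

    def __init__(self) -> None:
        self._token_to_value: Dict[Tuple[str, str], str] = {}
        self._value_to_token: Dict[Tuple[str, str], str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Reuse the existing token so one patient maps consistently (needed for joins
        # and reporting). Note: consistent tokens still allow frequency analysis of the
        # tokenized table, which is why vault access must be tightly controlled.
        key = (field, value)
        token = self._value_to_token.get(key)
        if token is None:
            # Random token: no mathematical relation to the value, unlike a hash.
            token = "tok_" + secrets.token_hex(8)
            self._value_to_token[key] = token
            self._token_to_value[(field, token)] = value
        return token

    def detokenize(self, field: str, token: str) -> str:
        # Only callers authorized to reach the vault can recover the original.
        return self._token_to_value[(field, token)]


def tokenize_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Return a copy of the record with every sensitive field replaced by its token."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


def leaks_sensitive_values(record: Dict[str, str], originals: Dict[str, str]) -> bool:
    """Check that none of the original sensitive values survive in the stored record."""
    return any(originals[f] in record.values() for f in SENSITIVE_FIELDS if f in originals)


# Constructed sample record (fictitious values) showing what the record system keeps.
SAMPLE = {"name": "J. Doe", "ssn": "123-45-6789", "mrn": "MRN-000123", "rx": "drug-X"}
```

A breach of the tokenized table exposes only `tok_...` strings; recovering identifiers requires reaching the vault as well, which is the separate boundary the control relies on.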
Cybersecurity in healthcare is no longer the concern of a medical center’s technology department alone. Instead, organizations must elevate it to the forefront of overall management. This will require the healthcare industry to create new and better opportunities for cybersecurity personnel. For example, salaries and promotion opportunities must match the opportunities available in other industries to attract top talent.
Cyberattack incidents against the healthcare industry show no signs of slowing down. The industry’s ability to respond to those incidents will depend on how it reacts now to the growing threat.