Cybersecurity in Healthcare is an emerging yet downplayed challenge for health tech worldwide as the vertical explores more digital ways of operating and engaging. Biden and Putin’s Geneva summit in June 2021 brought the cybersecurity discussion to the global stage once again. Although the summit focused more on how cyberattacks are creating cold wars between countries and affecting politics, it certainly made the internet brainstorm the consequences, possible damages, and ways to strengthen cybersecurity norms at the corporate level.
Earlier this year, Statista presented a graph of the monetary damage caused by cybercrime reported to IC3 from 2001 to 2020. It started at 17.8 million USD, and by 2020 the damage was 4.2 billion USD. If the forecast by an IT consulting giant published by Entrepreneur is accurate, cybercrime is likely to cost the world over 10.5 trillion USD annually by the year 2025.
While the whole world has been fighting a virus outbreak, cybersecurity in healthcare turned out to be a digitally driven pandemic in the last 18 months. The sudden need for advanced diagnosis technologies, mechanisms to handle massive records of new data, and rapid communication channels – everything the medical world did to increase its responsiveness and efficiency created new digital gateways for cybercriminals. The cost of an average medical data breach is in hundreds of millions of US dollars. The number is increasing year by year and it is eroding patients’ trust in the institutions. Stronger Cybersecurity in Healthcare is not only about the organizational efficiency of hospitals but also about protecting the trust and integrity of the general public.
What comes under Cyberthreat?
Irrespective of their intentions and motivations, cybersecurity threats upend the efforts of a digitally growing organization, cause severe financial damage, and inflict irreparable reputational damage. Widely employed technologies such as IoT and Cloud Computing, and practices such as distributed data storage and the use of public networks, are increasing the risk of security threats. Every business unit, including the leadership teams, must learn more about these common cybersecurity mishaps and start adopting safe practices (individual and org-wide) immediately.
Why Cybersecurity in Healthcare is a bigger problem in 2021?
Healthcare institutions and corporates are the new target groups for hacktivists and cyber spies. IBM and Ponemon Institute jointly conducted a study and calculated the average cost of a data breach by industry. Healthcare stayed at the top of the list in 2020 and 2021. According to these charts, the cost of an average data breach in the healthcare industry is a whopping 9.23 million USD.
As much as the number is flattering (considering the vertical holds such high-valued data), one cannot deny the fact that Health tech is in such a vulnerable state and prone to peril. Here are the top aspects contributing to this phenomenon.
Networks – Intruders disrupt the network and gain access to the data that is travelling through it. Subpar network security standards and trusting public networks too much can lead to cybersecurity breaches. Vulnerabilities of networks can lead to Wiretapping, Encryptions, Traffic Analysis, Denial of service, Phishing, etc.
Communication Channels – A common target in the age of IoT and connected devices. The attackers try to compromise the operation of sensors and control systems by spoofing, jamming, or sending illicit commands in an attempt to disrupt the core system, cause blackouts, and in some events even result in physical damage to key system components.
Data Storage Practices – Scroll up and check the last graph. Data is the most valuable asset for the corporates in 21st century. Unsecured physical storage devices and cloud storages invite breaches. Impacts of Data breaches include business downtimes, legal complications, data loss, and threat to privacy.
Remote Working – It could be the most unexpected threat to cybersecurity in healthcare, considering most of the medical staff has been working as front-line support ever since the pandemic began. But 61 to 80% of corporate employees (non-essential healthcare delivery professionals who handle and have access to the data) work remotely. Device theft, unauthorized access, or employees acting as corporate spies are just a few of the potential cyberthreats arising from remote working arrangements. Human error is one of the biggest contributors to data breaches.
Biggest health tech breaches during the 2021 pandemic
WannaCry Ransomware in UK – Due to an unfortunate ransomware attack in 2017, National Health System hospitals were forced to delay treatment plans and reroute their ambulances as they temporarily lost access to the hospital’s information systems.
Pfizer Breach – During a cyberattack on this pharma and biotech giant, COVID19 vaccine data was stolen and illegally published online in December 2020. Although the leak caused no significant damage to Pfizer or to the approval process of its vaccine, it certainly caused drama considering the global medical emergency and Pfizer being one of the first few companies to attempt to create a vaccine to prevent COVID19.
Wales Patient Data Breach – The data of over 18000 COVID-19 patients was exposed when an employee ‘accidentally’ posted the information in a public-facing database instead of a secured server. Reports suggest that the patient data included the patients’ initials, dates of birth, geographical information, and gender details.
Brazil Data Leak – Yet another example of ‘human error’. Personal details and health information of 16 million Brazilian citizens were compromised when a hospital employee uploaded a very detailed spreadsheet onto GitHub. Although the information was almost immediately removed from the platform, the damage was already done.
Incidents like these are why it is important for us to discuss Cybersecurity in healthcare today.
How to strengthen Cybersecurity in Healthcare?
As in any other industry vertical, Cybersecurity in Healthcare is all about protecting electronic information to achieve three goals - Confidentiality, Integrity, and Availability. This is what the Healthcare Information and Management Systems Society (HIMSS) calls the CIA triad.
A system architectural model with 7 abstract layers that is inspired by the popular Open Systems Interconnection model (OSI) developed by the International Organization for Standardization (ISO) in the latter half of 1970’s is often used for documentation by the software engineers and architects. Let us follow the same model to discuss the layers’ functions and ways to reinforce better measures of cybersecurity in healthcare tech environments.
Physical Layer
Humans and the devices they use to access the application come under this layer. Most IT security professionals consider humans the weakest link in the mission to enhance cybersecurity in healthcare. Digitally empowered Healthcare shares and receives data from various individuals who are non-healthcare professionals, which increases the exposure. Humans can be distracted, and hackers exploit that quality.
Ways to protect Physical Layer from Cyberthreats
Training & Education
Zero-trust Security Model
Encryption of Information
Access control and Dynamic policy enforcement
Security orchestration, automation, and response (SOAR)
Tools to monitor endpoints and remote employees
Data Link Layer
Often called the perimeter layer, this is where the network layer connects with the physical layer to access and transmit data. The Link layer brings Media Access Control and Logical Link Control together. It is often the most unattended layer in terms of security measures. Whether wired, virtual, or wireless, Ethernet networks need added attention and practices like Key Establishment Protocol to secure the Link Layer.
Ways to protect Data Link Layer from Cyberthreats
Link Layer Encryption
Virtual Networks and Tunneling
Dynamic Access Control at Hardware level
Single Packet Authentication (SPA)
Symmetric Key Encryption
Dual Firewall / Demilitarized Zone
Network Layer
If someone is in your Network Layer, they are already inside your system. The best practice is to give people access to this layer only when you believe it is absolutely necessary. The Network Layer is responsible for addressing, routing, and traffic control. The most common threats to the Network layer are Information Gathering, Spoofing, and Distributed Denial of Service (DDoS).
Ways to protect Network Layer from Cyberthreats
Intrusion Prevention System (IPS)
Web and Packet Filtering
Monitor traffic between Containers
Firewalls between networks
Explore Software-defined Networking (SDN)
Transport Layer
Transport Layer Security (TLS) is a commonly adopted security measure among digitally forward health tech networking professionals to enforce cybersecurity in healthcare. TLS usually involves securing communications between their Web servers and browsers irrespective of their sensitivity levels. Ignoring Transport Layer security can lead to interruption of communications, eavesdropping, data tampering and message forgery.
Ways to protect Transport Layer from Cyberthreats
Ensure site access via HTTPS by enacting HTTP Strict Transport Security (HSTS)
HTTP Public Key Pinning
Internet Engineering Task Force (IETF) standards
Perfect Forward Secrecy (PFS)
Application Layer Protocol Negotiation (ALPN)
Chain of Trust and Certificate Authorities
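The HSTS, Perfect Forward Secrecy and ALPN items above can be checked mechanically. The following Python sketch is an added example, not code from the original article; the function names and the one-year max-age floor are assumptions made for illustration.

```python
import ssl

MIN_MAX_AGE = 31536000  # assumed policy floor: one year, in seconds

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def audit_hsts(headers, min_age=MIN_MAX_AGE):
    """Return findings for a response's HSTS policy; an empty list means OK."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d, findings = parse_hsts(value), []
    age = d.get("max-age", "")
    if not age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(age) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(age) < min_age:
        findings.append(f"max-age {age} below {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings

def hardened_server_context():
    """TLS 1.2+, ECDHE-only TLS 1.2 suites (forward secrecy), ALPN offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    return ctx

def non_pfs_ciphers(ctx):
    """Enabled pre-TLS 1.3 suites that lack an ephemeral (EC)DHE key exchange."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"
            and not c["name"].startswith(("ECDHE", "DHE"))]

if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real site.
    print(audit_hsts({"Strict-Transport-Security": "max-age=300"}))
    print(non_pfs_ciphers(hardened_server_context()))
```

TLS 1.3 suites are skipped in the last check because every TLS 1.3 handshake already uses an ephemeral key exchange.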
Session Layer
Session hijacking, Personal information retrieval, and Cross Site Scripting are some of the common cyberthreats at this layer. The IT managers and software engineers who build the applications are usually accountable for strengthening the Session and Presentation layers. Considering the rise of web applications in health tech, a focus on this and the forthcoming layers could really tighten cybersecurity in healthcare.
Presentation Layer
This host layer ensures the data is structured, presented, encoded, and translated for the Application layer to accept. Losing access control of this layer to the wrong hands can result in SSL Hijacking, Decryption attacks, System exploitation, and Data exploitation. The common security breaches of this layer are attempted via unauthorized login access.
Ways to protect Session and Presentation Layers from Cyberthreats
Data / Key Encryption
Restricted Access Controls
Zero Trust security model
Adopt Identity and Access Management (IAM) tools
System Hygiene (Deactivate ex-user accounts, uninstall unused software, monitor critical patches, etc.)
Use timing methods to restrict unsuccessful session attempts
Employ an Application Delivery Platform (ADP)
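One way to apply the "timing methods to restrict unsuccessful session attempts" item is an exponential backoff per account. The Python sketch below is an added example, not code from the original article; the class name, the delay values, the in-memory store and the account name are assumptions made for illustration.

```python
import time

class LoginThrottle:
    """Per-account exponential backoff after failed logins (in-memory sketch)."""

    def __init__(self, base_delay=1.0, max_delay=900.0, free_attempts=3,
                 clock=time.monotonic):
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # cap so lockouts stay bounded
        self.free_attempts = free_attempts  # failures tolerated without delay
        self.clock = clock                  # injectable so tests need no sleep
        self._state = {}                    # account -> (failures, locked_until)

    def retry_after(self, account):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record_failure(self, account):
        """Count a failed attempt and return the lockout it triggers, in seconds."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        over = failures - self.free_attempts
        if over <= 0:
            delay = 0.0
        else:
            # The delay doubles with every failure past the free attempts.
            delay = min(self.max_delay, self.base_delay * 2 ** (over - 1))
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        """A successful login clears the account's failure history."""
        self._state.pop(account, None)

def simulate(failures, **kwargs):
    """Lockout delays for consecutive failures on one constructed account."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0], **kwargs)
    return [throttle.record_failure("nurse01") for _ in range(failures)]

if __name__ == "__main__":
    print(simulate(6))  # constructed run of six consecutive failures
```

The login handler calls retry_after() before checking credentials and rejects the attempt while it returns a non-zero value.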
Application Layer
It is the development team’s responsibility to build this layer to withstand cybersecurity threats. The healthcare workers and the IT teams that Intrusions to this layer can invite Virus, Phishing, Key Loggers, Backdoors, Logic Flaws, Bugs, Trojan attacks, etc.
Ways to protect Application Layer from Cyberthreats
Install Virus Scanners
Patching and Hardening
Filter user-supplied data
Follow quality-first coding practices
Use runtime self-protection controls
Perform root-cause analysis
Make wise design choices
Gartner says, Healthcare’s IT spending is most likely to reach 128 billion USD by the end of 2021. That’s a ton of legacy modernization projects, technology adoptions, application renewals, and data. As every CIO of a healthcare establishment is being ambitious about digital maturity, it is time for them to aim big for cybersecurity in healthcare too. Nearly every healthcare department (frontline or otherwise) will have access to patient’s Personally Identifiable Information (PII) and Protected Health Information (PHI). In addition to training employees for better compliance, it is also important for the tech leadership to (re)build a cyber incident response plan.
If you are a CIO or a CTO of a healthcare firm and want to build or refine your cybersecurity program, see if you are already doing these:
- Infuse ‘Security’ and ‘Quality’ in organizational culture
- Secure your sites with HTTPS using an SSL certificate
- Regularly update your systems and software
- Healthcare IT Asset Management (ITAM) is vital
- Never overlook the data backups no matter how reliable your database provider is
- Have a cybersecurity partner / consultant
- Subtly train your patients / users with best practices of browsing
- Have phishing simulation and redraft your action plan with better ideas
- Have regular conversations with your vendors and partners about cybersecurity in healthcare
If you have everything above already in action and you want to go one step ahead, our experts who’ve helped some of the biggest corporates in the world with their digital and business transformation initiatives would love to brainstorm with you. Drop us a ‘hi’ some time. firstname.lastname@example.org