A report published by the Ponemon Institute indicated that there were 106 major data breaches in the healthcare industry in 2016. The total number of patient records exposed was more than 13.5 million. The average loss per record breached in healthcare was $402 (much more than the average cost of $150 per record in other industries). This means there was a total loss of 2.8 billion USD due to hacking in the healthcare industry in the USA alone.
Is the threat really that severe?
Imagine that a critical surgery is underway and the patient's vitals are being monitored on a computer, which is normal practice in hospitals today. At the same time, another screen shows the patient's test results, which the doctors consult during the surgery to ensure that the right amount of medication is being administered. Suddenly, all the screens go blank and a message appears: 'Your machine is locked, transfer $$$ in Bitcoin to unlock your machine.' The computers are now completely locked and do not respond to any action. The patient is on the table and the doctors have no way to see the vitals or any other information about the patient needed to continue the surgery. Get the picture? This is just one example, though a severe one, of how critical it is to secure healthcare systems against data loss and hacking.
Patients share critical details with healthcare providers. Healthcare organizations store all of this sensitive data digitally for a very large number of patients. This data pertains not only to health parameters (habits, tests, reports, diagnoses, ailments, treatment, etc.) but may also include financial information (payment details, credit card details, insurance policies, etc.) and the patient's personal information. Organizations also hold information about their staff, their medical facilities and their inventories in digital form. All of this information is very valuable: patient data and doctors' reports can be used for medical identity theft. All of this data must be protected against loss, whether accidental or intentional.
In many countries, specific laws require health organizations to secure all patient data. For example, the United States of America has enacted the Health Insurance Portability and Accountability Act (commonly known as HIPAA) to protect all patient information that is produced, saved, transferred or received in electronic format.
Nature of threats
The healthcare industry, like any other industry, faces three primary kinds of threat. However, because the data involved can bear on life-and-death situations, the threat is much more severe in healthcare.
- Insider threats: This is the most frequent and common type of data loss threat. A current or former employee, either by mistake or with malicious intent, steals or exposes personal health information to the outside world.
- Third-party hacks: This is a targeted attack by criminals who gain entry through software flaws to steal data. Such a hack is generally done to steal confidential information that may be of use to a competitor, or information that can be sold on the dark market.
- Malware/ransomware: In colloquial language, these may be grouped with computer viruses. They corrupt data that is still under the organization's control and usually lock the organization out of its own data and systems. This can force the suspension of emergency services, leading to life-threatening situations.
How does this data breach occur?
Most data loss is due to human error or an incorrect understanding of the organization's data security policies. Many times, however, data loss is the result of somebody's deliberate effort to extract data. Whatever the reason, data loss tends to occur over the same common channels: email communication, external storage devices, social media/Web 2.0, P2P/IM file transfer and unsecured partner communication. These channels must therefore be monitored and controlled.
The healthcare industry is exposed through these channels for a variety of reasons. Most doctors and service providers use webmail, which is more prone to data loss. Since their files are large (say, a series of MRI scans or a patient's medical history), they often transfer data using instant messengers (IM), FTP or other P2P software. They sometimes even store data on portable external devices which are plugged into different computers, exposing them to a host of cyber threats. Seemingly innocent social media sites may carry spyware or Trojan applications that steal data from the computer: another channel to watch closely.
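As an added illustration of what monitoring those channels means in practice, the following Python script (not from the original article; the channel names, per-channel policies, identifier patterns and sample messages are all constructed assumptions) implements a minimal content-inspection rule set of the kind a data loss prevention tool applies to outbound traffic. It looks for identifiers that typically mark protected health information, such as a Social Security number, a medical record number, a date of birth or a payment card number validated with the Luhn check, and then applies a channel-specific policy: alert on corporate email, block on removable media, IM and FTP, and allow partner transfers only when the payload is encrypted.

```python
import re
from dataclasses import dataclass

# Constructed policy per outbound channel (the channels are the ones the
# article names; the decisions are an assumed example policy, not a standard).
CHANNEL_POLICY = {
    "email": "alert",            # corporate mail: log and alert
    "webmail": "block",          # personal webmail: never allowed with PHI
    "usb": "block",              # removable storage
    "im": "block",               # instant messenger / P2P
    "ftp": "block",              # unencrypted file transfer
    "partner": "encrypt_required",  # partner link: allowed only if encrypted
}

# Constructed patterns for identifiers that commonly mark PHI. Real DLP
# products use far richer dictionaries and document fingerprints.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


@dataclass
class OutboundEvent:
    channel: str
    sender: str
    content: str
    encrypted: bool = False


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_phi(text: str) -> list:
    """Return the sorted list of PHI indicator names present in the text."""
    found = set()
    for name, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "card":
                digits = re.sub(r"[ -]", "", match.group())
                if not luhn_ok(digits):
                    continue  # digit run that is not a plausible card number
            found.add(name)
            break
    return sorted(found)


def decide(event: OutboundEvent) -> tuple:
    """Apply the channel policy to an event; returns (decision, findings)."""
    findings = find_phi(event.content)
    if not findings:
        return "allow", findings
    policy = CHANNEL_POLICY.get(event.channel, "block")  # unknown channel: block
    if policy == "encrypt_required":
        return ("allow" if event.encrypted else "block"), findings
    return policy, findings


def scan_events(events: list) -> list:
    """Run the policy over a batch of events; returns one tuple per event."""
    return [(e.channel, *decide(e)) for e in events]


# Constructed sample traffic, labelled as such; no real patient data.
SAMPLE_EVENTS = [
    OutboundEvent("email", "dr.a@hospital.example",
                  "Attached is the MRI series for MRN 00123456, DOB: 03/14/1962."),
    OutboundEvent("usb", "nurse.b",
                  "Discharge list: J. Doe, SSN 123-45-6789"),
    OutboundEvent("partner", "billing@hospital.example",
                  "Payment on file: card 4111 1111 1111 1111", encrypted=True),
    OutboundEvent("im", "dr.c@hospital.example", "Lunch at 1pm?"),
]

if __name__ == "__main__":
    for channel, decision, findings in scan_events(SAMPLE_EVENTS):
        print(f"{channel:8} -> {decision:6} {findings}")
```

The point of separating find_phi from decide is that the same detection logic can be reused by every monitoring point (mail gateway, endpoint agent, proxy) while the policy table stays the single place where the organization's rules for each channel are expressed and reviewed.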
What can be done to secure data and systems in the healthcare industry?
Healthcare organizations need to deploy complete data loss prevention solutions that not only prevent the theft of data but also prevent intrusion into, and lockout of, their devices, so that life-threatening situations are avoided. The security solution must provide:
- Device control to configure access to several types of devices, providing data protection in one integrated solution that prevents unauthorized access.
- Active network intrusion protection and a firewall to protect against viruses and ransomware.
- Active encryption of all data at rest and in transit, so that information stays safe even if the data itself is stolen.
- Enhanced security for multiple platforms such as Windows and Mac.
- Advanced web access and data access control, and smart blocking of unauthorized applications.
- Proactive scanning of installed applications to detect vulnerabilities.
Every healthcare organization, be it a hospital or a specialist test lab, must deploy a complete data loss prevention software suite, not only to meet regulatory compliance but also to protect the patient's data, which may be critical to treatment and may save a life.