Healthcare industry steps up security as cyber attacks increase

Data breaches in the United States healthcare industry cost $6.2 billion each year. Over the past two years, roughly 90 percent of hospitals have reported a security breach.¹ Cyberattacks are on the rise. Between 2009 and 2013, the percentage of healthcare organizations that reported attacks rose from 20 percent to 40 percent.²

When a hospital experiences a cyberattack, the implications can be far-reaching, from impacting the hospital’s finances and reputation to patient safety, availability of IT programs, and possible compromise of patient and employee information.³ Accessing registration and demographic data can be used to steal patients’ identity,financial data, credit cards, and social security numbers.

The worldwide WannaCry ransomware attack in May 2017, which targeted computers running the Microsoft Windows operating system, added a whole new perspective on the implications of a large-scale cyberattack. Although governments in the United Kingdom and the U.S. downplayed the effect that the ransomware attack had on patient care, the attack had a reverberating effect. Many doctors in the UK resorted to pen and paper for record-keeping, and some patients refrained from elective surgeries.

Expanding connectivity heightens risk

With expanding connectivity of information systems, laboratory work stations, and instruments to the Internet, the need to secure laboratory information is critical.

“A ransomware incident is a possibility in every hospital, clinic and outpatient facility,” Paul H. Keckley, PhD, healthcare analyst, wrote.⁴ “Preventing it is a high priority, and, if attacked, managing it quickly and efficiently is an absolute necessity to sustain patient care and protect the reputation of the organization.”

Dr. Keckley suggests that hospitals encourage staff to follow measures to protect against ransomware and other cyber threats, such as:

• Regularly updating internet browsers, computer operating systems, and applications
• Using strong passwords
• Declining to open suspicious links or attachments
• Routinely backing up important files.

Protecting laboratory data is critical

The workflow in the pathology laboratory depends on the use of LIS, which acquires, generates, analyzes, stores, and manages electronic protected health information (ePHI). “Laboratories likely also store ePHI in software that run laboratory instruments and automation lines as well as in middleware such as auto-verification software,” Ioan Cucoranu, et al, wrote. “Therefore, making sure that the data contained in laboratory software remain protected and secure at all times is critical to daily pathology practice. The same is true for interfaced devices such as chemistry analyzers that also store ePHI. Accordingly, security policies and procedures have to be in place and enforced in the laboratory.”⁵

The U.S. Office of the National Coordinator (ONC) for Health Information Technology (HIT) suggested several steps are needed to perform a security risk analysis. They include reviewing current health information security, identifying vulnerabilities, minimizing security risks, and monitoring results.⁵

In the United States, the privacy and protection of medical information and health records is governed by the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Symantec, an enterprise security vendor, believes the healthcare industry is prone to cyberattacks because it underfunds its cybersecurity investment. In comparison, the federal government spends 16 percent of its IT budget on security, and industries such as banking and finance spend 12 to 15 percent of their IT budget on security programs.⁶

More training for end users

Adding to the risk is the fact that healthcare companies encourage medical staff to use their own tablets, smartphones, and laptops at work. In one survey, 81 percent of healthcare providers indicated they allow their medical staff to use their own iPads and other mobile devices. Yet 46 percent of those companies said they had done nothing to secure the mobile devices.²

One of the reasons that cyberattacks are on the rise is the strong demand for patients’ medical records in the black market. Electronic health records (EHR) have greater value than financial data, and can bring in $50 in the black market. In comparison, a stolen Social Security number or credit card number can bring in $1.2 The wealth of data on EHRs—names of patients, birth dates, policy numbers, diagnosis codes, and billing information—can be used in myriad ways, such as buying medical equipment or medications to resell. Another scheme is to file false claims with medical insurers, using a patient number with a false provider. And, in an alarming trend, cyber criminals have discovered it is more profitable to ransom a hospital’s data than to steal it.

Many security issues can be minimized by educating hospital personnel. A 2015 study by Wombat Security Technologies and the Aberdeen Group determined that employee training on cyber security can reduce the risk of a cyberattack from 70 to 45 percent.⁶

That study emphasizes that not enough companies pay attention to the greatest security threat—the end users. Although investing in IT security technologies can help minimize the threat of data theft and ransomware, healthcare systems should train their staff to be more cognizant of cyberattacks.

REFERENCES

1. Dietsche E. Healthcare breaches cost $6.2B annually. Becker’s Hospital Review, Jan. 19, 2017. www.beckershospitalreview.com/healthcare-information-technology/healthcare-breaches-cost-6-2b-annually.html.
2. Infosec Institute. Top cyber security risks in health care. http://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-cyber-threat-landscape/top-cyber-security-risks-in-healthcare/#gref.
3. Miri A. The impact of cyber-attacks, and how healthcare organizations can protect themselves. Imprivata. Jan. 16, 2017. www.imprivata.com/blog/impact-cyber-attacks-and-how-healthcare-organizations-can-protect-themselves.
4. Minemyer P. Four Ways Hospitals Can Prevent a Ransomware Attack. FierceHealthcare. June 9, 2017. www.fiercehealthcare.com/privacy-security/4-simple-ways-hospitals-can-prevent-a-ransomware-attack.
5. Cucoranu I, Parwani A, West AJ, et al. Privacy and security of patient data in the pathology laboratory. J Pathol Inform. March 13, 2013. www.ncbi.nlm.nih.gov/pmc/articles/PMC3624703/.
6. Symantec Corporation. Operationalizing cybersecurity in healthcare organizations: 2017 IT security & risk management study. www.symantec.com/content/dam/symantec/docs/infographics/symantec-healthcare-it-security-risk-management-study-en.pdf.

Anil Parwani, MD, PhD, MBA, FASCP, is a Professor of Pathology and Biomedical Informatics at The Ohio State University Wexner Medical Center, where he also serves as the Vice Chair of Anatomic Pathology as well as Director of Pathology Informatics and Digital Pathology Shared Resources. Dr. Parwani serves as the API Program Committee Chair and one of the editors of Journal of Pathology Informatics. A member of the American Society for Clinical Pathology, he also serves on the USCAP Education Committee and on the board of Digital Pathology Association.