Cyber Security – Possible Threats and Risks in Healthcare
Digital technology has increasingly pervaded all sectors of industry and revolutionised the way information is transmitted, received and utilized in various contexts. Though this has had an immense impact on business transactions globally, it is simultaneously hampered by cyber threats and the misuse of confidential information. The healthcare industry is no exception to this drawback. Today, a rapidly growing number of cyber threats in healthcare is a serious concern for all stakeholders in this domain.
The healthcare industry was one of the most lucrative targets for hackers in 2016, and 2017 has followed suit so far. In 2015 alone, more than 100 million healthcare records were compromised globally from over 8,000 devices across 100 countries (source: IBM). Even today, a substantial number of healthcare organisations are cluttered with exposed, unused websites and unencrypted storage drives, which shows the wide gap in implementing security measures.
Causes of Cyber Threats
- Lack of qualified Information Technology Security Personnel to build robust security infrastructure
- Obsolete or easily breakable protocols and data encryption frameworks that aid hacking intrusions
- Stolen health records, which yield high financial returns because they can be used in multiple ways: identity theft, monetary gain, targeted blackmailing and insurance malpractices.
Categories of Cyber Attackers
- Hacktivist Groups
- Script kiddies, who have only limited, rudimentary knowledge
- Cyber criminals
- Cyber terrorists
- National threat groups
Major Cyber Risks
- Inadequate spending on cyber security – Most Health Care Providers (HCPs), until now, have had limited budget allocations and investments for addressing cyber security threats. This is to be considered seriously, as overall cybercrime damage costs are likely to hit $6 trillion annually by 2021. Therefore, cyber security spending is likely to increase in the future and exceed $1 trillion from 2017 to 2021.
- Huge demand for medical records in the black market thanks to digitisation of medical records - Currently there is extensive usage of Electronic Health Records (EHR) in various information systems like Healthcare Information Management System (HIMS) and Hospital Information System (HIS) for managing and retrieving patient information effectively in the course of treatment. The vital patient data in EHRs, including personal information, health insurance policy details, diagnosis codes and hospitalisation billing details, are manipulated by fraudsters in different ways, such as filing false claims and duplicating patient IDs to buy and resell medical equipment and medicines. EHRs fetch high prices in the black market and are also more valuable because they are difficult to track.
- Ransomware - This is a new data security threat that targets and victimizes several hospitals. Here, malware is used to infect the information system of the HCP and encrypt it, preventing authorized access to certain files or sectors. The hackers then demand a ransom for restoring access to the affected system. Bitcoin payment is usually demanded to make detection difficult. Also, since HCPs need speedy access to patient information for efficient functioning, they are more likely to pay out rather than jeopardize their own operations and reputation. Global ransomware damage costs are predicted to exceed $5 billion in 2017 alone!
- Usage of own devices by Healthcare Professionals - Most HCPs allow doctors, nurses, technicians and other medical personnel to use their own portable devices like tablets, smartphones, and laptops for work under a Bring Your Own Device (BYOD) policy. These devices may be easily stolen, exposing confidential patient information (including social security numbers) since the data is unencrypted. Lack of privacy policies also causes significant data breaches.
- Employee negligence and unawareness about cyber-attacks - This poses severe risks and compromises confidential information if employees do not adopt adequate security mechanisms.
Mitigating Cyber Risks in Healthcare
- Allocating sufficient budgets for handling data security
- Adopting a Universal Information Privacy and Security Framework in healthcare and following regulatory policies like HIPAA
- Ensuring regular software updates, having multi-layered defense mechanisms, and having periodic backups and prevention plans for data breaches
- Addressing the shortage of qualified Cyber Security Professionals
- Educating employees, periodically testing their security knowledge levels and training them in security best practices to help identify phishing emails and other forms of cyber-attacks.
Conclusion
Though no network is deemed completely safe from cyber intrusions, healthcare organisations must undertake substantial measures to keep information hackers out to the best extent possible and ensure the confidentiality of patient information.