A New Approach to Security and Compliance for Healthcare: Cybersecurity Threats & Concerns
Cybersecurity has always been a concern for the healthcare industry, but malicious hackers are now ramping up their attacks against hospitals, health networks, and third-party vendors such as payroll and electronic health record (EHR) providers. Some criminal groups publicly pledged to pause attacks on healthcare during the COVID-19 pandemic; that truce, such as it was, is over. So what makes the healthcare industry so appealing to attackers?
A single EHR record sells for roughly 10 times as much on the black market as the account data from a single payment card, because one record bundles identity, insurance, and clinical data that cannot be reissued the way a card number can. Organizations need to comply with current privacy regulations while safeguarding their systems against the growing likelihood of a breach.
Healthcare organizations also lack the luxury of halting operations or shutting down critical infrastructure to recover: lives are on the line. Clinicians need access to patient information around the clock, without that availability leaving systems open to attack.
Many of these organizations also lack the budget to address the problem adequately, even though a breach can bring regulatory fines of up to $1.5 million per year for each category of HIPAA violation. Learn more about the state of healthcare cybersecurity and how these threats continue to evolve.
Common Healthcare Cyber Threats:
Most cyber attacks on the healthcare industry target electronic health records, which contain sensitive patient information, and adopting an EHR system introduces security issues of its own. An outdated records system leaves the whole environment exposed to known vulnerabilities. Risk also grows when employees can send and share records with a click through cloud storage, email, messaging, and online patient portals, and when records are accessed or managed on the same workstation used for general internet browsing.
According to our internal data, the most commonly cited security weaknesses are:
- 65% external hackers
- 48% sharing data with third parties
- 35% employee breaches/threats
- 35% wireless computing
- 27% inadequate firewalls
The top information security concerns for the healthcare industry are:
- 67% malware infecting systems
- 57% HIPAA violations and/or breach of patient privacy
- 40% internal vulnerabilities, i.e., employee theft/negligence
- 32% medical device security
- 31% aging IT hardware
Security and Compliance
All healthcare organizations must comply with current patient-privacy regulations, and the U.S. Department of Health and Human Services Office for Civil Rights (OCR) audits covered entities and business associates for compliance with the law. The OCR HIPAA Audit Protocol is designed to help administrators prepare for such audits.
On vulnerability management specifically, the HIPAA Security Rule requires organizations to document a risk analysis of the threats to and vulnerabilities of their electronic health records; to verify that current security measures reduce those risks to a reasonable and appropriate level; to obtain satisfactory assurance from business associates that they will safeguard the information as HIPAA requires; to document their responses to security incidents and the outcomes; and to periodically evaluate their safeguards and document continued compliance.
Healthcare cybersecurity compliance can be divided into four categories:
- Laws and Regulations, such as HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act
- Standard Control Frameworks, including specific technical standards and security control requirements
- Audit Guidelines, such as those outlined in the HHS Office for Civil Rights HIPAA Audit Protocol
- Industry Self-Regulations & Guidelines, including the HITRUST Common Security Framework (CSF) from the Health Information Trust Alliance and the Payment Card Industry Security Standards Council’s PCI Data Security Standard (PCI DSS)
Complying with these standards is not always easy. Many health networks are worried about their ability to identify new and emerging threats. They are also concerned that they won’t be able to recover quickly from a breach.
Cybersecurity compliance in healthcare is about more than keeping EHR systems patched. It also means building a safe environment for the staff who use that software: restricting who can share records and with whom, managing records on a system separate from the one used for web browsing, and training staff on current security procedures.
Just 53% of providers and 66% of payers consider themselves ready to defend against a cyber attack, according to KPMG. And 23% do not have a security operations center to identify and evaluate risks. Notably, 65% said they did not have enough resources for managing vendor security risks; 45% said the same for handling security incidents.
New Approaches to Healthcare Cybersecurity
Many smaller organizations lack the staff or budget to invest in the latest security tooling. A cloud-based, automated vulnerability management (VM) service lets them continuously scan their systems for known vulnerabilities, so they can patch before an attacker exploits the weakness.
Healthcare organizations also need to rank assets and vulnerabilities by the likelihood of an attack and the severity of its impact, so that the most dangerous exposures are remediated first rather than simply the ones with the highest raw severity score.
Vulnerability prioritization software simplifies scanning and reporting so that healthcare organizations can demonstrate compliance with current regulations. Cybercriminals will continue to target health systems, and security professionals need to stay a step ahead. Keep this in mind when developing a cybersecurity strategy.
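The following is an added example of the risk-based prioritization described above, and of the documentable risk register that the HIPAA risk-analysis requirements in the Security and Compliance section call for. It is not the vendor's product logic or code from the report: the likelihood weights, the score thresholds and SLAs, and the sample assets and findings are all constructed assumptions chosen to show why a CVSS 9.8 on a lobby kiosk should rank below a CVSS 7.5 on the EHR database.

```python
"""Risk-based vulnerability prioritization for a healthcare estate.

Added example, not the vendor's product logic. Weights, tiers and the
sample assets/findings below are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (patient-care critical, e.g. the EHR database)
    internet_exposed: bool  # reachable from outside the clinical network


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed IDs below; a real scanner would report CVE IDs
    asset: Asset
    cvss: float              # CVSS base score, 0.0-10.0 (severity only, no context)
    exploited_in_wild: bool  # known active exploitation (e.g. a known-exploited catalogue)
    patch_available: bool


def likelihood_pct(f: Finding) -> int:
    """Crude likelihood of successful attack, 0-100 (assumed weights)."""
    pct = 20                 # baseline: the scanner reached it, so an insider could too
    if f.exploited_in_wild:
        pct += 50            # attackers are already using this bug
    if f.asset.internet_exposed:
        pct += 30            # no internal foothold needed
    return min(pct, 100)


def risk_score(f: Finding) -> float:
    """Severity x likelihood x asset criticality, scaled to 0-100."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.finding_id}: CVSS out of range: {f.cvss}")
    if not 1 <= f.asset.criticality <= 5:
        raise ValueError(f"{f.asset.name}: criticality must be 1..5")
    # (cvss/10) * (pct/100) * (criticality/5) * 100  ==  cvss * pct * criticality / 50
    return round(f.cvss * likelihood_pct(f) * f.asset.criticality / 50, 1)


def remediation_tier(score: float) -> tuple[str, int]:
    """Map a score to (tier, SLA in days). Thresholds are assumed policy values."""
    if score >= 70:
        return ("critical", 3)
    if score >= 40:
        return ("high", 14)
    if score >= 15:
        return ("medium", 30)
    return ("low", 90)


def prioritize(findings: list[Finding]) -> list[dict]:
    """Rank findings by contextual risk; the rows double as a documentable risk register."""
    rows = []
    for f in findings:
        score = risk_score(f)
        tier, sla = remediation_tier(score)
        rows.append({
            "finding": f.finding_id,
            "asset": f.asset.name,
            "cvss": f.cvss,
            "score": score,
            "tier": tier,
            "sla_days": sla,
            # No patch: the finding still needs a documented compensating control.
            "action": "patch" if f.patch_available else "mitigate (isolate/monitor) until a patch exists",
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample data (not real assets or CVEs).
EHR_DB = Asset("ehr-db-01", criticality=5, internet_exposed=False)
PORTAL = Asset("patient-portal-web", criticality=4, internet_exposed=True)
KIOSK = Asset("lobby-checkin-kiosk", criticality=2, internet_exposed=False)

SAMPLE_FINDINGS = [
    Finding("F-001", PORTAL, cvss=9.8, exploited_in_wild=True, patch_available=True),
    Finding("F-002", EHR_DB, cvss=7.5, exploited_in_wild=True, patch_available=True),
    Finding("F-003", KIOSK, cvss=9.8, exploited_in_wild=True, patch_available=False),
    Finding("F-004", EHR_DB, cvss=4.3, exploited_in_wild=False, patch_available=True),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"{r['finding']} {r['asset']:<20} cvss={r['cvss']:<4} score={r['score']:<5} "
              f"{r['tier']:<8} SLA={r['sla_days']}d  {r['action']}")
```

Sorting by CVSS alone would put the kiosk (F-003, 9.8) ahead of the EHR database (F-002, 7.5); weighting by asset criticality and exploitation reverses that, and the unpatched kiosk finding is carried as a tracked compensating control rather than silently dropped. Whatever weights an organization adopts, the point for the auditor is that the inputs, the scoring rule and the resulting SLAs are written down and repeatable.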
Download the full report to learn more about how smaller healthcare organizations can systematically assess vulnerabilities and distill the right data to make accurate, informed and timely decisions for precisely predicting and remediating threats.