Time for health care industry to give its data security a checkup
With no cure in sight, organizations must take preventive measures to ward off attacks
By Ermis Sfakiyanudis, Special to ThirdCertainty
As the health care industry continues to digitize, data protection technology has not been able to keep pace. Unfortunately for industry participants, health care has become a top target for state-sponsored and free-agent hackers.
In fact, a study released by Michigan State University in April 2017 found that health care providers reported 1,225 of the total 1,798 data breaches in the United States from 2009 to 2016. Why has the health care industry become such a target? And what can health care providers do to protect their organizations and the thousands of patients they serve?
One primary reason for the target on health care’s figurative back is the rapid implementation of Electronic Health Records (EHRs). From 2009 to 2014, adoption of EHRs rose from less than 10 percent to 97 percent. This haste to complete implementation has led to a deficiency in adequate data protection and security measures within EHRs. Additionally, with more and more providers leveraging mobile devices and turning to data driven by the Internet of Things, attackers have a plethora of new entry points to access private and sensitive data.
A quick scan of the Identity Theft Center’s 2016 Data Breach Report shows that lost workplace laptops and stolen company-issued cell phones are frequently listed as reasons for a data breach.
Given the growing use of workplace devices in the health care industry, as well as the corresponding danger of transmitting information from a central data center to end-user devices and back again, it is crucial that data is protected the moment it is created. Further, health care providers must ensure employees are aware that their devices could be compromised when connectivity to the data center is lost.
Mobile devices make it harder to protect data
For example, an attacker could access data while employees are traveling between medical centers and connectivity is lost, and then sell the retrieved information or leverage it for ransom. As such, data should be protected regardless of whether it is at rest or in transit, as well as in connected and disconnected environments.
To protect themselves from vulnerabilities that lead to data breaches, cyber attacks and ransomware, health care organizations must revisit their security strategy. This strategy should be comprehensive, flexible and capable of mitigating the impact of a breach at various levels within the enterprise via multiple layers of security solutions. The use of layered security allows for incremental defense to ultimately protect what is most vital to the business—its data. If other security countermeasures are defeated, data protection, which supersedes traditional encryption, will be vital as the last line of defense. For this reason, organizations must use data protection that travels with their data, rendering the data useless to the attacker should it be compromised.
Training, technology part of treatment
Data security is a challenge that will not fade away; it will only grow in importance. As technology continues to advance, attackers and other entities involved in data theft will have just as many tools as the health care providers endeavoring to protect valuable and private information.
Health care organizations must accept that their data will become a target and that these threats could originate from nontraditional sources, such as IoT and other new innovations. Leaders must act now to protect their business, patients and other stakeholders.