Time for health care industry to give its data security a checkup

With no cure in sight, organizations must take preventive measures to ward off attacks


As the health care industry continues to digitize, data protection technology has not been able to keep pace. Unfortunately for industry participants, health care has become a top target for state-sponsored and free-agent hackers.

In fact, a study released by Michigan State University in April 2017 found that health care providers reported 1,225 of the total 1,798 data breaches in the United States from 2009 to 2016. Why has the health care industry become such a target? And what can health care providers do to protect their organizations and the thousands of patients they serve?


One primary reason for the target on health care’s figurative back is the rapid implementation of Electronic Health Records (EHRs). From 2009 to 2014, adoption of EHRs rose from less than 10 percent to 97 percent. This haste to complete implementation has led to a deficiency in adequate data protection and security measures within EHRs. Additionally, with more and more providers leveraging mobile devices and turning to data driven by the Internet of Things, attackers have a plethora of new entry points to access private and sensitive data.

A quick scan of the Identity Theft Center’s 2016 Data Breach Report shows that lost workplace laptops and stolen company-issued cell phones are frequently listed as reasons for a data breach.

Given the growing use of workplace devices in the health care industry, as well as the corresponding danger of transmitting information from a central data center to end-user devices and back again, it is crucial that data is protected the moment it is created. Further, health care providers must ensure employees are aware that their devices could be compromised when connectivity to the data center is lost.

Mobile devices make it harder to protect data

For example, an attacker could access data while employees are traveling between medical centers when connectivity is lost and then sell the retrieved information or leverage it for ransom. As such, data should be protected regardless of whether it is at rest or in transit, as well as in connected and disconnected environments.

To protect themselves from vulnerabilities that lead to data breaches, cyber attacks and ransomware, health care organizations must revisit their security strategy. This strategy should be comprehensive, flexible and capable of mitigating the impact of a breach at various levels within the enterprise via multiple layers of security solutions. The use of layered security allows for incremental defense to ultimately protect what is most vital to the business—its data. If other security countermeasures are defeated, data protection, which supersedes traditional encryption, will be vital as the last line of defense. For this reason, organizations must use data protection that travels with their data, rendering the data useless to the attacker should it be compromised.

Training, technology part of treatment

Threats to data security will not fade away, but rather grow in importance. As technology continues to advance, attackers and other entities involved in data theft will have just as many tools as the health care providers endeavoring to protect valuable and private information.

Health care organizations must accept that their data will become a target and that these threats could originate from nontraditional sources, such as IoT and other new innovations. Leaders must act now to protect their business, patients and other stakeholders.
