The healthcare industry has always been a prominent target for cybercriminals worldwide. Attackers who gain access to high-value patient PHI/PII can use it maliciously, disrupt a patient's treatment routine, and bring down systems whose uptime is critical. This has repercussions for patients, doctors, hospitals, and everything associated with the healthcare ecosystem.
Data security is one of the most pressing challenges facing the healthcare industry today. Cybercrime’s recent surge has led many healthcare organizations to realize that they need better security. The industry now understands the need for data security, but many obstacles remain. Here are some of the most substantial of these challenges for the coming year.
The key challenges faced by the industry include data breaches, ransomware, extensive use of mobile applications without proper authentication and authorization, and a lack of healthcare data interoperability.
1. Data Breaches
The average cost of a healthcare data breach was $9.6 million in 2021, so it's clear that data breaches are one of the biggest challenges for the healthcare vertical. The emphasis should be on implementing proper processes and controls within the organization, limiting people's access to only the data they need to perform their day-to-day business operations, and implementing the latest cutting-edge technologies across our nations to prevent further data breaches. In addition, healthcare software providers and organizations must comply with HIPAA (the Health Insurance Portability and Accountability Act), which helps them protect their sensitive information. However, few of them follow it strictly, giving attackers access to the data.
Recent Data Breaches:
– November 2022: Ransomware Hacker Steals Medibank Data on 9.7m Customers
– September 2022: American Airlines Discloses Data Breach
– September 2022: U-Haul Discloses Data Breach Including Driver’s License Numbers
– July 2022: Hacker Posts Data on 5.4 Million Twitter Users For Sale
– July 2022: Marriott Confirms 20 GB Data Breach
– June 2022: Up to 2 Million Affected By Shields Health Care Group Breach
– June 2022: Flagstar Bank Notifies Customers of Breach Affecting 1.5m
– May 2022: Texas Department of Insurance Data Leak Comes to Light
– March 2022: Microsoft Breached by Lapsus$ Hacker Group
– March 2022: Lapsus$ Group Breaches Authentication Company Okta
– March 2022: Ronin Network Breached in $540 million Crypto Heist
2. Ransomware
Ransomware plagued healthcare organizations in 2020, 2021, and 2022. As many as 34% of health care organizations experienced a ransomware attack in 2020, and 65% of those attacks were successful. Of those victims, more than a third paid the ransom, a trend that will encourage future attacks.
Health care data is valuable, so much so that these organizations can’t operate without it. As a result, cybercriminals are more likely to receive a substantial payout from a successful ransomware attack. Ransomware is a reality that medical organizations must plan for, likely for as long as they use digital data.
Recent Ransomware Attack Examples:
1. Nvidia: The world's largest semiconductor chip company was compromised by a ransomware attack in February 2022.
2. Costa Rica Government: This has probably been the most talked-about attack in 2022, as it's the first time a country declared a national emergency in response to a cyber-attack.
3. Bernalillo County, New Mexico: This was one of the first big attacks in 2022. On January 5, the largest county in New Mexico discovered that it had become the victim of a paralyzing ransomware attack, taking several county departments and government offices offline.
4. Toyota: Between February and March 2022, three Toyota suppliers were hacked, showing us that no matter how secure your organization may be, a determined threat actor can and will find a way to break in.
3. Extensive Use of Mobile Applications without Predefined Authentication and Authorization
Another threat to healthcare data security in 2022 is the extensive use of mobile apps without defined authentication and authorization methods. Telehealth adoption has skyrocketed, rising 50% in the first quarter of 2022 alone, and while this makes medical care more accessible, it also introduces risks. Sensitive medical data is now accessible through mobile devices that often lack extensive security.
Many of these risks exist on the patient’s side. Users who don’t understand the importance of security steps like multi-factor authentication and avoiding public Wi-Fi may make their own medical data vulnerable. App developers and organizations that use them must anticipate this behavior and secure these apps.
4. Lack of Interoperability
The US healthcare system is huge, with healthcare entities working in silos on disparate systems that store the same data in different formats. This makes it a challenge to achieve the healthcare interoperability needed to improve member healthcare outcomes and reduce healthcare waste. This sprawl will also make it harder to understand a network's vulnerabilities, placing this data at risk.
The industry is grappling with ways to implement HITRUST, NIST, SOC2 and HIPAA-defined controls to mitigate some of these security challenges, and to implement FHIR healthcare interoperability standards to encourage healthcare data exchange across different healthcare stakeholders. In the coming blogs, we will focus on some of these areas and try to define a pathway for a healthcare organization to implement best practices that mitigate some of these challenges and risks.
About Ankit Kumar Agarwal
Ankit Kumar Agarwal is the Director of IT Delivery Services at NewWave Telecom & Technologies Inc., a full-service Information Technology (IT), Business Services, and Data Management company.