As 2018 comes to an end, and we head into an era in which artificial intelligence, the Internet of Things and powerful data analytics are expected to fuel the quantity and value of data, there is one industry that may face more daunting responsibilities than any other because of the type of data it holds: healthcare.
And yet, as 2019 looms, there are indications that cybersecurity in the healthcare industry, rather than improving, is actually getting worse. SecurityScorecard's 2018 Healthcare Cybersecurity Report ranked Healthcare 15th out of 18 industries, a drop of six spots since the previous report in 2016.
Interestingly, Patrick Nohe at The SSL Store's Hashed Out blog recently wrote that the industry's drop in those rankings might be a byproduct of the relative slap on the wrist Anthem received as the result of its huge breach in 2015, which exposed nearly 80 million patient records. Combine a lack of motivation to prevent such breaches (Anthem, which brought in $89 billion in revenue in 2017, paid a $115 million settlement for the breach) with the proliferation of connected devices, the rise in social engineering attacks and a lax approach to patches, and its no wonder healthcare has become such an attractive target for hackers.
As Nohe notes, a single medical record can get up to $100 on the Dark Web, depending on how much information it has, making a haul like the Anthem attack a robust payday. That means the threat to hospitals, physicians' groups and other healthcare organizations isn't going away. It's up to the industry to build up its cybersecurity capabilities and ensure that patient data is safe.
Meanwhile, another recent report from Kaspersky Labs found that more than one in four healthcare industry workers in the U.S. and Canada are aware that their organizations were hit by ransomware attacks in the last year, and one-third of those workers said it happened multiple times.
These kinds of findings illustrate that there are some major holes to fill when it comes to healthcare cybersecurity. But lest this all make the industry's attitude toward security seem casual, folks like Mark Garrett, senior VP, chief quality officer and associate chief medical officer for Northwell Health, New York's largest health care provider, want people to know that it's an incredibly complex problem.
During an on-camera interview at Information Security Media Group's Healthcare Security Summit in New York, Garrett argued that the wide range of organizations in healthcare make achieving a secure data environment daunting. Hospitals, clinics and physician practices come in all types and sizes, each with widely varying amounts of cybersecurity expertise.
Garrett said he and other healthcare leaders are working on a set of recommendations designed to bring more standardization across the industry. These include things like creating a healthcare cybersecurity playbook filled with practical advice from industry leaders, suggestions on how to address the shortage of skilled cybersecurity workers, and figuring out how to get cutting edge tools such as biometric technology into the hands of smaller entities that lack the necessary infrastructure.
Garrett pointed out that any efforts by larger healthcare organizations to help smaller ones improve their security are critical. He said that the weakest links — which are most likely to be the smallest operations — create problems for everyone in an environment in which electronic health records are increasingly moving around. And he stressed that the industry has to be mindful of the fact that its not just data it's protecting.
Cybersecurity "is not just a technological problem," said Garrett. "It truly affects patient care."
Although the evidence may say otherwise, it's not as if the industry is completely tone-deaf when it comes to trying to learn from its missteps. In fact, Health IT Security recently asked an array of healthcare cybersecurity experts how they'd be looking to avoid repeating some of the painful themes from 2018. The answers ranged from spending more time and resources educating employees about social engineering and phishing attacks to preparing for more attacks on the growing numbers of connected medical devices.
Despite the uphill battle the industry faces, there is good news to be gleaned from healthcare's bleak cybersecurity landscape: Cybersecurity is clearly a higher priority than at any time in the healthcare industry's history.
Health Data Management recently published a list of trends it expects to dominate healthcare IT in 2019, and security is baked into much of the list. In addition to an explicit mention of data security, the list includes digital health, AI and data visualization, electronic health records optimization, and the growing use of cloud computing, all of which bring clear security implications — and thus mandates.
As healthcare providers march into a future in which technology is enabling them to do things previously thought to be undoable, it's beholden upon them to keep the security of patients and their data top of mind. Otherwise, we'll be back here next year, pointing out the industry's failures yet again.