From the Bon Secours Health System data breach impacting nearly 700,000 individuals to the $17,000 in ransom that Hollywood Presbyterian Medical Center paid hackers, 2016 wasn’t the best year for healthcare security. So what’s in store for 2017?
The healthcare industry is always going to be a target for hackers, yet security continues to be a challenge due to the overwhelming volume of security alerts generated each day, many of which are false positives, combined with a lack of internal resources. Even with the right technology, many IT teams simply don’t have enough hours in the day to investigate each threat thoroughly. This is why on average it takes over 200 days to identify a breach.
The industry is making great strides to improve its security measures and better protect patients; yet each year, while some areas show steady improvement, new threats emerge that put hospitals at risk. The sheer volume of attacks that occurred in 2016 has elevated cybersecurity to the top of the priority list. An appropriate security solution has become an “absolute necessity” – especially given the lack of in-house resources and skilled security personnel that many organizations face.
Here are some things healthcare organizations should be on the lookout for in 2017:
- Money Money Money: Cyber criminals are profit motivated, and will always be drawn to the easy money. With lower ROI on stolen patient records thanks to a surplus on the black market, hackers will seek out more profitable channels of attack, such as ransomware, which allows them to block access to key systems or data until the victim pays a ransom. If 2016 is any indication, we will see more of these types of attacks in 2017.
- Hospitals Keep Paying: Hospitals are perfect ransomware targets. Patient care is highly dependent on information technology, and hospitals cannot risk the liability of negative outcomes resulting from critical systems being unavailable. So, there’s a high likelihood that a hospital will pay the ransom, despite the fact there’s no guarantee it will regain access to its systems. Although the industry is making progress on preventing ransomware attacks, as long as hospitals continue to pay, hackers will keep attempting it.
- The Real Stakes: The risk posed by medical device vulnerabilities is unsettling. Thankfully, there have not been any reports of patient harm due to hackers altering dosage parameters or masking medical alerts – but the threat is real and it only takes one successful attempt to endanger a life (or many). Given the risk and the abundance of malevolent actors, this is more likely to happen in 2017.
- On Cloud Nine: Healthcare organizations, like many other industries, are beginning to adopt cloud-based infrastructures. Unfortunately, storing data in the cloud is not secure by itself. Similar to traditional data centers, security systems and policies need to be put in place to protect cloud-based data and applications. Since cyber criminals focus on opportunity and profit, we can expect to hear of more data thefts involving the cloud. Nonetheless, the $3.73 billion in 2016 healthcare spending on cloud services is likely to keep increasing.
- Data Encryption Matters: Today, there are still healthcare providers that allow unencrypted patient data to be stored on laptops and mobile devices. In 2017, we expect more healthcare organizations will adopt stricter data encryption policies based on PHI disclosures, out of fear of what could happen with a stolen laptop. The Ponemon Institute found “identity management” to be the number one security strategy deemed most effective in 2016, but until all organizations adopt these policies, these types of disclosures and breaches coming from a stolen laptop are inevitable.
Healthcare organizations continue to be a prime target for hackers; if they’re not prepared, they could be very susceptible to attacks. Hospitals and healthcare organizations must remain vigilant and be aware of the threats to their environment.