Healthcare providers are a prime target for cyber criminals, as they house and maintain so much personal information. In the first quarter of 2018 alone, 110 health data breaches resulted in the exposure of 1.13 million patient records.
This data is of a critical nature—another reason that it’s so valuable and why its safety is a priority. But for cybersecurity teams in health care, the job is not only about protecting vital patient data. It’s also about keeping their systems and networks running to protect patients by preventing potentially life-threatening situations.
Though the current cybersecurity environment places a heavy burden on the industry, it also offers new opportunities, both for cybersecurity and healthcare professionals, to advance their careers through training and certifications. But first, it’s important to understand the threats the industry is facing and the skills needed to overcome those threats.
Cybersecurity Challenges in Health Care
A survey of U.S. physicians by Accenture and the American Medical Association (AMA) found that 83 percent of physician practices have experienced some form of cyberattack, such as phishing and viruses. Seventy-four percent cited interruption to their clinical practice as a primary concern.
Because attackers know health providers will pay to restore their networks as quickly as possible to avoid patient-care interruption, ransomware has become prevalent. For healthcare institutions, the number of reported major IT hacking events attributed to ransomware increased by 89 percent from 2016 to 2017.
The Internet of Medical Things (IoMT) has introduced similar challenges. Connected medical devices such as pacemakers and insulin pumps are at risk of being held for ransom, particularly because there are currently no security standards in place for these devices. And as they connect to health provider networks, they create an additional avenue of entry for cybercriminals. Both the patients who use these devices and the providers who care for them are at risk for compromise.
At the Crossroads: Cybersecurity and Health Care
For both those already working in health care and those in IT, cybersecurity plays a major role in the modern healthcare industry and presents new opportunities.
Today’s healthcare workers are well-versed in the requirements of HIPAA, the regulatory data privacy framework that all U.S. healthcare providers operate under. They also understand the patient care environment and can determine and prioritize potential risks to patient livelihood, to patient privacy and to other healthcare systems and services. Their familiarity with industry-specific regulations and the patient care environment gives them a strategic head start.
From another vantage point, IT professionals bring unique advantages to the healthcare field, especially an understanding of IoT and endpoint security. This knowledge can serve as a strategic asset when securing the patient environment. Also, when introducing new devices or faced with new threats, IT professionals with security expertise really shine. These are the individuals who can ask the security questions that medical professionals don’t know to ask. However, it’s critical that both IT professionals and existing healthcare professionals bridge their knowledge gaps to fully mitigate security risk.
Security Skills for Health Care
When it comes to implementing a strong security posture in health care, a breadth of skills is needed. Well-rounded healthcare security professionals bring a blend of industry-specific skills and cybersecurity skills.
In the healthcare industry, it’s important to understand compliance guidelines that impact security, including HIPAA. HIPAA includes data privacy rules and security provisions for safeguarding medical information—and there can be significant penalties if these aren’t followed. Since healthcare organizations often also handle government information (such as Social Security numbers and Medicare and Medicaid details), insurance information and other personal data, it’s essential that these rules are enforced and security provisions are in place.
Another more technical layer of healthcare security involves the actual equipment, underlying software, medical devices and the network that supports patient care. Securing these technologies is critically important: if a ventilator were to lose power or be hacked, it could be potentially life-threatening. Applying security patches to device software must also be strategically scheduled to avoid interruption to patient care.
Additionally, it’s important to understand risk management and IoT endpoint security. This is especially critical since mobile devices connected to Wi-Fi, such as patient devices and those of visiting physicians, are prevalent. There are also additional layers of healthcare security that aren’t as intuitively obvious. For example, payment processing security requirements are regulated by the payment card industry association. On top of all of this, there’s a mandate to prevent Medicare fraud and insurance fraud. Combined, these aspects of healthcare security require both technology and highly skilled talent.
The risk to patient safety and the risk of personal data theft have never been higher. Phishing, ransomware and vulnerable IoMT devices are just a few of the avenues cyber criminals use to breach network security and steal valuable personal information. As this threat looms, it also presents a unique opportunity for cybersecurity professionals and healthcare professionals. Through training and certifications, professionals interested in healthcare security can build the skills they need to mitigate security risk. To ensure the security of patients, their data and their health, individuals from both health care and IT need to come together to gain new knowledge, share expertise and, ultimately, create a secure environment.