COVID-19 Update: Read our messages to employees and clients

COVID-19 UPDATE
March 06, 2018
The Growing Threat of Cyberattacks in Health Care

Hackers see too many hospitals and other healthcare facilities the way a car thief sees a parking lot full of unlocked vehicles.

Easy pickings.

How pervasive is the cybersecurity problem in health care? A Ponemon Institute study found that in the previous two years, 89% of healthcare organizations had dealt with data breaches, and 79% had had two or more. Most, the study found, were the result of criminal attacks.

For a variety of reasons, healthcare facilities are a comparatively easy target, and a very attractive one. As John Halamka, the chief information officer of Boston’s Beth Israel Deaconess Medical Center in Boston, puts it, “If you’re a hacker, you’re going to go where the money is and the safe is the easiest to open.”

But they don’t have to be that easy. There are steps organizations can and should take to effectively lock the doors and take the keys.

Three strikes

Health care is a popular target for three reasons, says the Harvard Business Review:

  • Healthcare data is sure money. Medical information can be used to steal identities or create fake ones. And a complete medical record — one that includes a Social Security number, a driver’s license, credit card details, health plan information and prescriptions — can fetch as much as $1,000 on darknet sites, say experts. If nothing else, data can, and often is, used for extortion — a way to force organizations to pay ransom to regain access to their compromised and encrypted data.
  • Health care has lagged behind other industries in taking steps to secure data. Many medical staff members still don’t understand the risks, and healthcare organizations tend to devote fewer resources to cybersecurity than do other industries. A 2017 survey by the Healthcare Information and Management Systems Society found that nearly three-quarters (72%) of healthcare organizations dedicated only 6% or less of their budgets to cybersecurity, and shockingly, well over a third (40%) dedicated 2% or less.
  • Other industries, most of which devote much greater resources, have gotten better about detecting and blocking cyberattacks, forcing criminals to look for new sources of data.

Missed opportunities

One result of the scant attention paid is that healthcare organizations simply haven’t kept up with security demands. Last year’s devastating WannaCry 2.0 attack could have been largely thwarted by a security patch released by Microsoft several months earlier. But many providers were still using devices that hadn’t been updated.

At Banner Health, which operates 29 hospitals in Arizona, hackers managed to access millions of healthcare-related records by getting in through the hospitals’ food and beverage outlets. Those, of course, should have been controlled by a completely separate network.

And there are plenty of low-tech issues, too. Ransomware typically finds its way to victims in three ways, according to the Center for Internet Security: phishing emails that contain malicious attachments; malicious links opened by unwitting users; and viewing of advertisements that contain malware.

More “Things” to worry about

The increasing number of devices and objects connected to the Internet — the so-called Internet of Things — compounds the challenge for healthcare providers, since each is another potential access point for hackers.

“On average a hospital bed has about 10 to 15 medical devices connected to it at one time,” says Maryanne Woo, a partner at the Reed Smith law firm. “They all need to be able to talk to each other. They all need to be able to share data, share information.”

But that interoperability may be achieved at the expense of security. “If someone from the outside can hack into the MRI machine, hack into the X-ray machine, or can hack into your blood gas analyzer — because none of them are set up to detect malware — then they can go anywhere into the hospital,” says Ms. Woo.

That challenge, she says, has gotten the attention of the FDA, which is increasingly focused on potential hackability in its approval process for medical devices.

Better safeguards

Most users know and understand basic precautions, like keeping operating systems up-to-date, using strong passwords, employing anti-virus and anti-spam applications, and regularly backing up data. Still, it’s a good idea to require training for personnel to helps ensure they won’t fall prey to phishing schemes, or open malicious attachments.

But instead of fighting the same battles in the same ways to try to stay ahead of hackers, organizations should consider fortifying themselves with newer, more sophisticated approaches, such as behavior analysis, tokenization and, perhaps down the road, biometric-based security.

Behavior analysis strengthens security by establishing user patterns and flagging behavior that deviates from the usual, such as logging in from a new location or accessing parts of a system the user doesn’t normally go to. Flagged users may be required to provide further authentication or even get booted from the system until a system administrator can investigate and allow access.

With tokenization, data is stored in the databases of third-party providers, instead of in the systems of healthcare providers. Its big advantage is that it isn’t reversible. As opposed to encrypted data, which can be cracked if a hacker gets his hands on the encryption key or somehow determines the algorithm used to create it, “tokens” are randomly generated and irreversible, so they’re worthless to hackers.

Biometric-based security, which relies on identifying users via unique personal characteristics such as voice patterns, fingerprints, or patterns of the iris or retina, is currently being tested and may turn out to be the ultimate safeguard for medical data.

Care Navigators
As healthcare business models evolve, so should care teams.

Patients who are paired with Care Navigators report feeling less anxiety, and an increased ability to self-manage their conditions between visits. And providers report increased job satisfaction from improved efficiency, and knowing their patients have access to care teams, and strategic support.

LEARN MORE AT CARETHROUGH.COM
Chronic Care Management
With an increased aging population managing two or more chronic illnesses, extending your care teams’ ability to communicate with patients is critical. We take a strategic approach to helping patients chart a path towards their health goals, while self-managing their chronic conditions between clinical visits.

LEARN MORE AT CARETHROUGH.COM
AI Chatbots
We deliver a robust AI Chatbot solution to help manage and sustain effective communication with patients. Care teams implement the conversational text messages and customize patient communication to deliver high quality care.

LEARN MORE AT CARETHROUGH.COM
Nurse Care Team Assistants
Adding a qualified Nurse CTA to the care team increases quality of work-life and reduces stress on nurses. The nursing profession is also experiencing an alarming shortage due to increased clerical burdens and burnout.

LEARN MORE AT CARETHROUGH.COM
Revenue Cycle Management
Transition Revenue Cycle Management into the modern age with a suite of software tools that will transform your billing and coding processes. Transact at lightning speed, with increased transparency and decreased siloes. The QueueLogix software application seamlessly integrates with existing EMRs to ensure the clinical activities and back-office operations are well aligned, monitored and successful.

LEARN MORE AT QUEUELOGIX.COM
Referral Management
Referrals scheduled by navigators in the clinical setting builds long term, patient care integrity across the care continuum. With the authority, along with the provider to search for specialists in network, navigators assess their schedules, and ensure appointment compliance.

LEARN MORE AT QUEUELOGIX.COM
Scribe Services
There’s a reason why we’re the nation’s most frequently used scribe company: we offer professionally trained medical scribes to meet the specific needs of our clients. We offer a variety of scribe programs, as well as technology and personnel solutions that address revenue cycle management, the transition to value-based care, and more through our HealthChannels family of companies.

LEARN MORE AT SCRIBEAMERICA.COM