Technology has a multitude of beneficial applications for health care, but increased adoption of new technologies introduces new security challenges across the industry. Protected Health Information (PHI), consisting of personal details, medical histories and other health-related data, is highly attractive to hackers, but many healthcare organizations lack the robust security protocols required to guard against cyberattacks and need help implementing better access controls.
Healthcare Cybersecurity by the Numbers
In 2016, healthcare organizations were using less than 6% of their budgets for cybersecurity. This lack of investment is likely a major contributor to the massive number of attacks the industry has experienced in recent years. Healthcare organizations were the victims of 88% of all ransomware attacks across industries in the U.S. in 2016, and 89% of organizations have experienced some kind of data breach in the last two years.
By 2020, the total cost of security breaches in healthcare is expected to reach $6 trillion, up from $3 trillion in 2017. Some of this cost goes toward paying hackers to regain access to data after ransomware attacks. Twenty-three percent of healthcare organizations report paying ransoms to avoid the potentially deadly consequences of losing access to patient information and care protocols.
Major Healthcare Security Challenges for 2019
Why are hackers so interested in healthcare? A single PHI record can fetch up to $20,000 in profit on the black market, around 10 times the value of a stolen credit card number. Such a payoff is a big incentive, especially when healthcare networks provide a number of loopholes for hackers to exploit.
Ransomware is of particular concern. In 2017, 34% of attacks on the 10 industries most affected by ransomware were directed at healthcare, and the number of attacks may quadruple by 2020. Encrypting and locking up a system in a provider’s office or hospital restricts access to patient records, including prescription information, test results and surgical data. Hackers know how important this information is for healthcare providers, which makes the industry a prime target for ransomware.
Migration to cloud-based applications introduces additional vulnerabilities. Of all healthcare firms relying on the cloud, 25% aren’t encrypting information as it travels back and forth, leaving private data vulnerable to attack. Almost 40% have no dedicated staff to manage their cloud-based software, but 81% are allowing employees to bring their own devices to work, many of which simply provide more unsecured endpoints hackers can use to gain network access.
Controlling Access with Better Identity Management
Limiting unauthorized access requires a greater degree of clarity and unification than is currently possible in many healthcare environments. Employees use numerous applications to access patient data and manage care, but no centralized tool or strategy exists to manage identities or login credentials. Access management is made more difficult by complex use cases and permission requirements. Not all providers with a particular role need access to the same information, and access needs may change during the course of patient treatment.
Increasing privileges, however, is not the answer. Sixty-one percent of healthcare organizations cite privileged accounts as their biggest internal threat, so adding more permissions to streamline access is likely to lead to even greater security problems. According to the 2017 IBM X-Force Threat Intelligence Index, insiders account for 71% of cybersecurity threats in healthcare. Susceptibility to phishing scams may explain why 46% of the threats were inadvertent, but 25% resulted from malicious activity by those authorized to access networks.
Automated provisioning may provide a solution. By using predetermined protocols to define access rules and leveraging artificial intelligence (AI) to assess user behaviors, healthcare organizations can provide access to necessary information without compromising other sensitive data or adding unnecessary complexity to workflows.
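As an added illustration (not code from the original article), here is a minimal Python policy check for the rule-based provisioning described above: a role sets a ceiling on which PHI categories a user can ever see, but opening a specific patient's record also requires an active, time-bounded care episode, so access expires with the treatment rather than accumulating as extra privileges. All roles, users, patients and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example data (hypothetical roles and data categories, not from
# any real system): a role caps which PHI categories a user can ever see.
ROLE_CATEGORIES = {
    "physician": {"demographics", "prescriptions", "lab_results", "surgical"},
    "nurse": {"demographics", "prescriptions", "lab_results"},
    "billing": {"demographics"},
}

@dataclass(frozen=True)
class CareEpisode:
    """A time-bounded treatment relationship; access ends with the episode."""
    user: str
    patient: str
    start: datetime
    end: datetime

def authorize(user, role, patient, category, episodes, now):
    """Return (allowed, reason). Both rules must pass: the role ceiling and
    an active care relationship with this specific patient at this time."""
    if category not in ROLE_CATEGORIES.get(role, set()):
        return False, f"role '{role}' never sees '{category}'"
    active = any(e.user == user and e.patient == patient and e.start <= now < e.end
                 for e in episodes)
    if not active:
        return False, f"{user} has no active care episode with {patient}"
    return True, "role permits category and care episode is active"

def patients_visible(user, role, category, episodes, all_patients, now):
    """Which patients' records of one category the user can open right now."""
    return {p for p in all_patients
            if authorize(user, role, p, category, episodes, now)[0]}

# Constructed scenario: nurse n1 is assigned to patient P1 for a 12-hour shift.
T0 = datetime(2019, 1, 15, 7, 0)
EPISODES = [CareEpisode("n1", "P1", T0, T0 + timedelta(hours=12))]
PATIENTS = {"P1", "P2", "P3"}
T_ACTIVE = T0 + timedelta(hours=2)   # during the shift
T_AFTER = T0 + timedelta(hours=13)   # after the episode has ended

if __name__ == "__main__":
    print(authorize("n1", "nurse", "P1", "lab_results", EPISODES, T_ACTIVE))
    # Once the episode ends the same request is refused with no manual deprovisioning.
    print(authorize("n1", "nurse", "P1", "lab_results", EPISODES, T_AFTER))
    # The role ceiling still applies inside an active episode.
    print(authorize("n1", "nurse", "P1", "surgical", EPISODES, T_ACTIVE))
    # Episode scoping exposes one patient, not every record the role could see.
    print(patients_visible("n1", "nurse", "lab_results", EPISODES, PATIENTS, T_ACTIVE))
```

Widening a role (the "increasing privileges" approach the text warns against) would enlarge the set returned by patients_visible for every user in that role, whereas adding an episode grants one user one patient for a bounded time.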
Applying Improved Access Principles to Healthcare
Because many healthcare procedures require fast decisions and responses, streamlining identity and access management (IAM) is essential. Employees can’t afford to spend too much time logging into applications, especially in situations where multiple platforms are required. Healthcare organizations need to map out their most common use cases, determine who needs access to the network and create protocols designed to allow appropriate levels of access at the right times.
Protocols must include initial and ongoing employee training as well as monitoring to minimize the risk of insider threats. Employees should be able to recognize phishing emails and be aware of proper password storage procedures. In environments where employee-owned devices are allowed, it’s up to organizations to require and implement security measures to protect data from compromise due to unauthorized access.
Although improved access management is essential in healthcare cybersecurity, 39% of organizations say they lack qualified employees to create and manage security strategies. Twenty-seven percent simply can’t find qualified personnel to help. Bringing in experienced third-party cybersecurity experts may be necessary for the industry to get the full benefit of IAM protocols for ensuring appropriate access levels and protecting PHI.