Securing digital health records and medical devices
With the advent of electronic health records, hospitals and other medical facilities are inundated with data. This includes private health information covered by HIPAA and financial information from patients. Many medical devices are also connected to the Internet of Things, allowing some incredible health advancements but making cybersecurity a major consideration. These digital developments have made life easier for patients and caregivers in many ways, but they do place a burden on providers to protect the most sensitive information their patients could have. The number of people affected by cyberattacks in healthcare rose from 14 million in 2018 to 45 million in 2021, and the average breach costs health systems more than $2 million.
“Whether the attack vector is ransomware, credential harvesting or stealing devices, the healthcare industry is a prime target for attackers to monetize (protected health information) and sell on the Dark Web or hold an entity ransom unable to deliver patient care,” John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at Christus Health, said in a statement.
Electronic Health Records
The HITECH Act of 2009 encouraged a nationwide network of EHRs, and the use of digital records has soared in the last decade. They’ve made the delivery of healthcare better and more efficient. The act also placed more requirements on entities covered by HIPAA and their associates, increasing the fines for violations. It also broadened the definition of a breach and requires facilities covered by HIPAA to notify patients of breaches within 60 days of discovery.
These factors all make data security a huge priority for medical facilities and the businesses that partner with them. Patient privacy and confidentiality are paramount, and data exposures often occur unintentionally. Securing patient data requires an enormous amount of care, much more than in other industries. Penetration and vulnerability testing services offered by companies like CDW can identify areas of risk. Networks handling PHI should be encrypted, employees should access it only over a VPN, and logging in should require two-factor authentication. Servers that hold PHI should be housed in secure locations with access closely guarded.
“Physical, administrative, and technical safeguards can all be implemented to complement the security of health records databases,” write the authors of Health Records Database and Inherent Security Concerns: A Review of the Literature. “While physical safeguards such as physical access to servers and security cameras can prevent theft, technical safeguards such as firewalls and encryption can help prevent electronic breaches even when unauthorized personnel breach the physical safeguards.”
There are tens of millions of IoT-connected medical devices that are implanted in patients or worn by them regularly. By 2025, more than 70 million Americans will use remote patient monitoring to transmit real-time medical information. Some of these devices are more secure than others. According to Gartner research, 75% of infusion pumps, which account for nearly half of the deployed medical IoT devices, have unpatched vulnerabilities. The consequences of a breach can be far more dire than exposed medical or financial information.
“Unseen vulnerable devices, access based on implicit trust, limited threat protection, and operational complexity make it hard to defend healthcare networks,” writes IoT security firm Palo Alto Networks.
They offer a six-step approach to securing and managing medical IoT devices: identify assets, assess risks, apply risk reduction policies, prevent known threats, detect and respond to unknown threats, and manage IoT-connected medical devices.
As more than half of medium- to high-severity cyberattacks target medical IoT devices, all measures need to be taken to protect them.
With so many risk factors, cybersecurity insurance is practically a must-have for hospitals and medical facilities. Premiums can be high, and underwriters are hesitant to issue policies without undertaking a thorough vetting of security protocols in place. This is where digital identity platforms come in.
“With insurance requirements becoming more costly and stringent, and cyberattacks more threatening, digital identity is the key to future-proofing healthcare digitalization,” Imprivata CEO Gus Malezis wrote on Hacker News. “It ticks the box for several cyber insurance and federal compliance requirements, in addition to following zero trust principles. Between strained budgets and escalating cyber risks, digital identity can reduce risk while improving compliance, streamlining user access, and bolstering security.”
Digital identity platforms can consolidate several different assets and make sure they’re operating as one. They manage and secure all logins, including those from third parties, at every access point, with monitoring of all identities. As digitalization takes off across the medical industry, digital identity frameworks can stave off the cyberattacks that are sure to come.
When it comes to patient care, securing their most personal information is a close second to providing excellent treatment.