Why is the healthcare industry lagging behind in cybersecurity?
Although it might seem as of late that government agencies have become the prime target for hackers, both domestic and foreign, we must not lose sight of the healthcare industry. Health care data breaches are growing exponentially, according to a report released by the Government Accountability Office. While Anthem and Banner Health are two of the most notable breaches, a steady stream of healthcare breaches have since followed. Healthcare organizations of every size, patients and providers are all at risk. How severe is the situation? According to Scott Friesen and David Meier from Newport Credentialing Solutions, with whom I had the privilege to speak, “the threat is serious as the healthcare industry is significantly behind other industry’s when it comes to the field of cybersecurity, and only recently began playing catch up. As a result, healthcare organizations, patients and providers are all left vulnerable against today’s sophisticated attackers.”
Newport is a premier provider of cloud-based software and IT enabled services dedicated to the credentialing life cycle. The company provides cloud-based workflow, analytics software and IT enabled credentialing services to some of the largest academic medical centers, health systems, and multi-specialty group practices in the United States. NetLib has been working with Newport for many years to provide comprehensive security across their systems. Using NetLib’s database encryption technology, Encryptionizer, all information stored on Newport’s cloud-based CARE platform is encrypted so that only authorized parties can access it.
The third party factor
Health IT Outcomes reports that almost 90 percent of ransomware attacks during the second quarter of 2016 were aimed at healthcare. Moreover, a recent Ponemon Institute study revealed that in 2015, 91 percent of healthcare entities and 59 percent of affiliated businesses were hit with data breaches.
These findings confirm that business associates/third party vendors are not exempt from attack. Affiliated businesses must take equal care and responsibility for health data protection, and maintain comprehensive agreements with covered providers. Encryption plays a key role in ensuring patient and provider data, at rest and during transit, remains secure even when shared via a third party.
According to Friesen, “If you were to do an assessment of the small to mid-tier hospitals out there, many of them are so focused on meeting patient and financial centered benchmarks, that they have not spent the time, effort, and resources to protect their patient’s health information. Not only are these hospitals not encrypting their in-house servers, they aren’t encrypting their staff’s laptops as well.”
The value of PHI
Why is protected health information (PHI) such a prime target these days? As mentioned previously, healthcare as an industry has lagged behind in data security. Therefore PHI is easier to get to in comparison to data in other industries such as the banking or credit card industries. Although electronic health records (EHR) are increasingly becoming the norm, encryption isn’t always considered a priority which makes PHI an easy target. From a hacker’s perspective, PHI promises a big reward for the least effort. PHI, which includes patient health information, is deemed very valuable on the black market.
Luckily, we are seeing a change as the healthcare industry begins to take data security more seriously. As we’ve discussed recently, this involves an increase in healthcare organizations implementing more preventative measures.
For companies looking to secure their customers’ data, Meier recommends “educating employees so they are aware of PHI’s appeal to hackers, training (employees) so they know what to look for and to report things that are suspicious to IT staff. Education is key, given that 9 times out of 10 hackers are gaining access to a system through unsuspecting employees.” And while new laws and compliance standards, courtesy of HIPAA, certainly help drive these initiatives, Meier observes the real impetus is executives wanting to avoid becoming the next case study in a large scale breach. After all, who wants that hit to their reputation?
Neil Weicher, Founder and CTO of NetLib Security Inc., one of the providers to Newport’s security infrastructure said, “the healthcare industry is now having to cope with what the financial industry has had to deal with for over a decade; the healthcare industry is just now coming up to speed. Of course we all want the healthcare industry to focus on their primary mission, delivering exceptional patient care, which is why NetLib has spent the past 20 years developing data security solutions that are easy-to-deploy and maintain and cost effective.”
Newport has noticed an increased focus in security among its client base, which includes hospitals and large health systems. Meier has a salient anecdote, “Four or five years ago, the questionnaires that they would send out for security were maybe a handful of questions on ‘Do you have passwords?’, ‘Is your data encrypted in transit?’ Today these security questionnaires are several pages in length and very in-depth. So, organizations are taking it more seriously, as they should.”