For healthcare organisations, the risks and responsibilities associated with cyber security are greater than ever, as patient health data is some of the most valuable on the black market. For CIOs, losing this information to thieves, carelessness or natural disasters is unthinkable in healthcare — and in many cases punishable by a fine.
The following is a look at five of the most important responsibilities for CIOs when it comes to keeping modern healthcare organisations, and their customers, secure.
1. Have a Plan in Place
The June 2017 cyberattack known as NotPetya was one of the largest attacks of its kind ever conducted. It brought digital systems to a standstill throughout the world, including those used by healthcare organisations and medical transcription services.
Some of these organisations, like Sutter Health, found themselves at a caregiving standstill after their transcription company, Nuance, fell victim to NotPetya.
NotPetya crippled entire companies, ports and government agencies. But Sutter Health learned two things from the experience. The first is that having a plan paid off — they were able to migrate their systems and data off the affected services in very short order. They were still left with a transcription backlog, but they survived — and so did their data.
Having a plan in place to answer and recover from healthcare security issues, including attacks, looks different to different organisations. Many of the fundamentals are the same, however. We’ll mention other points as we go, including having encrypted, up-to-date backups available in case of data loss or theft.
2. See Artificial Intelligence as a Credible Ally
The second thing Sutter Health learned was that good technology is the only thing that can fight malign technology. For Sutter Health, that meant using artificial intelligence.
AI provided a warning just in time to conduct damage control during the NotPetya incident. The company faced some 87 billion cyberattacks in 2018, far more than any human team could detect and prioritise. AI is a real ally here, both for a company that serves three million patients and for the many smaller healthcare organisations throughout the world.
After artificial intelligence has identified a potential issue, it flags engineers and coders so they can implement patches, update blocklists and perform other preventive or ameliorative actions. There’s still a huge human element involved, but AI automates the most difficult parts of the defensive process.
3. Know the Risks of Ransomware and Defend Against It
For healthcare environments, ransomware poses one of the scariest types of threats in the entire cyber security arena. Physicians-in-training get a taste of the potential reality during routine training exercises at Maricopa Medical Center.
As trainees attempt to use diagnostic equipment, like CT scanners, in resuscitating “patient” dummies, they’re greeted with ransomware lockout messages onscreen demanding Bitcoin payments before the equipment can be used again. They must rely on their intuition to treat the patient instead of the correct equipment. In the exercise the price is paid by a dummy; for a real patient it could be serious brain damage.
The Internet of Things (IoT) unlocks huge potential for organisations, including healthcare entities. But this dependence on internet-connected infrastructure also poses a risk. Avoiding ransomware attacks in healthcare requires a multifaceted approach, including:
- Sending test emails regularly to see if employees are likely to respond to typical phishing attempts that arrive by email.
- Backing up and securing all data regularly so that you can restore access even if a third party attempts to lock you out and extort payment.
The Department of Health and Human Services recommends that healthcare organisations refuse to pay the ransom, as this only encourages similar attacks in the future.
4. Use Compliant and Secure Communication Methods
The Health Insurance Portability and Accountability Act (HIPAA) was an important step forward for healthcare security, for organisations as well as patients. It laid the groundwork for secure, mobile and persistent digital patient records. These records improve coordination between physicians and facilities and “follow” patients no matter their provider or employer.
HIPAA and its five “Titles” help ensure this functionality doesn’t come at the expense of patient security and safety. Title II describes the security measures that healthcare organisations must implement prior to transmitting healthcare data or messages electronically. Healthcare technology providers typically find that Title II is the most frequently violated of the five Titles.
It can be difficult to adapt some legacy equipment, including fax machines, to fit HIPAA’s requirements for handling secure communications and the transmission of PHI (protected health information). It’s more likely that healthcare organisations will have to invest in an e-fax system if they can’t pivot entirely to digital communications.
5. Don’t Forget About Insider Data Breaches
Recent research from Verizon found that the healthcare industry ranked last when it came to stopping insider data breaches. Unfortunately, this is one source of cyber security risk that a lot of CIOs and companies don’t prioritise. There are several types of insider data breaches to know about and plan for:
- Malicious insiders
- Accidental insiders
- Third parties
A malicious insider is someone like an employee who uses their legitimate credentials and access to privileged information to steal it.
An accidental insider could be someone like the Heathrow Airport employee who caused a data breach by leaving behind a USB stick with sensitive information on it. It could also be an employee who hasn’t received coaching about avoiding phishing campaigns in emails.
Third parties are individuals like contractors or others who exploit their access to premises or infrastructure for personal gain.
The most important preventive measures are to focus on training and culture and to implement strong access control protocols. All sensitive information should be identified as such and siloed accordingly, with access granted only to trusted individuals with a need to access it. High-tech solutions include data loss prevention (DLP) software, which automatically monitors networks for unusual and unauthorised activity, including data exfiltration.
As for training and culture, amazingly, nearly one-third of healthcare workers have received no cybersecurity training whatsoever.
New Responsibilities for Healthcare CIOs
Given the responsibilities and the risks, healthcare security has nearly become a full-time job for CIOs. With the right mixture of planning and prevention, and building a culture with security as a top priority, healthcare organisations can prevent themselves from becoming a statistic.