Category: Healthcare

How Canada’s Healthcare Overhaul Led to a 15% Increase in Security Breaches

In 2019, Canada’s healthcare system underwent an overhaul. Taking place in Canada’s most populated province Ontario, the changes have been described as the most significant health system update in 50 years.
Ontario was attempting to merge its health agencies to create local coordination organizations and maximize efficiencies. Combining the systems brought complications however and resulted in a 15% increase in the number of cybersecurity breaches. Hacker’s targeted three Ontario hospitals in October and paralyzed its operations using the Ryuk ransomware – now the most profitable ransomware family in the last six years. Ryuk is a common culprit known for shutting down local governments, school systems, and most recently, oil and gas facilities.
Ryuk Ransomware
Ransomware is commonly used in healthcare due to the sensitive and valuable nature of the information organizations hold. Hackers will often first use ransomware to gather information about a hospital’s finances, to figure out how large of a ransom to ask for. Then, hackers will use the ransomware to lock up a hospital’s information, effectively holding it hostage until a payment is given.
In October, the Canadian Centre for Cyber Security issued a nationwide alert for Ryuk ransomware. One security company stated that almost 50% of all breaches by the ransomware was targeted towards healthcare. One of its hospital clients reported over 3,200 exploit attempts in October alone.
Across healthcare, Ryuk isn’t limited to only Canadian hospitals. Last October, three Alabama hospitals had access to its patient lists blocked. Several hospitals in Australia also had a similar ransomware attack that crippled its systems.
Prevention is the best defense against ransomware
If ransomware has infected your organization’s systems, there’s a good chance that it won’t be easily removed. System administrators have attempted to reimage computers to reset them to their previous configurations before the attack, only to have the ransomware come right back shortly after the systems returned.
Rather than waiting until its too late and being forced to make the choice of paying a hefty ransom or not, a better approach is to start by taking preventative measures to protect your systems.
Typical points of entry for healthcare attacks
Here are a few common points of entry that hackers often try to exploit:

Endpoints via outdated or unpatched applications
Medical Internet of Things (IoT) devices
Unknowing users who click on malicious links on a webpage or in an email

Ways to help prevent ransomware attacks
To secure and manage your sensitive healthcare devices, data and applications, start by staying in control with a resilient connection to all your endpoints.

Block TCP port 3389 on the firewall if possible.
Employ content filtering and scanning on mail servers.
Scan incoming and outgoing emails for threats.
Educate employees on how to recognize suspicious links and attachments, even if it seems to be coming from someone they know.
Minimize the number of users with admin privileges who can install software.
Ensure systems and software are updated regularly with up-to-date patches.
Have daily backups of all critical systems with offline and offsite copies.
Disable Remote Desktop Services if not required.
Disable macros for documents received via email.
Respond to incidents quickly with automatic location and deletion of data when needed

Conclusion
In 2020, to stay ahead of hackers and ransomware attacks like Ryuk and others, endpoint resilience is increasingly important. Because you can’t secure what you can’t see, uncompromised visibility into every device, whether it’s on or off the network is the first step. And because security tools inevitably degrade and fail over time, as research has proven, you also need a persistent, self-healing connection that will alert you to potential problems.
To find out how Apria Healthcare uses Absolute to gain visibility into device location and activity, secure patient data and improve access to patient care in the field, check out the case study or read up on Absolute healthcare solutions.

HIPAA Compliance Checklist for 2020

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Health and Human Services Office for Civil Rights (OCR) enforces HIPAA; the fines they have issued have grown exponentially in recent years.
In 2018, Anthem, one of the nation’s largest health benefits companies, paid what is still the largest HIPAA fine in history of $16 million in for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million paid by Memorial Healthcare Systems in 2017 for the inappropriate access of PHI of 115,143 individuals. Earlier this year, we learned hackers compromised two employees’ email accounts at a Michigan healthcare group which exposed patient data and went undetected for six months.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected, and the HIPAA Security Rule which establishes how that data is protected.
The Privacy Rule defines identifiable health information as demographic data that relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The below 7 areas have been excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments / audits and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized accessing of ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically logout a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized accessing of ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting of minor or meaningful breaches/incidents.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties. 

New Year, New Cybersecurity Goals

This article originally appeared on the VMWare blog.
While the cybersecurity landscape may look daunting as the new year progresses, organizations should focus on building the proper strategies for protecting our valuable data and mitigating the endpoint security risks that 2020 promises to bring. This means taking a critical look at the past 12 months, and identifying the changes a security team can make now, that will be most impactful in the 12 months to follow.
Let’s explore some important enterprise security goals for an organization to consider, as 2020 advances.
Measuring Success within the New Year
One of the big buzz words of 2019 was “Zero Trust” – with the thought that the end user should have as little access to the device they are working on as necessary. We as an industry need to start measuring and scoring the trustworthiness of the products that we install in our environments. Exactly how do these products perform in the real world and not just in a lab? How do we know from day one that we can trust a product to perform in production? It is easy enough to allow security technology to win through traditional commerce, but truly successful products will win because customers decide to invest in renewals, and the poorly performing products will die. I expect that in 2020, we will start looking at the trustworthiness of applications and de-emphasize the focus on being impressed by marketing costs.
Calling a Time-out on Security Spending
When discussing the importance of a time-out on security spending, the following questions are important to consider: “Am I utilizing my security dollars efficiently,” and “How do I ensure that my organization is resilient based on the acquisition of new security?”
Companies have stuck to the same old playbook for years now, and it has one directive: buy more products. This isn’t going to result in the protection that enterprises require to combat hackers. As the new year approaches, businesses need to ensure that what they are already spending money on and deploying in the enterprise is actually working and protecting the environment. Today, organizations can expect to be compromised, but their ability to bounce back from such an attack will matter most to the company, its customers and partners.
This resiliency will also affect how the role of the CIO and CISO will develop within the next few years. CIOs are going to have to prove exactly how existing products are living up to their full potential. If they can’t show how current products will prevent and repair damage due to a cyberattack, then future investments will become even more scrutinized. As a result, we’re going to witness the introduction of protection level agreements guaranteeing that the strategies implemented will protect against certain severity levels of a cyber attack. With this in mind, it will become essential that CIOs and CISOs put a hold on any security spending, and take the time to reevaluate their security landscape to ensure the products they currently use are actually worth the investment.
Overcoming Vulnerabilities within the Education Industry
The most significant challenge for the education industry will rely on the identification and attraction of security professionals into the K-12 field. Budget constraints and advancement opportunities within the education sector for security specialists are generally not a great combination for attracting talented security professionals. Budget constraints may lead to the industry purchasing products that are tailored specifically to education use cases, but fail to follow secure development processes. This causes additional problems for the IT professional in the education system.
With this in mind, the education industry will also need to invest in personal development as 2020 continues. The industry as a whole is grossly under investing in its employees, and its IT department is no exception. Training courses must become a priority, not only to ensure all employees are keeping cybersecurity top of mind, but to help promote IT careers in the education sector. Without this focus, key IT players will soon discover better opportunities within another industry.
Striking a Balance Between Patient Care and Cybersecurity
In 2020, it’s going to be important for the healthcare industry to focus on building significant trust among healthcare professionals and IT security/privacy best practices. The balance of a patient’s life, accessing data quickly but accurately, and privacy concerns can be very conflicting, which puts cybersecurity on the backburner. In the new year, healthcare IT will need to provide greater and more robust security and privacy practices within their environments and better identify who requires certain privileges and access to patient data and systems.
It will also be important for the healthcare industry to better understand their environment and validate that their existing purchases are performing as expected – allowing better budget spend moving forward. Once this foundation is established, there is an opportunity for the industry to build on it, using tools that have already proved their worth and ensure a more seamless experience for the patient.
For more on the state of endpoint security, download the Endpoint Security Trends Report. 

Apria Healthcare Sees and Secures 8,000 Devices with Absolute

Healthcare technology — which includes everything from medical staff tablets to patient monitoring devices and even prosthetics — is increasingly reliant on an interconnected network. This interconnectedness enables improved patient care, but it also opens the door for added risk. As cyber crime skyrockets across the healthcare industry, one of the nation’s leading home respiratory services and medical equipment providers, Apria Healthcare, recognized the risks early on and implemented Absolute to better secure patient data.
Apria operates more than 300 locations and provides service to 1.8 million patients annually with in-home care and 24/7 clinical services. In order to support home-healthcare — by far the fastest growing healthcare sector due to its potential for improved care at a reduced cost — Apria employees rely heavily on more than 8,000 devices.
Read: Why Data Privacy in Healthcare Matters
Unbreakable Visibility & Control
To ensure the highest levels of security, protect private and corporate information, and ensure HIPAA compliance, Apria needed a way to track their endpoint devices. They wanted a solution that would deliver zero-touch IT asset management, provide self-healing endpoint security, and employ always-on data visibility and protection. They needed intelligence on every device, with the ability to control every endpoint whether it was on or off their corporate network.
With Absolute Persistence®  already installed in the BIOS of their endpoint devices, Apria found unbreakable endpoint visibility and control by simply turning Persistence on. As a result, they now have a reliable, two-way connection to each device and can remotely monitor the status of their devices to avoid a healthcare data breach. They gained critical asset intelligence they could not find with any other security provider.
“Persistence [located] in the BIOS was the number one item that I think really sets Absolute apart from other companies touting that they can do asset tracking better,” said Janet Hunt, Senior Director, IT User Support, at Apria Healthcare. “They really can’t, they don’t have that piece – that persistent piece is so important to me. I am always looking for opportunity and different technologies as they come up, and I haven’t found anything that’s as good as Absolute… nothing can compare.”
With Persistence activated on every device, Apria Healthcare is assured that no matter what happens to a device – whether it is lost, stolen, or breached – no one can turn that Persistence off. The device will continue to report back to Apria, who then has the power to wipe a device clean or shut it down even if the user installs a new OS.
Absolute also provides dashboard status on all devices that updates every 15 minutes. With a complete history of the device, security managers can demonstrate encryption, geolocation, usage, and device history. Absolute provides unprecedented asset intelligence, giving healthcare organizations a crystal-clear understanding of the value every asset is delivering to inform security and purchase decisions.
“If Absolute disappeared, I would retire because I would have no idea where anything was,” said Hunt. “That was the greatest thing about bringing Absolute in: I know where a device is.”
To find out how the Apria Healthcare uses Absolute to secure patient information, gain visibility into device location and activity and improve access to patient care in the field, check out the case study or read up on Absolute healthcare solutions.
 

Escalating Risks to Healthcare Data

The challenges of securing medical devices from cyberattacks made headlines again last week as the U.S. Food and Drug Administration (FDA) warned that some insulin pumps made by Medtronic MiniMed may be at risk for a cybersecurity breach. In response, Medtronic recalled the affected Minipumps and is providing patients with alternative pumps.
As the healthcare industry quickens its pace toward incorporating more IoT devices and wearables for the sake of improved patient care, there is also a clear downside to the trend. The connectivity inherent in these same medical devices can also pose a serious threat to patients and providers. Device vulnerabilities can lead to security breaches that could potentially impact the safety and effectiveness of the device. Due to the high value of healthcare data, the risks are escalating rapidly.
Weighing Risks and Rewards
Healthcare organizations and patients alike must weigh the risks and rewards of relying on such medical devices the same way they already consider the pros and cons of their network connected endpoints. Laptops, tablets and phones have proven to be a critically important piece to delivering cutting-edge patient care as well as growing organizational efficiency. For large hospitals, small doctors’ offices and every healthcare provider in between, mobile medical technology is how modern patient care is delivered.
But securing patient data — including personal information, payment details, health histories and more — on vulnerable endpoints has long been a real problem for the industry. More than 2 million people saw their information exposed via a healthcare data breach in May alone.
Government regulations that oversee the protection of personal information — including HIPAA and a host of others — are busy trying to keep up with breach investigations. Large fines are regularly doled out, yet the pilfering by hackers continues at a relentless clip. At the same time, security spend is also on the rise, motivated by organizations scrambling to fend off attackers.
Read: The State of Endpoint Health in 2019
Now What?
A strong security posture must start with unparalleled visibility — because you can’t secure what you can’t see. This is the approach Allina Health, the major healthcare provider for the state of Minnesota took when they implemented Absolute across their more than 10,000 devices.
With Absolute, Allina Health can see all of their devices, whether they are on the network or not, identify devices that are missing or not being used, and prove that security controls such as patch management, antivirus and encryption are always in place. In addition, Allina Health has been able to save over one million dollars by identifying underutilized assets, prove compliance with HIPAA by validating that encryption is in place on all devices, at all times, and achieve 95 percent laptop auditing accuracy.
“I sleep better at night knowing that if a device goes missing, we have the tools and services that Absolute provides to track it down…and validate that encryption was in place [when the incident occurred],” said Danielle Bong, IT Asset Manager, Allina Health.
Healthcare endpoints are key to providing better patient care and improving organizational efficiency – security improvements must be made for the benefit of everyone but the hackers.
To learn more about how Allina Health uses Absolute, download our case study: Allina Health Ensures HIPAA Compliance.
 

5 Cybersecurity Healthcare Tips

HIPAA Compliance Awareness During National Nurses Week 2019
If saving lives and caring for the sick aren’t already steep enough responsibilities, today, the sophisticated world of cybercrime has thrust the healthcare industry, and the medical professionals that work within it, into its crosshairs.
Healthcare and the Digital Workspace
That means on-the-go nurses — with laptops and tablets in hand that often contain sensitive, HIPAA-regulated data — are subject to all the cyber risks that apply to those devices. Healthcare organizations, like all businesses that are adapting to the modern digital workplace, need to see and understand the risks to endpoint devices and the data on them.
In recognition of National Nurses Week and to support all that is asked of these hard-working, caring professionals, here are a 5 tips for how healthcare organizations can apply a cybersecurity-centric mentality to the job.
5 Cybersecurity Healthcare Tips

Educate all staff — To mitigate the risk of employee mishap and misuse, train staff on the importance of data security. Implement a well-communicated policy on how and when to report missing devices, suspicious email trends and device irregularities and maintain enforceable repercussions for intentional infractions. Read: Healthcare Cybersecurity and Data Security in 2019 for insight into this year’s top threats.
Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for your organization’s data security. This person should oversee HIPAA compliance initiatives and ensure data security is a regular topic at Board meetings.
Take back control of your endpoints — When endpoints go rogue or become invisible due to faulty security agents, you need to act fast. Absolute’s proprietary Persistence® technology is embedded in the firmware of more than 70 percent of the world’s endpoint devices. Because it’s the only embedded security solution, it is the only cloud-based platform that maintains a persistent connection to devices, regardless of user behavior or device performance.
Add resiliency to security solutions — The 2019 Endpoint Security Trends Report found that more security does not equate to more secure devices. In fact, much of organizational endpoint security spend is wasted on solutions that simply don’t work due to missing or broken agents or disabled controls. Rather than throwing good money after bad, IT and security teams should instead strive to reduce complexity on the endpoint and focus on ensuring that existing security tools are fortified, more resilient, and less inclined to fail.
Get real about real-time evaluation and response — Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution. According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives.

Focus on What Works
There isn’t a single checkbox healthcare organizations can make to secure data. Layering on all the security tools in the world won’t guarantee total data security either. Instead, maximize the resources you already have – your people, your processes and your controls. A concerted effort across each of these five areas listed above will provide a solid foundation from which to build for the benefit of patients, medical staff and the organization as a whole.
If you’d like to learn more about how to protect your organization and medical staff from today’s cyber threats, get our latest case study, Apria Healthcare Delivers Secure Health Solutions with Absolute.  And, in great appreciation for all healthcare professionals, we extend our heartfelt thanks.

In Clinic or In a Patient’s Home, Apria Healthcare Keeps Data Secure

Healthcare technology — which includes everything from medical staff tablets to monitoring devices, patient sensors and even prosthetics — is increasingly reliant on an interconnected network. The interconnectedness enables improved patient care but it also opens the door for added vulnerabilities. As cyber crime skyrockets across the healthcare industry, one of the nation’s leading home respiratory services and medical equipment provider, Apria Healthcare recognized the risks early on and implemented Absolute to better secure their patient data.
Headquartered in Lake Forest, California, Apria operates more than 400 locations servicing 1.8 million patients per year through in-home care and 24/7 clinical services. In order to support home-healthcare — by far the fastest growing healthcare sector at an annual growth rate of 7% largely due to its potential for improved care at a reduced cost — Apria’s 8,000 employees rely heavily on mobile devices. For Apria therapists to better access critical patient data while in a patient’s home and therefore deliver improved care, the organization deployed a fleet of tablets protected with Absolute.
Read: Why Data Privacy in Healthcare Matters
Unbreakable Visibility & Control
With Absolute Persistence® technology installed, Apria gained unbreakable endpoint visibility and control. They now have a reliable, two-way connection to each device and can remotely monitor the status of their devices to avoid a healthcare data breach. They can also track device location if one was ever lost or stolen.
To make that data meaningful, Apria has created several groups of employees based on their location and function, with automated alerts if details (like username or location) change unexpectedly. Apria is then able to investigate and remotely freeze or wipe the device, as needed.
“Each of our devices is tied to an individual,” said Janet Hunt, Senior Director, IT Quality & Support Services, at Apria. “With Absolute, we can establish groups that we categorize by employee, location, and function.”
Apria is now confident in their ability to see and control all of their devices and secure sensitive information, keeping them in compliance with HIPAA and other health regulations. They can track and report on inventory, device location and activity — no matter where the device is located.
“Absolute is the number one priority for our CIO,” Hunt said. I can’t verbalize how important this is to my company and how much more effective we’ve become at securing our healthcare data.”
To find out how the Apria Healthcare uses Absolute to secure patient information, gain visibility into device location and activity and improve access to patient care in the field, check out the case study or read up on our healthcare solutions.

10 Future-Proof Cybersecurity Tips for Healthcare

The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats are very real to all industries – including critical infrastructure, government, financial services and others –healthcare has the biggest target on its back today. These threats have been steadily rising for many years and last year was no exception. See the 15 largest health data breaches of 2018. What can you do to bolster stay safe in 2019? Here are 10 future-proof cybersecurity tips for your healthcare organization.
Individual Impact
The impact of data breaches on organizations is significant, with healthcare data breach costs ranking the highest of any industry at $408 per breached record. But what about the impact to a patient? What happens when patient data is used in medical identity theft for years, only discovered when the collections agency comes calling? Or worse, when a patient receives incorrect medical care because the medical record is compromised by false updates? What happens to the patient who enters the hospital for care only to find all hospital systems shut down by ransomware? What happens to the patient if his pacemaker or MRI machine is hacked?
Risky Technology
Healthcare technology is continually advancing with the goal of improving patient outcomes, and yet many technologies are being deployed before security concerns can catch up. We trust that we’ll receive the best care possible from our doctors, but we’ve only just begun to feel the impact of cybersecurity threats on patient care. So, what can healthcare organizations do to improve this escalating situation?

Review all contracts — Healthcare organizations today are large and complex systems, with many ‘smaller’ entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place to promptly report data breaches by all partners and vendors. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
Formalize breach notification process — Include both detection and response capabilities and consider purchasing special insurance. Under GDPR requirements, organizations must report a data breach within 72 hours. Read: 5 Tips for Compliance Officers Dealing with GDPR.
Rehearse your data breach plans — Make sure your organization can report on the consequences of a breach in a timely manner.
Maintain endpoint visibility — Ensure firmware and software can be updated against vulnerabilities and alerts can be issued if a device goes missing, misses an update or shows signs of tampering.
Protect legacy technology — The reality of limited budgets in healthcare means that many legacy systems remain unsupported and that could place the entire network at risk. Isolating these systems or building protections around legacy systems can serve as a temporary safeguard until systems can be modernized.
Automate detection and response capabilities — A recent Ponemon study found that traditional endpoint security approaches are costing enterprises more than $6 million in poor detection, slow response and wasted time. Security solutions should be automated to detect and contain threats with minimal human input or intervention.
Add resiliency to security solutions — How can you ensure that your current security controls cannot be tampered with by malicious or insider activity? This resiliency is available through Absolute’s persistence technology.
Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for data security and ensuring data security is a regular topic by the Board, a key differentiator in reducing security gaps.
Educate staff — Train them on the importance of data security to mitigate the insider threat. Have a well communicated policy on how and when to report lost devices or suspicious texts or emails and enforceable repercussions for infractions.
Conduct regular compliance reviews — GDPR lays out stringent data protection requirements, as does HIPAA and HITRUST. Be proactive in identifying and rectifying issues. Read: HIPAA Compliance Checklist for 2019

Patient medical records are now the #1 target for cyber criminals. And healthcare organizations are legally required to protect their PHI, even as it leaves their systems and goes to other covered entities.
For more on how you can prevent data breaches, read about actionable strategies in the whitepaper, Data Breach Prevention for Healthcare: A Best Practice Guide.

Why Data Privacy in Healthcare Matters

Data privacy in healthcare is much more than a regulation checkbox. It directly correlates to a sustainable, successful global healthcare system. In the continuous battle for better patient care and a business model that makes healthcare more affordable, information is king.
The Rising Cost of Healthcare
According to a study published by the Journal of American Medical Association (JAMA), the rising cost of healthcare is due to five primary factors:

Population growth
Population aging
Chronic disease prevalence
Use of medical services
Service price and intensity (i.e. pharmaceutical drug prices)

These factors drive healthcare spending – which is skyrocketing. By 2022, global healthcare spending is expected to reach to just over $10 trillion annually worldwide. In the U.S. alone, healthcare spending rose nearly a trillion dollars over the past ten years.
The rising costs hurt consumers of course (as anyone who has been to the doctor lately can tell you), but they are also a painful reality for healthcare organizations. Administrators must determine how to deliver the best possible patient care, while remaining in the black.
Data is the New Healthcare Currency
In the search for a more sustainable business model to meet these competing demands, many geographies, the U.S. included, are now seeing an industry shift from the volume-based, fee-for-service model to a more patient-centric, value-based approach. The rationale behind it is that a sick person is already an expense; whereas to focus on wellness, prevention and early intervention is a mutually-beneficial partnership that reduces costs over the long-term.

To deliver on value, healthcare organizations must rely heavily on digital technologies, clinical innovations, virtual care and plenty of patient information. At this intersection, we find the increasingly-common phrase, ‘data is the new healthcare currency.’ For this reason, data privacy belongs at the center of any conversation about the business of health care.
Patients expect it. Regulators require it. Your reputation depends on it.
Valuable Data in a Growing Attack Vector
Beyond the value healthcare providers assign data for the purpose of patient care, cybercriminals also find great value in healthcare data records. One report says electronic healthcare records (EHR) are valued at $250 per record on the black market compared to the next highest priced record – a credit card – at just $5.40. With that kind of money in play, healthcare is a particularly attractive target for most hackers. It makes sense, then, that healthcare organizations see an average of 32,000 intrusion attacks per day, per organization as compared to 14,300 attacks per organization in other industries.
And the possibilities for cybercriminals to attack are growing as healthcare organizations’ threat surface expands. Caregivers and employees are more mobile, partnerships with third parties are more common, and medical devices are increasingly complex with new IoT technology.
Read: Are Hacked Medical IoT Devices Ransomware’s Next Target?
Cost of a Healthcare Data Breach
An attempt at your data is likely, and once breached, it will be costly. In their Annual Cost of a Data Breach Study 2018, the Ponemon Institute identified breach resolution costs (including detection and escalation, notification, post data breach response and lost business) to be highest for the healthcare out of any industry by far at $408 per record. The industry ranked second is financial services at a considerably lower price point of $206 per record.
These numbers don’t include regulatory fines that inevitably result with a confirmed breach. How non-compliance is handled is unique county-to-country but none of the fines come cheap. As regulations continually evolve and penalties multiply, it’s clear that data privacy needs to remain a top priority.
To learn more about how to avoid a costly breach and embrace the digital healthcare revolution, download the whitepaper: The Cost of a Data Breach in Healthcare.
 

Healthcare Cybersecurity and Data Security in 2019

Healthcare has rapidly evolved from a traditionally paper-based industry to one that has embraced digital in almost every way. The growth of technology and patient care has subsequently thrust the industry into the spotlight when it comes to protecting sensitive information.  Healthcare cybersecurity and data security in 2019 is one of the top issues facing the healthcare industry.
State of Cybersecurity in the Healthcare Industry
The amount of endpoints on healthcare networks is growing exponentially, especially with the popularity of both personal and corporately-owned mobile devices. Add in a host of IoT devices such as printers and smart appliances, and the potential for trouble is significant. The good intention motivating these devices is improved productivity. However, when you combine the device proliferation with healthcare organizations’ legacy systems and inadequate security budgets, it becomes a pervasive interoperability problem.
To make matters worse, employees who lose devices or see them stolen, click on a phishing link or inadvertently send Personal Health Information (PHI) across insecure channels only exacerbate the issue. You’re left with a recipe for embarrassing, costly leaks of sensitive data — not to mention the likelihood of hefty fines from HIPAA and HITECH regulations.
The need for better endpoint visibility and control has never been greater.
Why is Data Security the Biggest IT Concern for Healthcare Organizations?
While there are countless complex challenges facing healthcare IT professionals, it’s almost unanimous that security is at the top.
By widely adopting electronic information systems, any organization that does business in the healthcare industry has increased its risks regarding sensitive patient data protection. This is not lost on hackers, who have adapted their methods and tactics to monetize their attacks by seizing control over healthcare data, encrypting data and asking for ransom. This attack, known as ransomware, hits the healthcare industry particularly hard.
The pervasive vulnerabilities that threaten our ability to protect confidential data is a huge concern for healthcare decision makers. The numbers explain why.
The Protenus Breach Barometer for the third quarter of 2018 reports a total of 4.4 million patient records compromised in 117 health data breaches, with the number of affected patient records increasing in each quarter.
According to the Cost of a Data Breach Report conducted by the Ponemon Institute and IBM, the average healthcare data breach costs $408 per record — the highest of any industry for eight straight years. At almost triple the cross-industry average of $148 per record, it is obvious that cyber and data security is one of the most critical concerns for the industry.
Perhaps the biggest concern, however, is this: as organizations place more medical devices onto their networks, those IoT devices are also vulnerable to attack, and can even endanger the lives of their patients.
Most Common Cybersecurity Threats in Healthcare
The number of threats facing the healthcare industry is only going up. We’ve touched upon a few of the main threats already, but it’s a good idea to categorize them into four main groups — all of which can jeopardize PHI or ePHI, the cornerstone of healthcare data.
Ransomware
We discussed ransomware in the previous section, and because it dwarfs all other types of cyber-attacks facing healthcare companies, we’re listing it first.
Security experts agree that phishing emails, the primary method for launching a ransomware attack, will persist and prey on the healthcare sector.
Insider Threats
This one may not seem as obvious, but the threat is real.
So real, in fact, that a Verizon 2018 Protected Health Information Data Breach Report by Verizon found healthcare to be the only industry in which internal actors represent the biggest risk to an organization. The study also reports 58% of all healthcare data breaches and security threats are caused by insiders, anyone with access to healthcare resources and important data. 
IoT Healthcare Attacks
As Internet-connected medical devices are adopted on a much grander scale each year, IoT is going to be a huge issue for healthcare. On the one hand, hospitals and other providers benefit from IoT’s medical advancements and infrastructure improvements. On the other hand, most IoT devices are not built with cybersecurity as a default.
In fact, hacked medical IoT devices may be used to launch ransomware attacks.
Due to the severity of risks involved, IoT security mustn’t be overlooked.
Supply Chain Attacks
You may have the best security in your organization or network, but what about your suppliers, service providers, partners, or business associates who have access to your data? Those networks or systems may not be as secure. Hackers can and will focus on these weaker networks.
A supply chain attack is when a hacker exposes one of the weak links in your supply chain and leverages it as a form of indirect access into your network. Hackers are always looking for backdoors, and the supply chain is often their way in, either through insecure networks, software or hardware.
Interesting fact: in a recent CrowdStrike survey, 84 percent of healthcare respondents agree that “software supply chain attacks have the potential to become one of the biggest cyber threats to their industry.”

3 Ways to Improve Healthcare Data Security
Maintaining control over critical PHI or other sensitive data isn’t easy, but if healthcare organizations make a concerted effort to follow these three approaches they should be ahead of the game.
1. Take Back Control Of Your Endpoints
When endpoints go missing or show cause for concern, you need to act fast and smart. Failing to act quickly puts you at risk of exposing your organization to ransomware attacks and security breaches.
The fact is, laptops at a healthcare organization often go missing for months before the loss is detected in a yearly IT audit. Your efforts need to be focused on reshaping this critical flaw in oversight. When a device misses an update, goes missing or shows signs of tampering, you need to make sure red flags go up immediately so you can deal with it ASAP.
2. Strengthen Your Security Posture
Organizations should consider investing in endpoint controls and applications to protect their most critical assets. In doing so, you ensure your applications are running smoothly and have not been tampered with. Critical applications such as VPN, antivirus, encryption, device management and other controls are too easily compromised by malware, corruption or negligent users and often leave IT and security pros flying blind.
Improving visibility and control to the endpoint can help patch these holes in a healthcare security environment that might otherwise render existing and new security layers ineffective.
3. Get Real About Real-Time Evaluation and Response
Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution.
According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives. By following these approaches, it’s estimated organizations can save an average of $2.1 million annually in time saving. Even better, they’ll have a greater chance of preventing a costly breach.
Finally, risk analysis should be an ongoing process that checks the following boxes for covered entities: regularly review records to track access to ePHI and detect security incidents; periodically evaluate the effectiveness of security measures put in place; and regularly re-evaluate potential risks to ePHI.
We hope you’ve found several takeaways here, and are in a better position to improve your healthcare cybersecurity posture. If you need more strategic tips, be sure to check out our HIPAA Compliance Checklist for 2019.

Loading

Categories