Healthcare Cybersecurity – State of the Art
Author: Jose Monteagudo, Editor-in-Chief 1st Global Cybersecurity Observatory
Where is the industry now?
Good health and well-being are one of the UN Sustainable Development Goals, the United Nations’ new roadmap to improve people’s lives by 2030.
In most developed countries healthcare systems are involved in a transition process – the digital transformation – from paper-based to Electronic Health Systems.
In 2017, 8.8 % of the gross domestic product (GDP) of most developed nations (OECD countries) was spent on healthcare – an enormous part of a country’s economy.
This referred digital transformation not only has important implications in terms of operational excellence and costs, but also in terms of Privacy, Confidentiality and Data Integrity.
The healthcare industry still struggles with interoperability challenges.
Here are the six key challenges related to EHR interoperability (US Government Accountability Office – GAO):
- Complex ecosystem with a myriad of stakeholders: the healthcare ecosystem is extremely complex. In figure 1, below, we show a simplified view of the key stakeholders. Please note that the architecture might be much more complex.
- Insufficiencies in interoperability standards. While standards for electronically exchanging information exist, the industry recognizes they are insufficient for achieving full interoperability.
- Privacy rules are varied. Privacy rules vary across states, countries and regions. This represents a burden for the major players involved, including healthcare providers, software and IT companies and other stakeholders.
- Accurately matching patient records. Patient matching presents an issue for interoperability because different systems use different demographic information to match individuals to their health records. Doing so may yield inaccurate results, as patients may have the same names, birthdates and ages. Thus, trying to corroborate identities between systems that use different demographic data is not possible because systems intake different data.
- Prohibitive costs. System costs and legal fees can deter providers from achieving interoperability. Some EHR systems require multiple customized interfaces to work with other platforms, and providers have to pay the costs associated with building those interfaces.
- Lack of governance and trust among entities. Establishing trust between entities that are needed to support interoperability was noted as a challenge, largely because agreements and organizational policies don’t always align between parties.
The diagram below portrays a simplistic view of the healthcare ecosystem including some of the most common messaging standards:
Figure 1: The healthcare ecosystem: key stakeholders and messaging standards
Framework for understanding the levels of Health IT
We have covered the major challenges related to EHR interoperability. Before delving deeper into the major cybersecurity threats faced by the industry, let’s shed some light onto the different levels of health IT.
A general framework for understanding those levels from a technical perspective is as follows:
- Application Level
- Computerized Provider Order Entry (CPOE), Clinical Decision Support (CDS), Electronic Prescribing (e-prescribing), Electronic Medication Administration Records (eMAR), Results Reporting, Electronic Documentation, Interface Engines, and so on
- Communication Level
- Messaging Standards
HL7, ADT, NCPDP, X12, DICOM, ASTM, and so on
- Messaging Standards
- Coding Standards
- LOINC, ICD-9, CPT, NDC, RxNorm, SNOMED CT, and so on
- Process Level
- Health Information Exchange (HIE), Master Patient Index (MPI), HIPAA Security/Privacy, and so on
- Device Level
- Tablet PCs, Application Service Provider (ASP) models, Personal Digital Assistants (PDAs), Bar Coding, and so on
Security, Confidentiality and Privacy
Privacy Standards and Security Standards are necessarily linked. Any health record system requires safeguards to ensure that the data is available when needed and that the information is not used, disclosed, accessed, altered, or deleted inappropriately while being stored or retrieved or transmitted.
Security Standards work together with Privacy Standards to establish appropriate controls and protections. Health sector entities that are required to comply with Privacy Standards must also comply with Security Standards.
We need to pay close attention to the electronic systems which manage Patient Identifiable Information.
Some of those systems are detailed below. Please note that this is not an exhaustive list and there are many others:
- Electronic Health Records and Electronic Medical Records that capture and store patient information
- Laboratory Information Management Systems
- Prescription Information Management Systems
- Patient Registration and Scheduling Systems
- Systems for Aggregation and Reporting Information, Monitoring Health Programs and Tracking Patients’ status
- Clinical Decision Support Systems
- Systems for Medical Research
Figure 2: Major Cybersecurity Threats for the industry
Major cybersecurity threats for the industry
Overall, limited spending on cybersecurity is the number one threat among small to mid-sized health delivery organizations, even among larger systems. Hospitals must make numerous risk management decisions against resource constraints and cybersecurity has historically not been given the attention it requires — for the integrity and availability of their data, the reliability of their clinical operations and most importantly, patient safety.
Some of the protocols and standards discussed in this article were created when cybersecurity wasn’t even a concern.
Nevertheless, considering the huge impact on patient safety and the damages caused, cybersecurity in healthcare must be a top priority.
Another massive threat is ransomware. It is a type of malware that infects systems and files, rendering them inaccessible until a ransom is paid. When this occurs in the healthcare industry, critical processes are slowed down or become completely inoperable.
Typically, ransomware infects victim machines in one of three ways:
- Through phishing emails containing a malicious attachment
- Via a user clicking on a malicious link
- By viewing an advertisement containing malware (malvertising)
Ransomware has become such an issue that in the US, the MS-ISAC, along with their partners at the National Health Information Sharing and Analysis Center (NH-ISAC) and Financial Services Information Sharing and Analysis Center (FS-ISAC), have teamed up to host training sessions around the country on how to defend against it.
As an example, we may consider the WannaCry ransomware attack that hit over 230,000 computers in over 150 countries in May 2017.
Organizations that had not installed a Microsoft security update from April 2017 were affected by the attack.
In the UK, the National Health Service (NHS) was seriously impacted. According to NHS England, the WannaCry ransomware affected at least 80 out of the 236 trusts across England, because they were either infected by the ransomware or turned off their devices as a precaution. A further 603 primary care and other NHS organizations were also infected, including 595 GP practices (Investigation: WannaCry cyber attack and the NHS).
As discussed, cybersecurity events in healthcare are particularly critical due to the impact on patient safety. In the case of the WannaCry attack, although the NHS was not the specific target, the impact was massive. According to the Department of Health investigation, thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments. Between 12 May and 18 May, 6,912 appointments had been cancelled, and it is estimated that more than 19,000 appointments would have been cancelled in total, based on the normal rate of follow-up appointments to first appointments.
Even though the impact was huge, this incident could have caused more disruption if it had not been stopped by a cyber researcher activating a “kill-switch”.
But ransomware is just one of the key cybersecurity threats faced by the industry.
We should add to this dangerous mix:
- High demand for Healthcare Records: as electronic health records (EHR) are far more valuable than financial data, there is huge demand on the black market, fuelling the numerous cyber-attacks that are damaging the reputation and finances of healthcare operators.
- Vulnerable IoT, IIoT and IoMT devices: there is a correlation between the proliferation of IoT, IIoT, IoMT and other connected devices and the increasing risk for the data they collect, manage, store and transmit.
- Unsecured Mobile Devices: considering the ubiquitous presence of mobile devices in the industry, especially with the Bring Your Own Device (BYOD) trend among healthcare companies, once these devices are connected to the healthcare infrastructure, a plethora of new threats arise. This is particularly acute once we add to the cocktail both the fact that healthcare employees have not been traditionally educated in cybersecurity risks and the extremely high sensitivity of the data managed.
- Cloud Security: healthcare organizations are moving to the cloud at full throttle, with some statistics showing that nearly two thirds of the organizations are leveraging the cloud in some capacity.
The top cloud security concerns are the risk of unauthorized access and the risk of malware infiltrations.
In addition to the referred concerns, a key question arises. Who is responsible for the critical data being stored on the cloud?
On the cloud model, there is a shared responsibility. While cloud providers are responsible for protecting their service, responsibility over regulatory compliance, data access and user credentials for the huge trove of medical records and other sensitive data falls to the healthcare IT team. It is crucial for IT teams to fully understand the delineation of this responsibility.
- Under-trained Staff: healthcare employees have easy access to patient sensitive data.
Training your staff is critical, but just as important as training is getting them to truly understand the potential impact of their actions.
It is beneficial to continue to enhance your training to focus on healthcare security as well as specialized role-based training. It is a fine balance to do so when clinicians’ priority is patient care, but through thoughtful, ever-changing awareness training and scheduled phishing exercises, more awareness can be brought forward.
Another angle to this discussion is Insider Threat.
- Malware and phishing:
One of the most significant threat vectors for a cyber event is phishing.
It is essential to train people to recognize common phishing attempts.
Cybersecurity and awareness training cannot be underestimated, even though we continue to implement technical controls in managing phishing threats.
Having said that, we have seen sophisticated attacks lately for which purposely designed phishing awareness programs might prove useless. There are sophisticated solutions on the market to help companies address sophisticated phishing attacks leveraging state-of-the-art artificial intelligence, in particular machine learning and other technologies such as computer vision.
- Third Party Risks: there is a complex ecosystem of third-party vendors and it’s by no means trivial to limit their access to healthcare systems, computers and other devices. While patient data should be highly protected from external personnel, it might be difficult to guard all points of access.
- Lost, stolen or inadequately disposed-of old hardware: lost or stolen devices, as well as inadequately disposed-of old hardware, represent a huge risk. In the first case, the risk comes from the devices still having access to the healthcare network and potentially valuable data. In the case of old hardware, especially that containing storage or hard drives, it is extremely important to destroy them properly in order to assure that sensitive information, for example patient data, cannot be recovered by criminals. Companies should stay up to date on HIPAA compliance to ensure that they are following the most recent guidelines.
This article is part of the Observatory UK, available for download below:
Healthcare Cybersecurity – State of the Art