Top Cybersecurity Threats to Healthcare Practices and Ways to Avoid Them

Blog Posts  |  20 October 2023

Written by: Jeremy Maxwell, Vice President and Chief Security Officer, Veradigm and Cheryl Reifsnyder, PhD

This is our second article in our series for the U.S.’s 20th annual Cybersecurity Awareness Month, taking a look at the top cybersecurity threats facing healthcare practices today and how to avoid them.

According to reports submitted to the U.S. Department of Health and Human Services’ (HHS’s) Office for Civil Rights, more than 170 million American health records have been exposed since 2009—and those numbers have been increasing steadily in recent years. The number of data breaches has doubled since 2014; in 2020, healthcare data breaches of 500 or more records were reported at a rate of over 1.76 per day, yielding more than 29 million exposed healthcare records.

There are a number of reasons why the healthcare sector has been the victim of so much cybercrime. According to an IBM report, stolen healthcare data is the most valuable in any industry. In 2021, the average cost of a healthcare data breach was $9.2 million. The Health Insurance Portability and Accountability Act (HIPAA) Protected Health Information (PHI) found in electronic health records (EHRs) provides criminals with more information than any other type of breached record—information such as names, dates, telephone numbers, geographic data, social security numbers, email addresses, medical record numbers, biometric identifiers (e.g., retinal scans and fingerprints), and more. Health data is static and cannot easily be changed or “cancelled” like a stolen credit card—so once a fraudster steals health information, it remains valuable to them for longer.

Medical records contain a wealth of PHI that cyber-attackers can use for profit in numerous ways, including:

  • Sale on the dark web or black market
  • Extortion via ransomware—forcing the medical practice or organization to pay before they regain access to encrypted and compromised computer systems and data
  • Fraud
  • Medical identity theft
  • Traditional identity theft, as medical records may contain information needed to open a credit card, bank account, or take out a loan in the victim’s name
  • Hacktivism/promoting a political agenda

Healthcare practices are also frequently targeted because healthcare organizations may lack the necessary resources to adopt the cybersecurity procedures implemented in other critical infrastructure sectors. For instance, physician practices often have smaller security budgets and teams than banks and other financial services organizations.

The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication, 2023 Edition, from the HHS 405(d) Cybersecurity Task Force lists 5 top cybersecurity threats facing healthcare practices today:

  1. Social engineering attacks (including email phishing)
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Internal, accidental, or intentional data loss
  5. Attacks against connected medical devices

We looked at email phishing and ransomware attacks and strategies for defending against them in our previous articles; in this article, we review the other 3 top threats and some steps you can take to prevent them from breaching your cybersecurity defenses.

Lost and stolen computer equipment

Lost and stolen computer equipment is one of the primary avenues cybercriminals use to compromise medical practices’ cybersecurity. Laptops, smartphones, USB/thumb drives, and other devices are often lost or stolen and, from there, may find their way into hackers’ hands. For instance, say a physician logs into his laptop at a coffee shop, then leaves it unattended for 30 seconds to pick up something at the counter. A passing thief might lift the computer while the physician’s back is turned.

Staff training

Training practice members in basic equipment security practices is critical. For example, they should:

  • Never leave laptops or computers unattended in public
  • Ensure laptops and computers have basic security measures in place, such as
    • Antivirus software
    • Full disk encryption
    • Up-to-date software patches to eliminate any system vulnerabilities
  • Never use unencrypted devices, such as thumb drives or unencrypted mobile phones. Require mobile phone encryption before using devices to access sensitive data
  • Notify a supervisor or IT professional immediately of any lost or stolen equipment

Benefits of cloud hosting

On the other hand, laptops and other devices are much less of a security risk if they do not contain any patient PHI. This is one of the benefits of Veradigm’s cloud-hosted EHR platform: Physicians can access patient information using their laptop, smartphone, or other mobile device, but PHI is not stored on the provider’s device when they access information using the EHR mobile application. A device that holds no health information is far less valuable to a thief or hacker. In addition, theft of a device that does not store PHI is not considered reportable under the HIPAA Breach Notification Rule.

Using Veradigm cloud-hosted solutions provides clients with the additional protection of the top-notch security features integrated with cloud hosting. All Veradigm-hosted solutions are hosted using the Microsoft Azure platform, and Microsoft Azure provides users with the latest encryption technologies to protect both internal data and data in transit to or from external sources. Microsoft services are reliable and secure, giving practices the peace of mind of knowing their Protected Health Information (PHI) and other sensitive information is protected.

Internal, accidental, or intentional data loss

Unfortunately, equipment and data are not at risk solely from external thieves and hackers: Insider threats exist in any medical practice or organization where employees, contractors, third-party partners, or others have network or infrastructure access.

On average:

  • Every practice employee has access to 20% of their organization’s total files
  • More than 1 in 10 sensitive files are open to every practice employee
  • 77% of medical organizations have 500 or more accounts with never-expiring passwords

Protecting against this type of insider threat requires implementing security measures analogous to using photo ID badges to identify staff in the physical environment. You need to establish cybersecurity access management protocols that help ensure users are properly identified in the digital environment. This includes steps such as:

  • Removing unnecessary administrative accounts; most users don’t need to be authorized as system administrators with extended system access and capabilities
  • Establishing a unique account, with a unique password, for each user
  • Training users never to share passwords or user credentials
  • Limiting or eliminating shared or generic user accounts; if one is necessary, train users to sign out when finished or when leaving the device, even briefly
  • Implementing the use of multi-factor authentication (MFA) for any cloud-based systems used to store or process sensitive data
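As an added example (not code from the original article or from Veradigm), the following Python script performs the kind of periodic access review these practices call for. It assumes a CSV export of accounts from the practice’s directory with the columns shown in the constructed sample; the column names and the list of generic account names are assumptions to adapt to your own environment.

```python
import csv
import io

# Constructed sample account export (not real data). The column names are
# assumptions for this example; map them to your directory's actual export.
SAMPLE_EXPORT = """\
username,is_admin,password_never_expires,mfa_enabled,shared
dr.smith,false,false,true,false
frontdesk,false,true,false,true
it.admin,true,false,true,false
labscanner,true,true,false,true
nurse.lee,false,false,false,false
"""

# Account names that usually indicate a generic or shared login (assumed list).
GENERIC_NAMES = {"admin", "frontdesk", "reception", "guest", "shared", "labscanner"}


def _is_true(value):
    return value.strip().lower() == "true"


def review_accounts(export_text):
    """Return {username: [findings]} for every account that violates one of
    the access-management practices above: unnecessary administrative rights,
    never-expiring passwords, shared or generic logins, and missing MFA.
    Accounts with no findings are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["username"].strip()
        issues = []
        if _is_true(row["password_never_expires"]):
            issues.append("password never expires")
        if _is_true(row["is_admin"]):
            issues.append("administrative rights; confirm they are required")
        if _is_true(row["shared"]) or name.lower() in GENERIC_NAMES:
            issues.append("shared or generic account")
        if not _is_true(row["mfa_enabled"]):
            issues.append("MFA not enabled")
        if issues:
            findings[name] = issues
    return findings


def highest_risk(findings):
    """Order accounts by number of findings so the review starts with the
    worst offenders (e.g. an admin account with a never-expiring password
    and no MFA comes first)."""
    return sorted(findings, key=lambda n: len(findings[n]), reverse=True)


if __name__ == "__main__":
    results = review_accounts(SAMPLE_EXPORT)
    for name in highest_risk(results):
        print(f"{name}: {'; '.join(results[name])}")
```

Run against a real export on a schedule, the script gives a practice a concrete list to act on, such as disabling the shared login or enabling MFA, rather than an abstract policy.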

It’s worth noting that organizations that willfully neglect HIPAA rules and make no effort to protect sensitive patient data may be fined up to $1.5 million annually.

Veradigm products provide protection against this type of threat by utilizing security features to meet applicable requirements under the Office of the National Coordinator (ONC) Certification rule, including:

  • Authentication and access control
  • Authorization
  • Auditing
  • Encryption features

The ONC Certification rule requirements serve only as a base for defining the security features of Veradigm products: Many Veradigm products incorporate security features that go beyond these base requirements. In addition, Veradigm incorporates a secure development lifecycle. We work to protect our clients by incorporating risk-based threat modeling, automated code reviews, and security testing for every product and product update.

Attacks against connected medical devices

In the healthcare environment, there are a growing number of IP-enabled medical devices, and they are becoming increasingly connected through the Internet to other medical devices, patients, and practice or hospital networks. This network of interconnected objects is also known as the Internet of Medical Things. These connected medical devices can be vulnerable to security breaches—which can significantly impact the safety and effectiveness of individual instruments. Connectivity also exposes them to cybersecurity risks such as denial-of-service attacks and patient data theft, jeopardizing patients’ treatment and privacy and posing threats to patient safety.

If compromised, connected devices can be a significant source of vulnerability to your network. Attackers can even directly alter readings or operations for devices such as Magnetic Resonance Imaging (MRI) equipment, Positron Emission Tomography (PET) scanners, and vital signs monitors.

Establishing a protocol in case of a potential attack against your practice’s medical devices is essential. You should be able to answer questions such as the following:

  • Who should be notified if a medical device attack occurs?
  • Who is in charge of working with vendors or manufacturers to ensure devices are updated with the most current security settings and software patches?
  • Are there additional security measures or monitors you can put in place to protect each device?

The primary process by which organizations protect medical devices against attack is known as IT Asset Management (ITAM). ITAM is critical to ensure that proper cybersecurity hygiene controls are in place for all IT assets in the organization, including medical devices. You may also need to contact vendors or manufacturers of medical devices to obtain up-to-date information on individual devices’ vulnerabilities, risks, and appropriate protection and response measures. Establishing and maintaining communication with each product’s security team is essential in case an event should occur.

The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication lists individual threats with threat-specific mitigation practices for each, including threats against connected medical devices. Each mitigation practice is covered in greater detail in the technical volumes included in the publication.

Optimizing your cybersecurity defenses

The Department of Health and Human Services (HHS) 405(d) Program and Task Group was created to help HHS build cybersecurity resiliency across the Healthcare and Public Health Sector. They have developed numerous resources helpful for improving cybersecurity practices in healthcare, most notably:

HHS has also developed a free downloadable Security Risk Assessment (SRA) Tool that can be used to assess your practice or organization’s security risk. This tool is especially valuable if you are responsible for the security of ePHI. It’s important to routinely assess your overall security risk, as the security risk management process is iterative and ongoing. The SRA Tool can help organizations meet HIPAA Security Rule requirements by uncovering potential weaknesses in their security systems, processes, and policies.

Contact us today to learn more about the security offered by Veradigm products and cloud-hosted services.