Healthcare data is an alluring target for cybercriminals. Electronic health records are valuable and can be used to file fraudulent health claims, obtain prescription drugs, and steal identities. The health records of newborns and toddlers are particularly lucrative because criminals are hoping that use of stolen identities will go unnoticed for years. HIPAA (Health Insurance Portability and Accountability Act of 1996) protects your health information when it’s held by healthcare providers and health insurers; however, personal health information (PHI) is only as secure as the weakest link.
According to an August 2020 Forbes Technology Council article, healthcare cybersecurity is generally weak and lacks the ability to quickly adapt to threat evolution. More than 80% of medical practices have been the victims of cyberattacks according to a joint report from Accenture and the American Medical Association. The report further states that most practices do not have internal security support and rely on outside vendors. Data breaches can lead to service outages and jeopardize patient safety. According to a July 2020 USA Today article, large institutions are getting better at protecting themselves but may still be vulnerable if a supplier or small medical clinic is hacked. Mid-sized medical practices with a large number of health records often aren’t big enough to hire dedicated IT staff making them especially worthwhile targets.
Ransomware is malware that blocks access to a system with the intention of extorting money from the owner. Typically, hackers encrypt data and hold it hostage promising to decrypt and restore access upon payment of a ransom. Due to the urgency associated with accessing records and systems, the likelihood of paying a ransom increases making healthcare an enticing target. In September a Dusseldorf hospital was forced to turn away emergency patients due to a ransomware attack that caused systems to crash.
Medical devices including implants, health-tracking wearables, and diagnostic devices present additional attack vectors. Most medical devices in hospitals are connected to a network. Until recently medical manufacturers were not required to account for device cybersecurity according to a February 2020 Symantec blog.
Earlier this year society was jettisoned into the era of telemedicine further complicating the threat landscape. Almost overnight we became dependent on the use of technologies, such as computers and mobile devices, to access healthcare services remotely. Providers were suddenly relying on telemedicine to diagnose and deliver care. Though reduced threat of infection, increased access to treatment, enhanced ability to closely monitor chronic conditions are some of the benefits, there are also risks. Medical practitioners are accessing telehealth apps and patient data via personal devices, home networks, and personal cloud services from a variety of locations. In addition to security concerns, privacy is at risk if housemates or family members overhear conversations.
In conjunction with Cybersecurity Awareness Month (CSAM), the National Cybersecurity Alliance (NCSA) shares some of the most common ways patients and medical practitioners access health data using technology:
Telemedicine: The use of technologies, such as computers and mobile devices, to access health care services remotely. Be sure your software is up-to-date and connect via a secure Wi-Fi connection.
Health & Wellness Apps: Review the details and read reviews of any health app before downloading, and only download from trusted sources. Immediately configure privacy and security settings to limit how much information you share.
Electronic Health Records: Digital version of a patient’s paper chart making information available instantly and securely to authorized individuals. Make long, unique passwords/passphrases, create a different one for each device/account, and do not re-use them. And always use multi-factor authentication (MFA) whenever available.
Though we have no control over the security measures employed by healthcare providers, it’s important to be vigilant about protecting your identity and personal health information (PHI).