Why Healthcare IT Systems Are Vulnerable and What Institutions Can Do to Protect Themselves


By Alex Margovsky

The healthcare industry is the “grandparent” of the IT security world. Despite having the potential to collectively save $60 billion with investments in digital technologies, the healthcare industry remains infested with old, expensive-to-replace legacy technologies riddled with vulnerabilities.

2016 saw a 63% increase in healthcare-focused cyber attacks, and earlier this year NHS hospitals in the UK were forced to turn away patients with non-life-threatening conditions when various hospital systems were crippled by the WannaCry ransomware. Despite all the evidence that hackers are specifically targeting healthcare institutions, proposed HHS budget cuts mean health organizations in the US will face this growing threat with fewer resources than in previous years.

Assuming the government isn’t suddenly going to start throwing money at healthcare, what specific IT vulnerabilities should healthcare institutions be aware of, and how can providers keep their systems secure?

What are the biggest stumbling blocks for healthcare IT security?

To combat attacks, healthcare providers need to be more savvy about the risks, and the new tools available to protect their environment.

The healthcare industry’s continued dependence on old technology means many devices in use no longer receive security updates and are susceptible to medjacking and other backdoor attacks. Some healthcare organizations aren’t even aware that, as of April 11, 2017, Windows Vista is no longer supported by Microsoft, making Windows 7 the oldest operating system that should be installed on their computers.

Because of the valuable and confidential nature of the information held by healthcare institutions, the federal and state security regulations are rightfully extensive, but their rapidly evolving complexity has made it increasingly difficult for healthcare companies to keep up with compliance.

Hackers have an elevated motivation to target healthcare institutions because those institutions are more likely to pay hackers’ demands: the consequences of a hospital’s systems going offline, even briefly, are quite literally a matter of life or death. To avoid human suffering and to limit malpractice and liability risks, hospitals are under greater pressure to recover stolen information and to unlock data that has been locked up by an attacker.

What’s necessary to solve health IT’s chronic security problems?

Looking at the big picture, major changes will need to take place to improve security and drive widespread adoption of best practices in the healthcare industry.

Recently, the Bipartisan Policy Center (BPC) released a report focused on the relationship between patient safety and improving health IT implementation. The report’s top suggestions to advance the development and adoption of health IT run parallel to the advancements needed regarding IT security. The report calls for:

  1. The development of coordinated leadership to set and guide health IT priorities.

  2. The promotion, dissemination, and regulation of best practices that address priority health IT issues.

  3. The continued advancement and adoption of strategies and standards across healthcare institutions.

What are the best practices to keep health IT environments secure?

On an individual basis, there are many steps healthcare institutions should take to protect themselves from cyber threats. In our technological age, data is only increasing in value, and the big red target painted on healthcare organizations necessitates that institutions be proactive when it comes to the security of their IT environments. Here are some basic things organizations can do to increase security:

  • Change passwords quarterly and enforce strong password complexity.

  • Always install updates and patches from Microsoft and Apple on your devices.

  • Retire legacy machines and outdated technology.

  • Remove dormant users.

  • Separate public and private networks.

  • Set up Active Directory for centralized user management.

  • Enforce mobile security with mobile device management.

  • Adopt multi-factor authentication (e.g., Duo).

  • At a minimum, abide by the HIPAA guidelines.

  • Ensure all users have individual accounts.

  • Structure user accounts with restrictions and hierarchies for classified information. (Janitors, receptionists, and clinicians shouldn’t all have the same level of clearance to access information.)

  • Finally, back up, back up, back up! In this day and age, it is critical to have a tested backup, separate from your network, to ensure data integrity, confidentiality, and availability. These backups should be updated regularly and stored either on a secure cloud system or on an isolated server that is left disconnected from the internet when not in use.
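One way to turn several of the items above (retiring unsupported systems, removing dormant and shared accounts, enrolling MFA, and restricting access by role) into a repeatable audit, as an added example that is not from the article or from Alpha Ridge: it runs over a constructed inventory export, and the 90-day dormancy threshold, the role entitlement map, the audit date and the Windows XP end-of-support date are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article); field names mirror an AD / inventory export.
OS_END_OF_SUPPORT = {
    "Windows Vista": date(2017, 4, 11),  # date cited in the article
    "Windows XP": date(2014, 4, 8),      # Microsoft lifecycle date, added here
}
DORMANT_AFTER = timedelta(days=90)  # assumption: 90 days without a logon counts as dormant
AS_OF = date(2017, 6, 15)           # assumed audit date
# Assumed least-privilege map: data classes each role is entitled to reach.
ROLE_ENTITLEMENTS = {"clinician": {"ehr", "email"}, "receptionist": {"scheduling", "email"}}
SAMPLE_HOSTS = [
    {"host": "WS-RECEPTION-01", "os": "Windows 7", "patched": True},
    {"host": "WS-LAB-03", "os": "Windows Vista", "patched": True},
    {"host": "WS-XRAY-02", "os": "Windows 10", "patched": False},
]
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "role": "clinician", "last_logon": date(2017, 6, 1),
     "mfa": True, "shared": False, "access": {"ehr", "email"}},
    {"user": "frontdesk", "role": "receptionist", "last_logon": date(2017, 6, 10),
     "mfa": False, "shared": True, "access": {"scheduling", "ehr"}},
    {"user": "ex_contractor", "role": "clinician", "last_logon": date(2016, 11, 2),
     "mfa": True, "shared": False, "access": {"email"}},
]

def audit_hosts(hosts, today):
    # Flag machines on an out-of-support OS (retire) or behind on vendor patches.
    findings = []
    for h in hosts:
        eol = OS_END_OF_SUPPORT.get(h["os"])
        if eol is not None and today >= eol:
            findings.append((h["host"], f"{h['os']} unsupported since {eol}: retire"))
        elif not h["patched"]:
            findings.append((h["host"], "vendor patches outstanding"))
    return findings

def audit_accounts(accounts, today):
    # Flag dormant, shared, MFA-less and over-privileged accounts.
    findings = []
    for a in accounts:
        if today - a["last_logon"] > DORMANT_AFTER:
            findings.append((a["user"], "dormant: disable pending review"))
        if a["shared"]:
            findings.append((a["user"], "shared login: issue individual accounts"))
        if not a["mfa"]:
            findings.append((a["user"], "MFA not enrolled"))
        excess = a["access"] - ROLE_ENTITLEMENTS[a["role"]]
        if excess:
            findings.append((a["user"], f"access beyond role: {sorted(excess)}"))
    return findings
```

Feeding a real export into the two functions produces a finding list that maps directly onto the checklist items above, which is easier to track to closure than a one-off manual review.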

In case of a disaster (e.g., a weather-induced power outage or a cyberattack), institutions need to have a plan B. Whether they like it or not, healthcare institutions are in attackers’ sights and need to evolve to combat the increasing threat to their sensitive information and take real action to secure their health IT environments. The damage incurred after a breach varies widely from case to case, but the potential financial costs, fines, negative media coverage, and loss of consumer confidence leave enough at stake that healthcare institutions need to focus on preventive measures, not remediation.

Alex Margovsky is founder of Alpha Ridge, a leading healthcare IT consultancy firm that combines a deep knowledge of healthcare and technology to optimize the security and efficiency of medical environments.