The healthcare industry has had a remarkably tough couple of years when it comes to security. Hacks of hospitals and health plans are now occurring almost daily, according to the U.S. Department of Health and Human Services’ online database. Over 100 million patient records were reportedly breached in 2015 — equivalent to a third of the U.S. population. This year is not any better: nearly 80 percent of providers experienced a “significant security incident,” according to a recent survey conducted by the Healthcare Information and Management Systems Society (HIMSS), a trade group for the health IT industry.
The issue is not going away. Medical records and devices are only going to become more connected — on a massive scale and at a rapid pace. And while this move toward more connected systems is a positive one, it will also make it even easier for health care providers to be hacked if the industry does not prioritize cybersecurity.
The good news is that both providers and the government are starting to recognize there’s a serious problem. That same HIMSS study showed that health care providers are making information security a higher priority — specifically, 87% of acute providers and 81% of non-acute providers. Meanwhile, HHS launched a Cybersecurity Task Force and, earlier this month, announced it will now investigate breaches of fewer than 500 records — acknowledging that, when it comes to medical records, no breach is too small to warrant action.
But the healthcare industry still faces some big, persistent problems that have made it an easy target for hackers. Most providers still use legacy systems that weren’t designed with security in mind. They often lack the funding to upgrade to more secure systems, or to hire specialized personnel. And as the struggle to get electronic health records in place demonstrates, health care is an industry that generally lags the rest when it comes to technology.
Health records are also one of the most lucrative types of information that a hacker could steal — fetching significantly more money on black markets than stolen credit cards or lone social security numbers. With a health record, you have access to a person’s entire identity — and in many cases, their family’s identities too.
All of this gets at why we – healthcare providers, cybersecurity firms, government – need to make healthcare cybersecurity a top priority. So what’s the solution?
Put simply, get the basics right and make healthcare systems more resilient as upgrades occur. Before joining Tanium, I spent six years investigating cyber breaches. Many of the companies I worked with then — and 61% of the HIMSS study respondents today — were worried about “advanced threats.” But the vast majority of breaches — even those involving advanced threats — could be prevented with basic security hygiene.
Here are five ways the industry can improve its cyber hygiene:
The health care industry is at a critical point. In the next five years, it will look remarkably different than it does today. Patients will have easier and broader access to care, as providers connect more of their systems to the Internet of Things. As upgrades occur, this is the precise time to implement a more secure, resilient architecture.
About the author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations, and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.