There are three essential things to know about data security in healthcare: First, there are many more attacks than reported. Second, healthcare data may be the most valuable data. And third, a breach in a healthcare setting could literally mean life or death.
Without a federal standard, each state sets its own rules about what constitutes a data breach, so law enforcement only becomes aware of breaches that meet each state’s criteria. Cyber Defense Labs CEO and former FBI executive Robert Anderson estimates that the public is made aware of just one in 10 cyber-attacks. “I was the No. 3 guy in the FBI, briefing Congress, the Senate, the Attorney General, and the Vice President, and I had no idea what was going on,” Anderson says. “That’s the reality.”
There’s also a lack of awareness about the risks to healthcare facilities. They make ripe targets for attacks because of the information they hold. Beyond personally identifiable data (Social Security numbers, driver’s license numbers, and the like), healthcare facilities maintain personal health information (demographics, diagnoses, medication) and payment card information (credit and debit card numbers). This combination is extremely valuable to those who have it and can sell it on the dark web.
When millions of files are stolen and sold, they can be used to cross-reference or confirm other stolen data sets and allow bad actors to build complete profiles of potential victims. If hackers have an address and add a driver’s license or a credit card number, they can start to make fraudulent purchases, apply for new cards, or worse.
So, why don’t healthcare facilities address their data security weaknesses and lock everything down like a digital Fort Knox? It primarily has to do with the need for healthcare professionals to be able to access systems quickly. “We create friction for the adversary or those who want to do harm and create less friction for the experience,” says Texas Health Resources Chief Information Security Officer Ron Mehring. “We must ensure that clinicians can get into systems quickly and treat patients. It’s about how to maintain an equilibrium and a balance.”
Crucially, attacking data in a health system could impact the facility’s ability to function and care for patients. If a bank gets hacked, accounts may be locked. Although it may be a hassle, it is improbable that anyone will die as a result. If a hospital is compromised and bad actors can access technology in the facility, the damage could be catastrophic. “It’s a notch up from a traditional breach because now you have lives in danger,” Anderson says.
Healthcare systems are also notoriously slow-moving when it comes to technology and don’t always prioritize the latest security platforms. Due to consolidation in the electronic health record market, most systems use one of two medical record software programs. For hackers, this is an ideal scenario. Identifying a weakness in one of the EHR programs could mean a pathway to accessing thousands of facilities and the information they hold.
Third-party vendors are another weak link that has led to data breaches. The entire system is at risk if the vendor that sends emails or transfers files does not have adequate data security safeguards. Recent data breaches at UT Southwestern Medical Center and Medical City Healthcare’s parent company, HCA Healthcare, resulted from third-party vendor data security weaknesses.
“We are trying to make sure that the third parties that interact with the different entities in our extended ecosystem are at the same water line,” Mehring says. “That we’re all taking security seriously, playing by similar rules with similar expectations.”
Healthcare facilities were already prime targets for data breaches, but the pandemic made them more vulnerable. COVID-19 pushed care into the digital realm, which was transformational for the industry but created exponentially more access points for hackers, as providers and patients entered sensitive information from home and remote sites. With every email, login, or other digital interaction, risk increases.
Like other businesses, healthcare companies are learning that a culture of data security and well-trained employees can go a long way to prevent breaches. Being savvy about avoiding phishing emails, deploying solid passwords, and ensuring that partners and vendors are on the same page regarding data security can curtail many of the threats. Consistency is critical. “The practitioner has to be right all the time, but the attacker only has to get one right,” Mehring says. “The blocking and tackling of cybersecurity matters.”
Staying ahead of the hackers is a monumental task. Breach opportunities are vast, and incentives are lucrative, especially when foreign governments sponsor hackers. Caring for patients and running a business are the priorities for healthcare leaders, but the potential impact of cyberattacks could be devastating. “Hospitals are particularly vulnerable and typically do not have the money to deploy the right talent and technology necessary to fight these sophisticated groups,” says Matthew Yarbrough, a partner at Michelman & Robinson who specializes in cybersecurity. “Hospitals are the No. 1 target, and we will only continue to see more Texas hospitals attacked.”