Data breaches could be costing the healthcare industry $6.2 billion per year, and nearly 90 percent of the healthcare organizations covered in a May 2016 Ponemon Institute study had endured a data breach during the previous two years. Forty-five percent had suffered more than five breaches in that period, and the average cost of a cyberattack was $2.2 million. The data held in electronic health records (EHRs) is often cited as the reason healthcare is such an attractive target for attackers.
EHRs a Target
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act made EHRs the norm. Beyond clinical data, these records hold valuable information such as credit card numbers, insurance billing details, and other sensitive content. As a result, they can fetch around $15 each on the black market.
So a breach of hundreds of thousands, or even millions, of patient records adds up quickly, and thefts of this magnitude are happening all too frequently. Hackers made off with more than 2.2 million patient records from Fort Myers, Florida-based 21st Century Oncology in March 2016. A month later, someone stole a laptop containing 205,748 unsecured patient records from Premier Healthcare, LLC.
You might assume all these valuable records would be highly secured. But, unfortunately, you’d be wrong.
The speed at which U.S. healthcare organizations moved to digitize health records consumed a great deal of IT time and money, and there often weren’t many resources left to secure those records. That strain on IT resources could increase as the effects of a proposed repeal of the Affordable Care Act trickle down.
“While it is not clear how, or even if, this will impact security and privacy regulations, it is certainly going to lead to a higher level of uncertainty,” healthcare compliance company Ostendio recently blogged. “As a result, you may see some regulated organizations continue to be slow in adopting a greater security posture as they wait to see how things will turn out.”
That’s unfortunate because, as the Healthcare Information and Management Systems Society (HIMSS) notes, “Cybersecurity attacks have the potential to yield disastrous results for healthcare providers and society as a whole.”
Ransomware, malware that encrypts an organization’s data and demands payment for the key needed to restore it, is yet another problem that healthcare needs to address. There was an average of more than 4,000 ransomware attacks per day in the first quarter of 2016, according to a Deloitte report, a 300 percent increase over the 1,000 attacks per day seen in 2015. Since paying does not guarantee recovery, tested offline backups remain the most reliable defense.
Securing EHRs and guarding against ransomware are just two cybersecurity concerns that healthcare needs to address. The growing use of connected devices to treat patients also significantly raises the stakes of cybersecurity related to healthcare.
Hacks of connected devices such as glucose monitors, heart monitors, and tools used in medical procedures are not just troublesome from a cost and data security standpoint; they could have life-and-death implications. The Federal Communications Commission recently proposed that IoT device suppliers design security into their products. Of course, this is just a suggestion, and getting the necessary practices and requirements in place will take time.
Addressing device security is only part of the challenge, however. Securing networks that carry data between devices, as well as between databases and management systems, is also essential.
Rules and Regulations
Of course, there are already some cybersecurity rules in place. The Cybersecurity Act of 2015 encourages voluntary sharing of cyberthreat information between private entities and the federal government, as well as among agencies of the federal government. The scope and language of that law are very general, however.
Now the new U.S. administration, which voiced interest in cybersecurity during the presidential campaign, has the opportunity to add some meat to these bones. While the incoming administration is not expected to be heavy-handed with regulations, the high-profile subject of cybersecurity could be the exception.
Indeed, President Trump was expected to sign an executive order on cybersecurity. In fact, The Washington Post circulated a draft of the order. But, for unexplained reasons, the president opted not to sign the order as expected on January 31. He did, however, hold a press conference that day talking about the importance of cybersecurity. So, we’re likely to hear more about that soon.
Whoever takes the lead, authoring cybersecurity regulations is a chance to make a mark on a high-profile issue that’s getting a whole lot of attention. We’ve already seen a fair amount of movement on this front.
Australia has developed a national strategy through which the government and private sector are working together to address cybersecurity. Last year, it issued a white paper describing major risks and initiatives on this front. And a few years ago, it created the Australian Cyber Security Centre (ACSC) to make the country’s networks harder to compromise.
Meanwhile, the European Union has approved the Network and Information Security (NIS) Directive, cybersecurity rules requiring businesses to strengthen their defenses. It requires organizations in select sectors to report attacks and emphasizes how EU nations must cooperate on network security matters. The EU also has very strong privacy rules, which will likely get a boost from its General Data Protection Regulation (GDPR), which applies from May 2018.
And at least 28 U.S. states considered or introduced cybersecurity legislation last year, according to the National Conference of State Legislatures. Most of these laws and bills address infrastructure and government agencies, but some of them specifically target the interests of businesses.
For example, California has made it a crime to knowingly introduce ransomware into any computer, computer system, or computer network. A new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor. That council will also coordinate with the general assembly and the judicial branch regarding cybersecurity. Utah has enacted civil penalties for hackers, and Washington has established the Washington Cybercrime Act.
That said, organizations with a stake in cybersecurity and related regulations—which is to say most organizations—need to be ready for what’s happening on this front. Businesses that aren’t already involved in the cybersecurity discussion may want to start voicing their opinions and getting involved now, before cybersecurity regulatory decisions are cemented.
At the same time, businesses should keep in mind that regulations typically lag behind technology by three to four years. That means they need to go beyond simply complying with cybersecurity regulations. Smart organizations will take the additional steps needed to be as secure as their own risk assessments say they must be.
What's your personal state of health when it comes to cybersecurity? Learn more about Cisco's Cyber Ops training option.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.