How healthcare tech professionals can protect sensitive data in the new era of cyberthreats.
The healthcare industry is undergoing a pivotal digital transformation, moving from antiquated methods of storing patient information to adopting new data-intensive diagnostic and treatment applications. At the same time, healthcare institutions face enormous pressure to grow profits, comply with privacy regulations, optimize patient care, and improve interoperability with payers, suppliers, delivery partners, academic institutions, and patients.
The sheer volume of sensitive healthcare data is growing and spreading across physical locations, computing devices, and networks (including private and public clouds).
Important new healthcare applications like telemedicine, remote patient monitoring, and virtual- and assisted reality-based training are adding to the flood of data.
Other emerging technologies like artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT), and blockchain further complicate the puzzle – all as more users clamor to access that data. Meanwhile, the industry is besieged by a flood of new cyberthreats, including privacy breaches, ransomware attacks, and cryptojacking campaigns. It has never been a more complex time to try to maintain the availability, accessibility, and privacy of healthcare data.
Cybercriminals and hostile state actors have aggressively targeted the healthcare industry, exploiting the fact that malware attacks like ransomware are especially effective when access to sensitive data is a matter of life and death. This explains the rash of high-profile ransomware attacks on hospitals in recent years, including the National Health Service in the UK, Hancock Health, Adams Memorial Hospital, MedStar Health, Erie County Medical, and many others. Data breaches in the sector are a regular news item, with hundreds of millions of sensitive patient records and payment records stolen every year. The industry also sits in the crosshairs of compliance authorities focused on privacy regulations including the USA’s Health Insurance Portability and Accountability Act (HIPAA) and the European Union’s General Data Protection Regulation (GDPR). Industry players are also at risk of violating credit-card regulatory standards like the Payment Card Industry Data Security Standard (PCI DSS).
The growing reliance on electronic patient data has further heightened the importance of non-stop availability. In addition to the obvious threat to patient safety that downtime represents, it can be costly enough to pose an existential threat to the viability of healthcare institutions. Meanwhile, IT departments at healthcare institutions suffer the same challenges that afflict all industries: growing infrastructure complexity, the difficulty of recruiting and retaining skilled staff, the ongoing migration of applications to private and public clouds, the proliferation of mobile devices like smartphones and tablets, the advent of IoT sensors, asset trackers, and web cameras, the need to conduct near-real-time analytics on new data, and pandemic-driven challenges like the need to secure the data of remote staffers working from home and increased use of telemedicine applications.
Survival in the face of these challenges requires a new Cyber Protection approach to safeguarding data:
– Data Safety: Ensuring that a reliable copy of data is always available
– Accessibility of Data: Making data easily available from anywhere at any time
– Privacy: Controlling who has visibility and access to your data
– Authenticity: Creating undeniable proof that copies of data exactly replicate the originals
– Security: Protecting data, applications, and systems from malicious threats
Cyber protection principles in the face of seven key challenges to the healthcare industry:
1. Addressing data breaches
2. Protecting against malware threats like ransomware and cryptojacking
3. Meeting compliance requirements
4. Migrating critical applications and storage to public and private clouds
5. Delivering constant data availability
6. Incorporating mobile devices
7. Strengthening data protection without adding infrastructure complexity
THE STATE OF HEALTHCARE IT
Data protection and security remain a top priority for today’s healthcare organizations. In its study of data breaches, the cybersecurity firm Protenus found that the pace of healthcare industry attacks was more than one breach per day in 2017. The same year, 5.6 million patient records were breached and it took an average of 308 days for an institution to even discover that a breach had occurred.
Curtailing the number of healthcare data breaches requires layers of IT infrastructure security around physical servers, virtual machines (VMs), cloud services, desktops, laptops and other mobile devices. Basic countermeasures include anti-malware protection on endpoints, defenses against external network threats using firewalls, and network segmentation via VLANs or software-defined networking to limit the propagation of attacks across internal networks. Data protection in the form of backup and disaster recovery is essential in the event that an attack damages, destroys, or denies access to sensitive data. This requires secure, ideally encrypted backup and storage both on premises and in the cloud.
According to most security researchers, the two most pervasive malware threats in recent years to afflict the healthcare industry are ransomware and cryptojacking.
Ransomware infects healthcare servers, desktops, and mobile devices (usually by a user clicking on a malicious link or attachment in a phishing email), encrypts any data it finds, and then demands an online payment for the decryption key necessary to unlock the victim’s files. Without countermeasures to detect and terminate ransomware attacks, or the ability to restore from a recent backup, many healthcare institutions have suffered downtime that has threatened patients’ lives and cost millions of dollars in lost productivity and remediation costs.
Cryptojacking is a less overt but growing type of cyberattack in which infected healthcare machines become zombies in botnets that mine cryptocurrency on behalf of cybercriminals. The malware only steals resources from its victims – computing cycles, memory, electricity, and cooling – but the resulting energy costs and wear and tear on systems add up. In addition, cryptomining malware often injects other threats such as ransomware into the system it infects.
Regulatory scrutiny of the healthcare industry has helped make it a favorite target of cybercriminals wielding malware like ransomware. The risk of compliance violations caused by sensitive patient data being locked up by a ransomware attack makes victims likelier to promptly pay the extortion in order to regain access to the data. For the second straight year, ransomware attacks accounted for over 70% of all malware incidents in the healthcare sector, according to the “2019 Verizon Breach Investigations Report.” Ransomware attacks are now often preceded by data exfiltration (the so-called “double extortion attack”) so cybercriminals can threaten to leak sensitive data online if the ransom is not swiftly paid.
APPLICATION AND STORAGE MIGRATION TO THE CLOUD
Like most industries, healthcare is in the middle of a long journey to migrate its core applications and data to a mix of public and private cloud infrastructure. The goal is to cut costs, swap depreciating capital assets for predictable service costs, and improve data accessibility and sharing from any location or device. However, many institutions struggle with the challenges of safely moving storage and data protection resources to the cloud while maintaining data privacy and regulatory compliance.
The healthcare industry has obvious reasons to value high and continuous data availability: patient health and survival often depend on it. From a backup and recovery perspective, this requires that healthcare IT professionals pay close attention to two metrics: the Recovery Point Objective (RPO) and Restore Time Objective (RTO). RPO defines how much information an institution can afford to lose at any given moment: in effect, how frequently it needs to create backups of its critical data. RTO reflects the amount of downtime an institution can endure between the time of a data failure event and successful recovery from it. Most institutions can easily identify which applications require more stringent RPOs and RTOs, and which ones can abide greater data loss and longer recovery times.
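The following is an added example, not part of the original paper: a small audit that compares each application's worst gap between successful backups against its RPO, and its last measured restore drill against its RTO. The application names, objectives, timestamps and drill durations are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed per-application objectives (hypothetical tiers).
OBJECTIVES = {
    "ehr-db":       {"rpo": timedelta(minutes=15), "rto": timedelta(hours=1)},
    "pacs-imaging": {"rpo": timedelta(hours=4),    "rto": timedelta(hours=8)},
    "hr-portal":    {"rpo": timedelta(hours=24),   "rto": timedelta(hours=48)},
}
# Constructed log of successful backups: (application, completion time).
BACKUP_LOG = [("ehr-db", f"2024-01-01T{t}") for t in
              ("10:00", "10:15", "10:30", "11:15", "11:30", "11:45", "12:00")]
BACKUP_LOG += [("pacs-imaging", f"2024-01-01T{t}") for t in ("04:00", "08:00", "12:00")]
BACKUP_LOG += [("hr-portal", "2023-12-31T13:00")]
# Constructed restore-drill results: measured time to bring the app back.
RESTORE_DRILLS = {"ehr-db": timedelta(minutes=40), "pacs-imaging": timedelta(hours=10)}
WINDOW_END = datetime.fromisoformat("2024-01-01T12:00")

def worst_gap(timestamps, window_end):
    """Longest stretch without a completed backup, i.e. worst-case data loss."""
    ts = sorted(timestamps) + [window_end]
    return max(later - earlier for earlier, later in zip(ts, ts[1:]))

def audit(objectives, backup_log, drills, window_end):
    """Return {application: [issues]}; an empty list means both objectives are met."""
    findings = {}
    for app, obj in objectives.items():
        stamps = [datetime.fromisoformat(t) for a, t in backup_log if a == app]
        issues = []
        if not stamps:
            issues.append("no successful backup in window")
        else:
            gap = worst_gap(stamps, window_end)
            if gap > obj["rpo"]:
                issues.append(f"RPO exceeded: worst gap {gap} > {obj['rpo']}")
        drill = drills.get(app)
        if drill is None:
            # An RTO that has never been tested is only a hope, so flag it.
            issues.append("RTO unverified: no restore drill")
        elif drill > obj["rto"]:
            issues.append(f"RTO exceeded: restore took {drill} > {obj['rto']}")
        findings[app] = issues
    return findings

if __name__ == "__main__":
    for app, issues in audit(OBJECTIVES, BACKUP_LOG, RESTORE_DRILLS, WINDOW_END).items():
        print(app, "OK" if not issues else "; ".join(issues))
```

Measuring the gap up to the end of the audit window matters: a job that silently stopped running shows up as a growing gap even though every backup that did run succeeded.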
The advent of ubiquitous employee-owned devices in healthcare has brought several benefits to the industry, including improved staff productivity and collaboration. The increase in staffers working from home also exposes work devices to risks from consumer devices that share the same home networks. Working from home also means that sensitive data is now likelier to be stored on non-company devices that are more easily compromised, lost, or stolen.
SIMPLIFIED CYBER PROTECTION
As in many industries, healthcare IT managers are struggling to staff their operations with skilled professionals, so eliminating operational complexity has become a top priority. This is particularly important for routine operational issues like data protection. Deploying multiple systems to manage a diverse IT environment and requiring highly skilled engineers to run it is sub-optimal.
Many successful data breaches occur because an outdated version of an operating system, database or application was exploited by malware. Addressing known cybersecurity vulnerabilities by regular vulnerability scanning, identifying what software needs to be upgraded or patched, and then automating the process of installing those upgrades and patches, has also become paramount.
The combination of rapid digital transformation, surging data volumes, growing interoperability needs, increased scrutiny from shareholders and regulators, pandemic-driven remote-work and cybersecurity issues with telemedicine make this a precarious time for the healthcare industry. Balancing the simultaneous delivery of data safety, accessibility, privacy, authenticity, and security is a delicate task, especially when faced with armies of cybercriminals determined to steal valuable healthcare data and hold it for ransom. Healthcare institutions are expected to enable complex new applications, drive down costs, and improve patient outcomes – all while fighting off broad IT and cybersecurity challenges like staff retention, cloud migration, and the proliferation of mobile and IoT devices. Healthcare business and tech leaders should seek cyber protection solutions that can simultaneously address backup, disaster recovery, anti-malware, vulnerability scanning and patch management issues and effectively leverage the power of AI, integration, automation and blockchain technologies.