Compliance Does Not Equal Security: 3 Emerging Security Themes in Healthcare
Security is a serious issue for healthcare providers — and one that won’t resolve itself. With close to 100 million healthcare records compromised between January and June at a high cost of $363 per record, IBM labeled 2015 the “year of the healthcare security breach.” Ninety-six percent of industry IT security experts feel vulnerable to a data breach, and 63 percent report having suffered one. Despite these concerns, however, 69 percent feel that meeting compliance requirements is “very” or “extremely” effective in safeguarding sensitive data. Is that confidence misplaced?
The Shortcomings of Compliance
The security and privacy rules outlined in HIPAA established national security standards to protect electronically held and transferred healthcare information. Rolled out alongside meaningful use stipulations, these standards were a critical step in the fight to protect highly confidential digitized information from unauthorized access. However, cyberthreats and the security landscape evolve rapidly, and industry standards cannot keep pace. As more communications are run over networks and more care-critical applications are virtualized in centralized data centers, ensuring security and uptime will become more important. Providers must protect not only data, but also the continuity of care and the availability and performance of digital tools. Endpoints are expanding and growing ever more complex. New approaches in healthcare, telemedicine, at-home care, and mobile health will only increase over the next decade. These developments will amplify current complexities, making end-to-end security even more critical.
The Biggest Threats to Healthcare Security
Healthcare professionals should concern themselves with three major threats today:
If a dialysis machine is connected to the internet, for example, then it is vulnerable to malware — and the consequences of such an event could be deadly. To avert such catastrophes, healthcare organizations must educate all employees and consistently scan the edges of their own infrastructure for weaknesses.
2. Distributed Denial-of-Service (DDoS) Attacks
Imagine an ER doctor consulting with a neurologist as he or she treats a stroke patient. The two are talking via a telemedicine connection when the network suddenly goes down and communication channels close. The result could be devastating, and DDoS attacks can create this kind of situation.
A distributed denial-of-service attack is one of the most prevalent types of security threats today, with a 40 percent increase in DDoS attacks in the second half of 2015 — and they don’t require a high level of technical knowledge to pull off. A DDoS attack consists of an attempt to make a machine or network resource unavailable to its intended users by flooding it with access requests from thousands of unique IP addresses. This type of attack is particularly worrisome for healthcare organizations whose care-critical applications and communications rely on uptime and network performance.
In early 2016, for instance, a large acute care provider called us after experiencing a DDoS attack that nearly took down its entire IT organization. We were able to identify the threat and mitigate it, but this is just one of countless examples where healthcare organizations are targeted by DDoS attacks and left with no or limited access to care-critical tools and information. As more care-critical applications are virtualized, these attacks will become increasingly devastating.