By Tom Gilheany, Product Manager, Learning@Cisco
Data breaches could be costing the healthcare industry $6.2 billion, and nearly 90 percent of the healthcare organizations covered in The Ponemon Institute’s May 2016 study endured a data breach in the past two years. Forty-five percent had more than five data breaches in that period, with the average cost of a cyberattack totaling $2.2 million. The data contained in electronic health records (EHRs) is often cited as the reason healthcare is such an attractive target in the eyes of a hacker.
EHRs A Target
HITECH, or the 2009 Health Information Technology for Economic and Clinical Health Act, made EHRs the norm. These electronic medical records contain a great deal of personal and clinical data, along with directly monetizable information such as credit card numbers and insurance billing details. As a result, they can fetch around $15 each on the black market.
So hacks of hundreds of thousands, or even millions, of patient records yield some pretty big numbers, and thefts of this magnitude are happening all too frequently. Hackers made off with more than 2.2 million patient records from Fort Myers, FL-based 21st Century Oncology in March 2016. A month later, someone stole a laptop from Premier Healthcare LLC that held 205,748 unsecured (that is, unencrypted) patient records.
You might assume all these valuable records would be highly secured. But unfortunately, you’d be wrong.
The speed at which U.S. healthcare organizations moved to digitize health records consumed a great deal of IT time and money, and there often weren’t many resources left over to secure those records. The strain on IT resources could increase as the effects of the proposed repeal of the Affordable Care Act trickle down.
“While it is not clear how, or even if, this will impact security and privacy regulations, it is certainly going to lead to a higher level of uncertainty,” healthcare compliance company Ostendio recently blogged. “As a result, you may see some regulated organizations continue to be slow in adopting a greater security posture as they wait to see how things will turn out.”
That’s unfortunate because, as HIMSS notes, “Cybersecurity attacks have the potential to yield disastrous results for healthcare providers and society as a whole.”
Ransomware, an attack in which hackers encrypt an organization’s data and demand payment for the key that unlocks it, is yet another problem healthcare needs to address. There was an average of more than 4,000 ransomware attacks per day in the first quarter of 2016, according to a Deloitte report. That was a 300 percent increase from the 1,000 ransomware attacks per day in 2015.
Securing EHRs and guarding against ransomware are just two cybersecurity concerns healthcare needs to address. The growing use of connected devices to treat patients also significantly raises the stakes of cybersecurity related to healthcare.
Hacks of connected devices such as glucose monitors, heart monitors, and tools used in medical procedures are not just troublesome from a cost and data security standpoint; they could have life-and-death implications. The Federal Communications Commission recently proposed that IoT device suppliers design security into their products. Of course, this is just a suggestion, and getting the necessary practices and requirements in place will take time.
Addressing device security is only part of the challenge, however. Securing the networks that carry data between devices, and between those devices and the databases and management systems behind them, is also essential.
Rules And Regulations
Of course, there are already some cybersecurity rules in place. The Cybersecurity Act of 2015 encourages voluntary sharing of cyber threat information between private entities and the federal government, as well as among federal agencies. The scope and language of that law are very general.
Now the incoming administration, which voiced interest in cybersecurity during the presidential campaign, has the opportunity to add some meat to these bones. It is not expected to be heavy-handed with regulations in general, but the high-profile subject of cybersecurity could be the exception.
Indeed, President Trump was expected to sign an executive order on cybersecurity, and The Washington Post circulated a draft of the order. But, for unexplained reasons, the president opted not to sign it as expected on Jan. 31. He did, however, hold a press conference that day on the importance of cybersecurity, so we’re likely to hear more about it soon.
Whoever takes the lead, authoring cybersecurity regulation is a chance to make a mark on a high-profile issue that’s getting a whole lot of attention, and we’ve already seen a fair amount of movement on this front elsewhere.
Australia has developed a national strategy through which the government and private sector work together to address cybersecurity. Last year it issued a white paper describing the major risks and initiatives on this front, and a few years ago it created the Australian Cyber Security Centre to make the country’s networks harder to compromise.
Meanwhile, the European Union has approved cybersecurity rules requiring businesses to strengthen their defenses. The rules require organizations in select verticals to report attacks and set out how EU member states must cooperate on network security matters. The EU also has very strong privacy rules, which will get a further boost when the General Data Protection Regulation (GDPR) takes effect in May 2018.
And at least 28 U.S. states considered or introduced cybersecurity legislation last year, according to The National Conference of State Legislatures. Most of these laws and bills address infrastructure and government agencies, but some of them specifically target the interests of businesses.
For example, California made it a crime to knowingly introduce ransomware into any computer, computer system, or computer network. A new law in Colorado calls for the creation of a state cybersecurity council to provide policy guidance to the governor and to coordinate with the general assembly and the judicial branch on cybersecurity. Utah has enacted civil penalties for hackers, and Washington has established the State Cybercrime Act.
That said, organizations with a stake in cybersecurity and related regulations, which is to say most organizations, need to be ready for what’s happening on this front. Businesses that aren’t already involved in the cybersecurity discussion may want to start voicing their opinions and getting involved now, before regulatory decisions are cemented.
At the same time, businesses should keep in mind that regulations typically lag technology by three to four years. Compliance is therefore a floor, not a ceiling: smart organizations will take additional steps to ensure they are as secure as their own risk assessments say they need to be.
About The Author
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background spanning startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions with over a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom holds a CISSP and an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.