Article

Guardian of Health: Cybersecurity Landscape in Healthcare

Securing Patient Data in the Digital Age: A Deep Dive into Cybersecurity in Healthcare

March 21st, 2024

Cybersecurity has a critical role in safeguarding sensitive patient information and strengthening the digital infrastructure of healthcare systems.
The intersection of technology and healthcare is shedding a light on the paramount importance of cybersecurity.
From the growing threat landscape to innovative solutions and best practices, cybersecurity serves as the guardian of health, ensuring the integrity, confidentiality, and availability of sensitive information in healthcare systems.

The main questions to address when discussing cybersecurity in healthcare are the following:
Why is healthcare vulnerable?
Why is healthcare targeted?
What threats and consequences is healthcare currently experiencing?
What is the role of legislation and standards?
How can the healthcare sector move forward?

Why is healthcare vulnerable?

Healthcare cybersecurity faces numerous challenges, and its vulnerability is escalating over time. The growing integration of technology, aimed at enhancing patient care, results in an expanding network of connected medical devices. Unfortunately, these devices are often easily accessible, heightening the risk that attackers find exploitable entry points.

A further issue is that a single compromised device can serve as a gateway into the wider hospital network, bypassing perimeter firewalls. Furthermore, there is often a time lag between the occurrence of an attack and the detection of the breach, amplifying the overall susceptibility.

The increasing emphasis on maintaining patient well-being encourages continuous monitoring outside clinical settings, introducing a multitude of devices in the broader healthcare landscape and consequently elevating the risk of security breaches.

Additionally, the widespread adoption of mobile consumer devices, such as smartphones, adds complexity to safeguarding health data, as these general-purpose devices pose inherent risks.

Why is healthcare targeted?

Healthcare has weaknesses that can be exploited, but attackers also need a motive to launch attacks. Political and financial gain, as well as the potential to harm or kill people through cyberwarfare, are all sources of motivation. Of these incentives, financial gain is the strongest. Compared to other types of data, healthcare data has a significantly higher value: a complete set of medical credentials, for example, can sell for more than $1000 on the dark web.

What threats and consequences is healthcare currently experiencing?

Since 2015, hacking has been the primary contributor to health data breaches, with the added complication of malware, including ransomware. Exploiting insufficient security measures, attackers persist in stealing medical health records, obstructing access to health services, and causing intentional harm.

The healthcare sector has witnessed a significant surge in both the frequency and scale of data breaches in recent years, leading to financial losses, damage to reputation, and compromised patient safety.

Unless cybersecurity is integrated from the inception of product or project lifecycles, the risks associated with such breaches are poised to escalate further.

What is the role of legislation and standards?

The General Data Protection Regulation (GDPR) is designed to harmonize data privacy laws across Europe and protect against privacy and data breaches. GDPR applies to all personal data held by an organization. ‘All breaches which may result in a risk to people’s rights and freedoms’ must be reported to the Data Protection Authorities (DPA).

Breaches of health data fall into this category; therefore, they must be reported to the DPA within 72 hours of the breach occurring. Noncompliance risks fines of up to €20m. Other changes include the requirement for all healthcare practices to have a data protection officer and the introduction of extra ‘transparency and fair processing’ legislation, which needs to be reflected in patient privacy notices.

The legislation significantly increases the cost of breaches (due to implemented fines) and may help to increase awareness around privacy issues and the need for improved cybersecurity.

As part of the national data opt-out scheme, patients must be given the choice to opt out of their personal data being shared for purposes other than their individual care. Under GDPR, any request for data from an external organization must be given in clear and easily accessible language, including the purpose for requiring the data. This will allow clinicians to uphold patients’ data preferences.

When it comes to medical devices, the US Food and Drug Administration (FDA) places responsibility for cybersecurity with the medical product manufacturer. The FDA has published pre-market and post-market guidelines that contain recommendations for management of medical device cybersecurity risks throughout the product life cycle. This includes encouraging people to report cybersecurity issues and making it mandatory for manufacturers and device user facilities to report any device malfunction if it poses a risk to health.

How can the healthcare sector move forward?

There is no 100% effective way to prevent all cybersecurity breaches, but cybersecurity must form part of the risk management process and cyber resilience must be ensured. Cyber resilience is a holistic view of cyber risk, which looks at culture, people, and processes, as well as technology.

Several factors have been identified to reduce risk:

Basic cyber-hygiene must be maintained, see the 10 steps from the National Cyber Security Centre. This includes regular, secure backups (essential to maintain resilience and be able to recover quickly if attacked) and keeping software up to date to ensure security patches are in place. Confidentiality must be maintained.

Security must be a core part of the product lifecycle. This requires considering the trade-offs between security and other requirements from the start. Appropriate incentives should ensure that future devices and networks have robust security designed in from the start and that these are not added later in a ‘bolt on’ fashion.

This could be driven by security standards for information management that take into consideration the unique healthcare context, which tends to prioritize availability over confidentiality. Any standards, regulations or rules must minimize the burden on staff and remove the temptation to engage in insecure workarounds.

Cybersecurity should be a key part of the patient care culture as insecure processes must be replaced with more secure, substantive approaches. This means not simply being seen to be secure (for example to comply with regulations) but building security into the culture.

An effective security culture can turn employees into a ‘human firewall’ that helps to protect electronic assets. This includes staff not working while logged in as a domain administrator; no sharing of login credentials; and regular staff training that communicates the risks presented by insecure behaviors and shows how security can be attained without compromising patient care.
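Two of the controls listed above (no shared credentials, no day-to-day work as a domain administrator) are observable in authentication logs. The following Python script is an added example, not code from the article or its authors: it runs two simple checks over a constructed set of logon records. The log format, the account and workstation names, and the list of privileged accounts are all assumptions made for the example; a real deployment would read Windows security events or a SIEM export instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not from any real system).
# Fields: ISO timestamp, account, workstation, logon type (interactive/network).
SAMPLE_LOGONS = """\
2024-03-21T08:00:05Z nurse_a WS-ICU-01 interactive
2024-03-21T08:00:40Z nurse_a WS-ICU-02 interactive
2024-03-21T08:01:10Z nurse_a WS-ICU-03 interactive
2024-03-21T08:01:55Z nurse_a WS-ICU-04 interactive
2024-03-21T08:03:00Z dr_b WS-ED-07 interactive
2024-03-21T08:30:00Z dr_b WS-ED-07 interactive
2024-03-21T09:10:00Z svc_backup FILESRV-01 network
2024-03-21T09:15:00Z admin_c WS-ED-09 interactive
"""

# Hypothetical list of accounts that hold domain-administrator rights.
PRIVILEGED_ACCOUNTS = {"admin_c"}


def parse_logons(text):
    """Parse the constructed log format into (timestamp, account, host, type) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, logon_type = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, host, logon_type))
    return sorted(events)


def find_shared_accounts(events, window=timedelta(minutes=10), max_hosts=2):
    """Flag accounts with interactive logons from more than max_hosts distinct
    workstations inside `window`. One person cannot sit at four terminals at
    once, so this pattern is a strong indicator of a shared password."""
    by_account = defaultdict(list)
    for ts, account, host, logon_type in events:
        if logon_type == "interactive":
            by_account[account].append((ts, host))
    flagged = {}
    for account, logons in by_account.items():
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def find_privileged_workstation_logons(events, privileged=PRIVILEGED_ACCOUNTS):
    """Interactive logons by domain-admin accounts on ordinary workstations
    (hosts named WS-* in this constructed data): the 'not logged in as a
    domain administrator' control from the article, expressed as a check."""
    return [
        (ts.isoformat(), account, host)
        for ts, account, host, logon_type in events
        if account in privileged and logon_type == "interactive" and host.startswith("WS-")
    ]


if __name__ == "__main__":
    events = parse_logons(SAMPLE_LOGONS)
    print("possible shared accounts:", find_shared_accounts(events))
    print("admin logons on workstations:", find_privileged_workstation_logons(events))
```

On the sample data the first check flags `nurse_a` (four ICU workstations within two minutes) and the second flags `admin_c` logging on interactively to `WS-ED-09`. The thresholds are deliberately conservative; tune `window` and `max_hosts` to the ward's real working pattern so that legitimate hot-desking does not drown the alerts.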

It is possible that stronger login mechanisms (e.g., biometric authentication such as retinal imaging, fingerprints, or face identification) could be used to prevent the sharing of logins and passwords.

Conclusions

Cybersecurity is an essential part of maintaining the safety, privacy, and trust of patients. More money and effort must be invested into ensuring the security of healthcare technologies and patient information. Security must be designed into the product from conception and not be an afterthought. Cybersecurity must become part of the patient care culture.

Within the dialogue of risk in the healthcare industry, there are arguments to be made for many solutions. Increasing budget, screening for compromised credentials, and providing security awareness training for all personnel are among them.

Credential screening is perhaps the most efficient because it protects users as well as organizations, and because compromised credentials are an origin point for so many security concerns, whether attacks come in the form of phishing emails or through brute force attacks.

Credential screening would also be highly effective for healthcare organizations, as it would allow employee passwords to be screened continuously without changing the user interface. This would improve the overall cybersecurity posture of the system while still allowing healthcare professionals to focus on patient care.
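To make the credential-screening idea concrete, here is an added Python example (not code from the article or any product it mentions) of a check that can run transparently at logon or password-reset time. It uses the k-anonymity range pattern popularized by breach-lookup services: only the first five hex characters of the password's SHA-1 hash leave the client, and the client compares the returned suffixes locally. The breach corpus here is a constructed stand-in of four made-up entries, and `range_query` simulates the remote service in-process; these are assumptions of the example.

```python
import hashlib

# Constructed stand-in for a breached-password corpus: upper-case hex SHA-1
# digests of passwords "seen in leaks". Fabricated for this example; a real
# deployment queries a breach service or a locally mirrored list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["Password123", "Welcome1", "hospital2024", "letmein"]
}


def range_query(prefix):
    """Simulate the k-anonymity 'range' endpoint: given a 5-character hash
    prefix, return every breached hash suffix sharing that prefix. The full
    password and full hash never leave the client in this pattern."""
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-character hex prefix")
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_compromised(password):
    """True if the password's SHA-1 suffix appears among the suffixes returned
    for its prefix. The plaintext is used only transiently and never stored."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def screen_credentials(accounts):
    """Given {account: password} as captured at logon or reset time, return
    the accounts whose password is known-breached; the caller would force a
    reset for those without any change to the login screen itself."""
    return sorted(account for account, pw in accounts.items() if is_compromised(pw))


if __name__ == "__main__":
    # Constructed sample; the passwords are illustrative, not real credentials.
    sample = {"nurse_a": "Welcome1", "dr_b": "Xq9!vL2#mT7p", "admin_c": "hospital2024"}
    print("accounts needing a reset:", screen_credentials(sample))
```

Because the check only needs the hash prefix, the screening component can sit behind the existing authentication flow and be re-run whenever the breach corpus is refreshed, which is what "screened continuously, without changing the user interface" means in practice. SHA-1 is used here solely because that is the digest the common range APIs are keyed on, not as a recommendation for password storage.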

AUTHOR:

Alexandra Georgeta Sidei

Data Protection Manager

REVIEWER:

Graham Southgate

DPO and Service Quality & Improvement Lead

We support our clients in all topics related to Data Protection & Privacy. Our team of experts can assist you with many local regulations. If you are interested, feel free to reach out to our team for support.