While 2016 was an incredible year for innovation in healthcare technology, from a security standpoint it was a challenging one: last year a healthcare breach happened once a day on average, affecting 27,314,647 patient records, according to a report by Protenus.
The consequences of these breaches are not cheap: over the past few months alone, healthcare organizations in violation of HIPAA have paid millions of dollars in fines. In February, a Miami, Fla.-area non-profit paid $5.5 million to settle a HIPAA case, while a Dallas-area hospital had to pay a $3.2 million HIPAA penalty, MSPmentor reports.
With stakes this high, it makes sense that healthcare providers are treating privacy and security as one of their top priorities in 2017, according to a report released last week by HIMSS at its annual conference.
“The big challenge for all healthcare organizations is protecting patient data,” Jeff Schilling, Armor chief of operations and security, said in an interview with Talkin’ Cloud.
“Big pharma, hospitals and people who do critical research are starting to put a lot of investment in cybersecurity and making sure they’re doing the right thing,” Schilling said. “Some because they’ve learned the hard way and paid for huge fines for breaches and some because they are thinking ahead and trying to make those investments.”
Schilling has worked as CSO at Armor since May 2014. Previously, Schilling served as director of global incident response for SecureWorks (formerly Dell SecureWorks), but he got his start in cybersecurity serving in the U.S. military.
“I always like to say that I kind of cut my teeth in security with probably the biggest cybersecurity problem in the world: trying to run the global SOCs for the DoD in the Army,” he said.
Shadow IT Plagues Healthcare CIOs
Armor (formerly FireHost) provides PCI- and HIPAA-compliant solutions. Some customers cross over both areas, Schilling said, as healthcare providers require PCI-compliant payment processing. But a growing area of Armor’s business is securing the “business applications that are popping up to support healthcare,” Schilling said.
Healthcare cloud applications are targeting doctors and nurses directly, and not going through CIOs, which is causing security headaches, Schilling said. Indeed, a quick search for medical office software on SoftwareAdvice.com pulls up more than 300 cloud-based options, many of which can be spun up with nothing more than a credit card number.
“The productivity of doctors and nurses is very high because most of them are walking around with iPads and sometimes even their phones themselves with an app on it that allows them to track patient information and patient data; that data has got to go somewhere and it’s got to be secure and meet all the regulations with HIPAA,” he said.
A survey released in November by Scrypt found that 83 percent of healthcare professionals have sent or received PHI via mobile message, and of those, 70 percent said they had done so using a non-secure application, such as iMessage or WhatsApp. Sixty-nine percent of U.S. healthcare respondents to a recent survey by Thales said that they have used SaaS apps at work.
“Most of these SaaS companies are small startup companies…they’re great at writing applications and improving the productivity of the doctors but what they lack because they’re a small company is the ability to secure that data, and that’s the role that we play,” he said.
With more apps and connected devices targeting healthcare professionals and hospital systems, the healthcare cybersecurity landscape is poised to get a lot more complex, which makes the lengthy deployment times in healthcare IT unrealistic.
“You’ve got to look at the business owners’ point of view and their time to market and improving productivity; sometimes the CIO offices can be very bureaucratic,” Schilling said. “[It] can take anywhere from a year to 18 months for very, very large systems. You’ve got to figure out how the business owner meets the CIO somewhere there in the middle.”
Cybersecurity Challenges in Healthcare
As the prevalence of shadow IT within the healthcare industry shows, internal threats are a major concern.
The American Hospital Association (AHA) urges its members to invest in cybersecurity and to dedicate part of those resources to raising awareness and training employees, an important piece in eliminating threats from internal parties. Most hospital staff are not familiar with “elementary good practices and the common mistakes to avoid,” according to the State of Cybersecurity & Cyber Threats in Healthcare Organizations report. “In addition, they show a weak risk awareness and understanding of the threat landscape increasing the hospital vulnerability to cyberattacks.”
According to Peter Marsh, senior manager of corporate IT and security services at Hostway, internal actors have been one of the biggest cybersecurity challenges for healthcare organizations, but this could shift as more Electronic Health Records (EHRs) go online. Hostway recently went through the process of receiving approval from independent external auditors that its solutions meet HIPAA controls.
“Primarily the issues with security in healthcare have been very strongly towards internal actors. Either intentionally or unintentionally the employees of those companies have been by and large the vector through which that information gets out,” Marsh said. “I think that is going to start to shift as the value of that information is considerably higher than say a stolen credit card. The healthcare record is 10-20x more valuable than a credit card on the black market.”
So why are healthcare records so much more valuable than credit cards on the black market?
“The reason that they’re so much more valuable than a simple credit card is because a credit card can easily be cancelled,” Marsh said. “You can’t cancel your personal information that’s in a health record. It’s very costly and very difficult to remediate these sorts of identity thefts.”
“Most people are concerned about information in their health records, something that might be embarrassing that they wouldn’t want out, but that’s not really what those compromised records are being used for,” he said. “They’re primarily being used for identity theft, but also identity theft to allow things like insurance fraud, fraudulent health claims against their insurers. You could potentially try to receive drug benefits that are due to them so obviously there is an illicit trade in prescription drugs.”
Talent Gap Provides Opportunity to Security Providers
If you work in cybersecurity or have tried to hire someone in cybersecurity lately, you know just how hard it can be. And for hospitals, it can be even more challenging, Schilling said.
“The biggest challenge for people in the healthcare industry is attracting the talent to be a part of their security teams,” he said. So despite the array of tools and controls available to hospitals and healthcare organizations for protecting patient data, many struggle with strategy and with employing those capabilities effectively.
“The tools themselves don’t protect the hospitals or the SaaS applications; it’s the people orchestrating those tools that provide the protection for them,” he said.
According to KPMG, in 2015 almost one-fifth of healthcare providers in the U.S. did not have a leader responsible for information technology security and 25 percent of facilities did not have a security operations center to identify and evaluate threats.
Hostway’s Marsh said the talent gap coupled with the costs of managing a 24/7 security operation is pushing many healthcare organizations to look for help from partners.
“There is a massive talent gap within security. The attack surface and the threats are growing constantly and there’s a huge lack of people in the industry. Even extremely seasoned IT people don’t necessarily have the experience necessary to deal with cybersecurity,” Marsh said. “I think that we act as a force multiplier for those companies. They may have people internally but the threats are so constant, it’s a 24/7 operation, you have to be watching it all the time.”
The good news for providers is that the healthcare industry is poised to spend more this year on cybersecurity. According to Thales, 81 percent of U.S. healthcare organizations and 76 percent of global healthcare organizations will increase information security spending in 2017.