A recent New England Journal of Medicine article provides healthcare cybersecurity guidance.
If you think of keeping your healthcare organization’s data secure as an “administrative nuisance,” then you need to think again.
That’s the message of a recent Perspective article that appears in the July issue of The New England Journal of Medicine. The recent attacks against the National Health Service and a Pennsylvania-based organization highlight how cybersecurity needs to be at the forefront of industry leaders’ minds, the article authors wrote.
The threat against healthcare systems, they said, is mounting. Citing a study by the independent Ponemon Institute, the authors said that about 90% of surveyed healthcare organizations have experienced data breaches during the past two years, with 64% saying the attacks were directed toward medical files in 2016. That’s a year-over-year increase in medical-file attacks of 9%.
There’s a reason why medical files are especially valuable to hackers, the authors explained: the information contained in those files is “durable.” Social security numbers, credit card numbers, and insurance information can all be changed; a patient’s medical records cannot. This means hackers can sell this type of information at a premium. The authors cited the example of a hacker who sold 600,000 medical records on the dark web in June 2016.
Many of these attacks, the authors wrote, are of the denial of service (DoS) variety. Hackers behind DoS attacks often demand a ransom for the healthcare system to retrieve its data. They don’t necessarily result in exposure of patient data, but they usually derail business. Hollywood (California) Presbyterian Medical Center recently paid hackers $17,000 to free its data.
There’s also the possibility of outright manipulation of patient files and devices, the authors wrote. They cited a 2015 alert from the Food and Drug Administration (FDA) and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team about an infusion system that could be controlled remotely by hackers.
So what should healthcare system administrators do? The authors have two recommendations: