“Houston, we have a problem.” This is not news to healthcare organizations, whether they are in Houston, Boston, St. Louis or San Francisco. 2015 was a banner year in healthcare, for all the wrong reasons. The increasing number of attacks on healthcare systems exposed security shortcomings: many unsecured attack vectors, compromised sensitive data and the possibility of catastrophic consequences.
2016 will bring more of the same. Healthcare organizations must speed up their security efforts to avoid putting their patients, and themselves, at risk. There were multiple data breaches in 2015—Anthem and Premera among them—as well as a well-publicized ransomware attack on Hollywood Presbyterian Medical Center. 2016 will continue those trends. In fact, the Hollywood Presbyterian attack could have been the proving ground for that ransomware, which may be put into larger, more costly attacks in 2016.
Fortunately, there is growing recognition among healthcare leaders that security needs to be at the top of their “must do” list. Firewalls are no longer enough to protect patient information. The expansion of the Internet of Medical Things has resulted in a borderless network perimeter. There are devices in use in multiple locations that must be secured, including:
Any one of these devices could provide a vector for attack. The FDA is looking more at medical devices and security needs. It said in January that, "A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.”
Patients care about their privacy and want to make sure their information is protected. That being said, attitudes are changing around healthcare outcomes. If the outcome is valued, then compromising data privacy is much more readily accepted. Think about it from a non-healthcare context. Content-aware search engines that deliver banner ads related to a recent search query drives the feeling that “big brother” is watching and very few people value this level of compromise. The same content-aware search engine, however, can also tell you that it’s time to check in for your recently purchased flight and many people find this feature valuable. It’s the same data privacy invasion, but with entirely different outcomes. That makes privacy more challenging for healthcare organizations. Expect more conversations on this in 2016 too.
The reality is that the risks inherent in data breaches and attacks are real and they are severe. Once an attacker has access to the main system, they could install malware, slow system access to a crawl, gather sensitive patient information or take control of devices and put patient lives at risk. The best way to protect all of the sensitive information (and, by extension, the people in sensitive situations behind that data) is a layered security architecture. There need to be advanced threat protection tools, segmentation firewalls, malware/antivirus protections and more.
This year’s HIMSS conference continued the discussions and work that kicked off last year. Security was a huge focus, with many conversations in presentations and the show floor about attack risks and security options. Now, action must be taken. I encourage healthcare providers to try not to be overwhelmed when thinking about and planning for security. Engage some experts and take their recommendations seriously. Implement as many security measures as you possibly can, including internal segmentation and multiple layers of security. And continue adding, revisiting and tweaking your security to ensure the best possible protection against the continuing complex and sophisticated attacks.