Personal health information is now more valuable than credit card data on the black market. Sara Jost shares three ways the healthcare sector can protect against cyberattacks and their terrible consequences.
Last year saw some of the world’s most high-profile cybersecurity attacks in the history of the Internet. In a study done on data breaches experienced by its clients, insurance firm Beazley reported that the healthcare sector saw an increase of more than 100 percent in ransomware demands in the first half of 2017 alone.
This has continued to escalate in 2018 with no sign of letting up. The world is witnessing public data breaches across multiple industries almost daily, especially in healthcare. Recently in July, Singapore experienced a cyber-attack on SingHealth, Singapore’s largest group of healthcare institutions, which reported that personal data from around 1.5 million patients may be compromised. Any number of factors can result in security breaches, such as untrained staff, old machines and networks, outdated software and small hospital IT budgets, sometimes less than 2 percent of overall operating expenditure. Whether large or small, it is clear that no single organisation is immune to these attacks.
With personal health information now more valuable than credit card data on the black market, these factors underline the critical need for healthcare institutions to have the right protocols in place to protect patient data.
Furthermore, ‘smart’ connected healthcare devices are gaining traction at a rapid pace in Asia and around the world. BlackBerry defines this network of intelligent connections as the Enterprise of Things (EoT), where devices, computers, sensors, trackers, equipment and other ‘things’ change the way the healthcare sector operates and cares for patients. In countries like Singapore and Hong Kong which have ‘Smart Nation’ goals on their national agenda, local hospitals are deploying the latest in healthcare technology, and people are using wearable devices to track their health status.
The benefits of incorporating connected ‘things’ into healthcare ecosystems and the ability to share and collaborate using patient information are clear. They all have the same goal: to enhance the quality of life. Yet this opens the doors and windows to threats that compromise sensitive Protected Health Information (PHI). Ultimately, this can cause reputational damage in the millions of dollars, harm to humans or even death if, for example, a heart monitor, pacemaker or insulin pump is hacked.
As our digital and physical worlds converge, cyberattacks will impact both the online and offline spheres. The management of secure and reliable connectivity must improve at the same pace of change as new connected endpoints are being added. And when it comes to security, we need to stay a step ahead.
Here are three ways the healthcare sector can minimise the risks to information, people and the institutions that care for them.
1. Train your first line of defence, your employees
Employees are often the weakest link in the defence against cybersecurity threats. Research has shown that employees remain oblivious when their actions lead to a data breach. A recent study found that around 500,000 employees in England’s National Health Service used consumer instant messaging (IM) applications to communicate. This included discussing sensitive patient information, such as patient care plans.
A PwC survey also found that only 31 percent of healthcare management are working to provide cybersecurity training for their employees and only another 31 percent mentioned that they have plans to implement protocols for Internet of Things (IoT) devices.
Training employees about the cybersecurity risks of their actions, organisational protocols regarding data management and the rationale for these policies remains key. Healthcare providers could also consider hacking themselves and involving employees in a simulated real-world attack. This will increase awareness among employees of their role in the institution’s cybersecurity defence.
2. Proactively seek out best practices
Apart from ensuring that employees are educated about the role they play, healthcare institutions should be proactive in seeking best practices in the industry. Conducting cybersecurity audits to understand how they can better secure their systems is essential to ensure that they are updated on the latest developments and tools.
One approach is to use Extend-Endpoint-Management and ‘Unified-Endpoint Management’ (UEM) capabilities. This provides the capability to manage any phone, tablet or connected device, offering simplified, secure management and more control. With strong inter-operability, it can also help to connect and protect legacy systems, reducing costs and the complexity of completely replacing them.
Data encryption is at the heart of any best practice strategy, with the aim of barring malicious hackers from accessing private patient data. A good example of this is the Melanoma Institute Australia, which has successfully trialled BlackBerry Workspaces, a secure data storage and collaboration platform. It has been implemented to help researchers and doctors collaborate and share data in a trusted, encrypted environment to help advance research on the killer disease.
While such data encryption protocols are vital to the protection of confidential data, healthcare providers must not overlook day-to-day operations that may increase data breach risks. This can be as simple as healthcare workers storing passwords in a spreadsheet that is accessible to non-privileged workers or hackers.
Any cybersecurity audit conducted by healthcare institutions should consider all possible points at which data could be compromised, and work towards securing them.
3. Manage your vendors
Going beyond what healthcare management can do to secure their systems, it may also be worthwhile to look outward and consider how vendors can contribute to the process. Vendors of smart health devices should be held accountable for making their devices easy to secure. On top of that, healthcare practitioners are encouraged to work language into vendor contracts that requires vendors to provide security updates and timely support.
The responsibility of protecting patient data rests on both parties. Vendors should build cybersecurity practices into their manufacturing, while healthcare practitioners should advocate cyber-secure practices that allow them to share information quickly and securely.
Despite the potential threats posed by IoT in the healthcare sector, we must continue to rapidly embrace new connected technologies, whilst protecting them. Just think about robotic equipment already assisting millions of surgeries, and the collaboration of patient data transfer and research results around the globe.
The potential for the ‘Enterprise of Things’ in healthcare is infinite – and we have come so far, which makes the future even more exciting. For the EoT to flourish, adequate protocols – from regulation to software tools to training and sharing best practices – must be prioritised by the industry to improve care for humanity, both physically and digitally.
Sara Jost is the global healthcare industry lead at BlackBerry