Given the fact that nowadays there are serious issues with cybersecurity within various industries, it’s fair to say that high-tech yet susceptible equipment might be hacked at literally any moment. The survey by Ponemon Institute claims that in 2017, the average number of breached records by country reached 24.089, with India topping the chart with over 33.000 compromised files annually.
Cybersecurity in healthcare is all about patient trust and safety concern. But in reality, things are different. According to the other study by Ponemon Institute, 89% of the interviewed executives from the medical industry admitted that their organization had encountered at least one leak in the last two years. Almost half of the respondents (45%) said that more than five leaks had occurred in their very own institution. For instance, in 2017, 112 million medical records were put at risk in the United States alone. Ransomware attacks have also become a serious threat to the industry.
Just recently, a serious vulnerability in the information security systems has been discovered in one of the medical institutions in Israel. According to the Washington Post, as part of an internal experiment, Israeli researchers developed malicious software that allowed automatic changes to be made in CT and MRI results. The program could add realistic malignant tumors to the images or, on the contrary, remove real tumors from them before these images will be studied by doctors.
As part of the study, three qualified radiologists analysed real photographs of the lungs which were modified by the program. In 99% of cases, when examining these images, doctors discovered malignant neoplasms. Besides, when the program removed real cancerous nodules, the same specialists said that the lungs were fine in 94% of cases.
After giving the doctors a different set of pictures, and informing them that half of them were fake, the proportion of erroneous diagnoses decreased, but not significantly. In 60% of cases, radiologists found cancer in healthy patients, and in 87% they could not identify this deadly desease in real patients.
The malware needs to be implemented in the hospital’s local network, which is often isolated from the Internet but the experiment participants managed to do this without considerable effort. In the evening, one of them went to the radiology department of the hospital, and within 30 seconds he infiltrated the device with the virus: during this time, no staff member managed to detect the breach.
This way, cybercriminals can use such attacks to damage the reputation of a medical institution or actually control the fate of a particular patient — for example, to prevent a person with the disease from receiving critical care for him.
Having said that, let’s enumerate the point to consider when talking about security in healthcare:
- Electronic health records and individual medical devices are all subject to attacks;
- The healthcare industry is particularly vulnerable for a number of reasons: no significant investments in cybersecurity, serious vulnerabilities in existing technology and human factor aka staff behavior;
- Breaches usually result in hundreds of stolen health records and may even paralyze the work of the whole structure;
So what are strategies for improving cybersecurity? Professionals from HealthIT.gov, suggest implementing the following practices:
- Start by establishing a security culture
It’s all about education. Organize cybersecurity training for employees so that every member of the organization is aware of how to properly protect patient data.
- Protected mobility
Just like in any other domain, healthcare professionals use mobile devices at work. A variety of protective measures like encryption ensures that any information on these devices is secure.
- Firewall and antivirus software
Although it goes without saying, any devices connected to the Internet have to be protected by a firewall and continuously updated anti-virus software. It’s worth noting that criminals may go as far as to penetrate into connected medical devices such as ventilators, X-ray and MRI machines, medical lasers and even electric wheelchairs.
- Control over protected information
Provide access to protected information only to those employees who need to use it in their tasks. The staff has to be familiar with common attack patterns within the healthcare industry. Secondly, it would be a good habit if one will utilize two-factor authentication for systems and other applications.
- Backed up files
Ancient Romans said that if one wants peace, it’s better to prepare for war. So, whatever breach may (or may not) happen, any important files should be backed up on a regular basis. This way, data could be restored without delay. Besides, it makes perfect sense to back-up this information away from the central system.
- Update (and regularly change) passwords
The Verizon report claims that about 63% of confirmed data breaches happened due to default, weak or stolen passwords. Thus, healthcare professionals should use sophisticated passwords, and update them frequently.
- Install software carefully
No software, application or any additions to existing systems should be installed without prior consent from the IT department or higher authorities.
In regards to all these facts and statistics, cybersecurity has to be an integral part of the patient care pathway in any medical institution. After all, it’s all about human lives. And I don’t exaggerate: some of the attacks are deadly. The ransomware attack on MedStar Health, a large Maryland-based healthcare system, serves as a “perfect” illustration. This case made all national headlines when it has become clear that it had threatened patients’ lives. Therefore, the healthcare industry has no choice but to improve its capabilities regarding security.