Healthcare providers remain firmly focused on dealing with the global pandemic, juggling the often-conflicting demands of providing care while keeping patients and staff safe. The financial impact of the pandemic has left many providers on the brink of bankruptcy amid falling patient visits deferred elective surgeries, and insufficient government aid to “fill the gap.”
The Office of Civil Rights (OCR) has relaxed rules around telehealth to keep some revenue flowing while anxious patients receive the care they need from home. Many healthcare staff are still working from home, using their personal computer networks and firewalls to access protected health information (PHI).
While these are truly unprecedented times, healthcare organizations must continue to ensure maintaining that their technology infrastructure remains immune to accidental or purposeful data breaches.
In a recent interview, the chief information security officer (CISO) at a Los Angeles hospital summed up his security concerns this way: “Organizations with new remote and hybrid workforces will need to adjust their cybersecurity budget and strategy to accommodate this new normal, working to better protect their assets from evolving risks associated with maintaining a decentralized workforce.
“Additionally, they will need to adjust their strategies around training and awareness, asset management, vulnerability management, identity and access management, as well as data loss prevention, backups and supporting policies,” the CISO said.
The cost of a healthcare data breach recently passed $7 million, so organizations cannot afford to take their “eye off the ball” — even in the midst of a pandemic. A third-party risk assessment of technology makes sense to protect vital resources.
Confluence of factors contributes to danger
Cybercriminals can strike in numerous ways, but many intrusions can be linked to weak security protocols such as when employees at healthcare providers unintentionally infect technology infrastructure with malware by using their cell phones or tablets to connect with an EMR system, informatics system or data exchange.
Healthcare apps can be another point of entry. More than 400,000 healthcare apps are currently available through app stores, but only a small percentage go through a security type review before being launched to the consumer.
Connectivity to Internet of Things (IoT) or Internet of Medical Things (IoMT) devices can open up a provider to attack. A recent analysis or more than 5 million IoT, IoMT and unmanaged devices across several industries, including healthcare, found up to 20% of medical devices running on unsupported or outdated Microsoft Windows platforms.
The same analysis showed that nearly 90% of organizations with devices regulated by the Federal Drug Administration had recall notices on 10 or more devices. The FDA issues a device recall when it is defective or could pose a risk to patient safety, enterprise safety — or both.
There also are inherent risks associated with data exchange among various public health departments on the state and federal levels, increasing the risk of PHI being exposed. And because the systems may not be interoperable, the risk of exposing private patient information is high as clinicians, lab techs and other providers act quickly to share crucial information like test results for tracing and quarantining. Human errors will inevitably occur.
Calm before the storm?
Over the first six months of 2020, 10% fewer healthcare breaches were reported to OCR, with 83% fewer breached records. Before healthcare providers take credit for a job well-done, however, security analysts believe that underreporting plays a critical role at present.
As a healthcare strategist commenting on the report says, “With the likely notion that most healthcare organizations are not accurately reporting attacks and breaches, this draws attention to the fact that there will likely be a dramatic increase in discovery in the next six months.”
In addition to the inherent security issues associated with IoT and IoMT devices, their use has increased in conjunction with the meteoric rise in telehealth visits in the wake of COVID-19 facility shutdowns/slowdowns and relaxed privacy standards.
“Many medical devices continue to use outdated operating systems such as Windows 7, making them an easy entry point into a hospital network for a hacker,” says the CIO of a West Coast hospital. “Add to this the expanded use of telehealth and remote patient monitoring and the plane of entry to a hospital's network is widened further. I only see the situation getting worse unless we take remedial action soon.”
Temporary treatment locations due to an influx of patients and temporary testing facilities also can weaken security protocols. Working with new suppliers and quickly onboarding temporary staff often lead to shortcuts that can result in a breach.
How organizations can protect themselves
Even while dealing with the pandemic, healthcare organizations should be working toward the 2021 implementation of the 21st Century Cures Act and the Trusted Exchange Framework and Common Agreement (TEFCA), both of which seek the secure exchange of healthcare data among providers. Opening up computer networks to greater connectivity also opens them up to the potential for a successful cyberattack.
Regardless of competing priorities, it’s crucial for healthcare organizations to manage their overall risk strategies and risk exposure internally and with covered entities and business associates. The risk exposure continues to be high, with organizations taking on more risk than they should be. That’s why having appropriate industry accreditation is so important to promote adherence to standards and best practices while protecting the security, privacy and confidentiality of patient data.
The impact of a cyberattack can cause lasting damage, particularly when it comes to stakeholder credibility and patient impact. Organizations engaged with third-party entities cannot afford to let down their guard and must remain as vigilant now as they were before COVID-19.