Cybersecurity Threats and Challenges in the Healthcare Industry
The pandemic has challenged the resilience of the entire global healthcare information system. There has been a sharp increase in cyberattacks on hospitals, pharma companies, the U.S. Department of Health and Human Services (HHS), the WHO and its partners, and several others.
In a webinar organized by GAVS with leaders in the healthcare and cybersecurity space, the leaders discussed why and how this needs to be addressed on a war footing and how to establish future-proof defense mechanisms. This blog captures some of the key discussion points and takeaways from this webinar on ‘Cybersecurity Threats & Challenges in the Healthcare Industry’. The link to the entire webinar is available at the end of the blog.
The webinar was moderated by Shivakumar D, a Lead Consultant at GAVS Technologies. Mr. Chandra Shekar Pandey and Ms. Kavitha Srinivasulu joined him to discuss the topic in detail. With over 20 years of experience, Mr. Chandra Pandey works with customers to define and address problems, implications, consequences, and solutions of defending corporate assets in today’s highly connected enterprise. Kavitha Srinivasulu heads cybersecurity services for Healthcare at GAVS and has extensive experience in enterprise cybersecurity, risk management, data privacy, information protection, compliance, etc.
Vulnerabilities in the Healthcare Industry
While several industries globally face the challenge of cyberattacks, the healthcare industry is still not equipped with the sophisticated tools and strategies that can help prevent them. Of the various kinds of cyberattacks, ransomware is one of the most common threats to the healthcare industry. Cybercriminals can now swiftly sell patient medical and billing information on the dark web for insurance or other fraud purposes. Trustwave, for instance, reports that a healthcare data record can be valued at up to USD 250 per record on the black market. While other industries also face such threats and attacks, here are some of the reasons why healthcare is targeted on such a grand scale:
- Even when backups exist, healthcare organizations are willing to pay the ransom to prevent the data from being misused, because of the sensitivity of the data
- The use of legacy systems increases the vulnerability of the data
- Lack of clarity on the ownership of data
Role of HIPAA in Healthcare
All players in the healthcare industry are mandated to take appropriate measures to secure the privacy of the personal health information they gather and maintain. Industry regulations came into effect to ensure that there is no confusion about the ownership of data and liability in case of a breach. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was introduced to cover various aspects of data protection, including establishing national standards for electronic healthcare transactions. HIPAA protects sensitive patient health information from being disclosed without the patient’s knowledge or consent. For healthcare players to remain compliant, these are some of the requirements that HIPAA lists:
- Organizational requirement – A compliance committee or compliance officer designated to ensure that the business adheres to the standards and regulations
- Employee training – Ongoing employee training to spread awareness of the areas most vulnerable to data breaches and to prevent attackers from entering through those channels
- Physical safeguards – Proper infrastructure and device safeguards should be maintained, while also preventing unauthorized access through tight access controls
- Administrative safeguards – Periodic risk assessment of all clinical applications, medical devices, and data centers that store and maintain critical information
- Technical safeguards – Control over the use of information through privileged access that prevents unauthorized access to and use of data
Recommendations for Cyber Attack Prevention
Aside from the fact that there is a massive demand for privileged patient information on the dark web, the healthcare industry has not evolved to have strong security controls that protect the data. Despite the growth and use of the Internet of Medical Things (IoMT), hospitals and medical device companies still have gaps in their security measures that can lead to data misuse. Healthcare players must understand that the cost of investing in building security controls is far lower than the cost of paying a ransom. Some of the recommendations to prevent cyberattacks include:
- Upgrading from legacy systems to the latest cybersecurity technologies to strengthen the environment
- Compliance with privacy acts such as HIPAA, GDPR, and CCPA
- Implementing cyber hygiene programs, including building firewalls across gateways such as web gateways, email gateways, identity management systems, etc.
- Continuous real-time monitoring to proactively detect threats and automatically block an attack before it succeeds
- Forensic investigation capability to monitor, detect, and stop attacks based on knowledge of past incidents
This blog offers only a high-level gist of the webinar. You can watch the entire discussion, including the poll questions and the experts’ take on audience questions here.
GAVS periodically organizes insightful webinars with GAVS’ tech leaders, the leadership team, and industry thought leaders to explore current and emerging trends. To watch our other webinar recordings, please visit https://www.gavstech.com/videos/