The healthcare sector has undergone dramatic changes in the past several years, primarily spurred by the adoption of new medical technology. Beginning with the adoption of electronic health records (EHRs) and continuing on into the increased use of medical applications, online patient portals, connected devices, and wearables, the healthcare sector has been capitalizing on digital advancements to improve overall patient experiences and outcomes.
This effort has been well received by patients and physicians alike, as it simplifies communication between doctors and their patients, and between a patient’s doctors if the patient sees more than one specialist. Additionally, simplified access to their medical records and care providers means that patients are taking a more proactive role in their own health. Healthcare IT has also made it possible for health providers to reduce operational inefficiencies through technology-enabled data collection and automation, which can offer cost savings.
Moving forward, the continued use of new advanced technologies will be expected by patients and healthcare professionals in order to provide the best care possible. However, as technology use in healthcare grows, so does the risk of cyber attack. Personal health information (PHI) stored in medical records is of incredible value to cybercriminals. This is because it contains highly personal information, such as social security numbers and insurance information, which can easily be used for fraudulent purposes or sold for a profit. As new connected technology pervades the space, there will be increased cyber risks that must be considered in order to preserve patient privacy and meet HIPAA compliance standards.
Reasons for Increased Cyber Risk in Healthcare
One of the most widely adopted advancements in medical technology and patient empowerment – devices connected through the Internet of Medical Things (IoMT) – is also one of the greatest sources of cyber threats for multiple reasons.
- IoMT devices are often not built with security as a primary consideration, and unlike the providers that use these devices, the manufacturers are not typically bound by HIPAA regulations that require security features to protect the PHI of patients. This makes IoMT devices an attractive entryway into healthcare networks for cybercriminals.
- In addition to an initial lack of infrastructural security features, IoMT devices don’t always have simplified mechanisms to distribute or receive security-related updates and patches when a new vulnerability is discovered.
- Finally, these devices, as well as the web applications patients use to interact with them, are often programmed to access classified information stored on hospital networks. As a result, network security protocols need to be adjusted to deal with the increased number of endpoints, as well as the increasing volume of data requests, to ensure these devices can only access specifically approved information. Unsecured endpoints and applications can act as an easy entryway into the broader network when compromised.
With U.S. hospitals using an average of 10-15 connected devices per bed, inadequate IoMT security significantly expands the potential attack surface and poses a huge risk to healthcare providers and patients.
Frequent, Evolving Ransomware Attacks
Healthcare cyber risks have also increased due to the growing sophistication of cyberattacks. For example, the past two years have seen a drastic increase in the number and severity of ransomware attacks carried out against healthcare providers, most recently with the WannaCry and Petya exploits. Once again, this vulnerability is a direct result of the amount of sensitive and valuable patient data being stored electronically. Cybercriminals are aware that hospitals and healthcare providers rely on critical digital patient information and would rather pay a ransom to regain access to this information than allow a patient to suffer. Many of these attacks are becoming increasingly intelligent, introducing such functions as situational awareness, which helps them avoid security detection. This growing sophistication of cyberattacks means that healthcare IT teams have to continuously update security processes with current threat intelligence in order to protect confidential information.
Cybersecurity Skills Gap
Finally, there is also a growing skills shortage in the cybersecurity field, which makes it difficult to build an experienced team able to prioritize cybersecurity initiatives and create a cyber-aware environment. As this continues, healthcare organizations will face a challenge around safely implementing new technology, ensuring that new and existing technologies are secured against cyberattacks, and making sure it is all in compliance with HIPAA with limited personnel and funding. As a result, security tools will need to be better integrated and automated in order to quickly and easily adapt to environmental and situational network changes.
Mitigating Healthcare Cyber Risks
As healthcare providers become more technology driven, IT teams need to have a thorough understanding of their cybersecurity processes and capabilities. For example, without knowing where critical information is stored, IT teams run the risk of devoting resources to the wrong types of protection in the wrong locations. This is why they must conduct regular cyber threat assessments to ensure they have clear visibility into, and understanding of, current cybersecurity protocols, potential data security gaps, and areas that require more in-depth security.
Conducting a cyber threat assessment, in addition to being required by HIPAA, helps give IT teams clarity into every technology asset operating within their network. Fortinet provides healthcare organizations with free cyber threat assessments that provide deep visibility into vulnerable applications attacking the network and identify at-risk devices operating within the network.
Benefits of Conducting a Cyber Threat Assessment
A Fortinet Cyber Threat Assessment gives health IT teams the ability to see how their staff uses certain applications, and how well they abide by prescribed acceptable use policies. If it seems like the staff is regularly circumventing security protocols, it might mean that those rules are restrictive and impede the speed at which hospital staff need to do their jobs. With this information, health IT teams can alter their policies to bring them more in line with employee needs while ensuring that necessary security measures are not being ignored.
As more devices connect to your network, IT teams have to ensure that they have the bandwidth and controls in place to prioritize traffic without compromising user experience or security. This ensures that your security protocols are scalable and optimized, especially for peak traffic hours.
With the information obtained through a cyber threat assessment, healthcare IT teams can make more informed decisions about the types of cybersecurity solutions they require based on gaps in their current security posture. This visibility can help ensure and enhance HIPAA compliance and patient protection, while removing the risk that limited security resources are being misapplied or used in the wrong areas.
To provide patients with the best possible care, healthcare providers have to continue to adopt the latest medical technologies to improve communication and efficiency. However, they must also recognize that the use of these technologies, such as IoMT devices, also increases their susceptibility to cyber risks, such as ransomware. To prioritize their security efforts and implement strong and effective security protocols, healthcare IT teams must perform a cyber threat assessment to gain visibility into the effectiveness of their cybersecurity program and to identify and mitigate any gaps in security.
To meet the demand for better and more accurate insight into the state of the network, Fortinet has launched the beta version of our FortiGuard Threat Intelligence Service (TIS).