In early 2015, the Washington Post quite accurately referred to 2015 as the "year of the health care hack," and forecast that the situation would continue to escalate. While the data breaches that followed did not quite match the scale of the infamous Anthem and Premera attacks, health care, as predicted, was hit hard. According to the Identity Theft Resource Center, there were around 250 successful breaches of health care organizations last year.
Unfortunately, a reprieve does not appear to be in the cards. The IDC has estimated that one in three health records will be exposed in 2016. In part this will be driven by an increase in the number of virtual health services, as well as the continued digitization of health records, according to Computerworld.
With the new year underway, and health care trends in the process of being realized - for better or worse - cybersecurity best practices must be the focal point of threatened industries. Below are a few key considerations for health care organizations in particular that may help mitigate threats to the well-being of digital assets in 2016.
Generally speaking, cyberattackers go after health care institutions for personal data such as Social Security numbers, and complementary information including names, dates of birth, contact details and other data that can be sold on the Dark Web for identity theft or other illicit purposes. That said, guarding this protected health information is not the only concern. Another frightening reality is the extraordinary pace at which the number of connected medical devices is increasing thanks to the rise of the Internet of Things.
According to Healthcare IT News contributor Rick Kam, hackers' using connected devices as a portal to cybercrime is swiftly transforming from a "theoretical vulnerability" to a "significant threat." This means that in the very near future, a variety of wireless and remote health monitoring systems will be more at risk than ever before.
A PCWorld feature article published in 2015 noted that a variety of health care systems including MRI scanners, drug-infusion pumps and X-ray machines are already rife with identifiable vulnerabilities to hacking. As the number of health care-related mobile applications and services continues to rise - via smartphones, wearable devices, pace makers and remote monitoring technology - the number of penetrable endpoints also rises. The idea of causing an individual, or even a group of people, physical harm by breaching these systems is increasingly entering the realm of reality.
So how exactly can all of these wireless devices be protected? Like many of the devices connected via the Internet of Things, cloud computing and related cloud networks will be largely responsible for making machine-to-machine communication feasible. Therefore, cloud security will be key. Cloud-based accounts must be thoroughly vetted through measures such as two-factor authentication - at a minimum. Health care systems in particular are ideal candidates for biometric-based, multifactor authentication.
Patient Web portals that show analysis of data gathered by wearable devices or remote health care systems would be better guarded if fingerprinting, voice recognition or retina scanning checkpoints were included in the identity verification process. This can help ensure that only patients or verified medical professionals are accessing delicate medical data via connected devices. Strong encryption of this data as it is transmitted between endpoints and stored in institutional networks will also be hugely important in ensuring that sensitive information remains safe, and that it cannot be leveraged for cybercrime in any measure even if perimeter defenses are breached.
"Health care organizations should not be settling for minimum precautionary requirements."
The insider threat - malicious or otherwise - is increasingly becoming a concern in organizations. While compliance measures such as those established by HIPAA in the U.S. help mitigate many of the cyberthreats that could be introduced by poor practices, health care organizations should not be settling for minimum precautionary requirements. Defending against shadow IT and other forms of employee-introduced cyberthreats demands multifactor authentication.
According to the ITRC, many of the data breaches that occurred in 2015 were paper breaches. Now more than ever, guarding physical spaces is of the utmost importance. Hackers and fraudsters are using multi-pronged approaches to data breaches that may include physical intrusions of workspaces or manipulation of employees that may lead to privilege escalation.
At the tail end of 2015, a married couple managed to steal personal information from approximately 80 patients at a New York hospital - one of the perpetrators was an employee. Accounts must be safeguarded with two-factor authentication, and all sensitive documentation -virtual and physical - must be thoroughly protected.
Specifically in regard to the incorporation of new devices into work settings, the use of digital certificates in order to verify every endpoint connected to a network is vital. In chorus with the use of mobile authentication instruments that can turn smartphones and other mobile devices into authentication tokens for other internal systems, digital certificates will go a long way toward enhancing mobile device management.
Taken all at once, much of this information may seem daunting. Nevertheless, the long list of best practices is nowhere near as daunting as the cyberthreat landscape. The goal now is to prevent a repeat of 2015, also known as "year of the health care hack." In 2016, going the extra mile on authentication and device management is ultimately what it will take to make sure this goal is achieved.