With the healthcare sector investing heavily in the latest state-of-the-art information technology solutions, healthcare delivery and access have improved significantly, even in the remote, far-flung corners of the globe. Data sharing and dissemination have become very easy and, to a large extent, this has also empowered patients to take control of and manage their own health conditions. Networked technology solutions in the healthcare sector have also greatly improved management, administrative and financial processes and have created a highly collaborative and cohesive environment, leading to increased patient satisfaction and better treatment outcomes. However, a critical trade-off of this overdependence on cyber technology is the ever-increasing threat of cyberattacks. Increased connectivity has greatly elevated the level of cybersecurity threats in the healthcare sector, and hospitals are forced to carry out a thorough evaluation of their systems and contemplate strategies to manage the risks. Given the ubiquity of information technology in the 21st-century healthcare industry, cybersecurity risks are no longer trivial or unique problems but mainstream concerns of healthcare governance and risk management teams.
For cyber attackers, the sensitive data related to a person's medical history, identity and finances is very lucrative, and since healthcare organizations have become almost completely dependent on information technology for even their highly sensitive and critical operations, the perception of threat has never been greater than it is today. According to Filkins (2014), around 61% of the respondents who took part in a 2014 cybersecurity survey by the SANS Institute believe that electronic medical record systems are facing a huge risk of intrusion in recent times. The threat is understandable given the phenomenal adoption of health information technology solutions such as EMR (electronic medical records) by healthcare centers. Electronic medical records store and manage information such as the birth dates, medical history, addresses, social security details and even insurance claim details of patients, and these data centers have become major targets for cyber attackers looking to gain access to highly sensitive information for commercial exploitation. According to the US Department of Health, around 1.6 million people lost their medical information in 2014 alone due to the compromise of data centers maintained by their healthcare providers (Kalis, Combs & Nickell, 2015). Current data point to the glaring prospect that by 2019 one in every thirteen patients will have their medical data compromised, and this will have severe financial implications not just for the patient but for the healthcare provider as well.
Compromise of electronic medical records can lead to personal financial losses for the patients and, given their unique nature, it may be very difficult to recover the lost amounts legally. According to a study carried out by the Ponemon Institute, patients could be tricked into paying medical bills that they did not incur, or even forced to pay insurance premiums because someone had stolen their insurance details and used them to claim medical benefits. Patients may also have to bear substantial out-of-pocket costs while fighting legal cases to prove their cybersecurity claims in a court of law. It is estimated that around 65% of the patients who are victims of cyber theft are forced to bear out-of-pocket costs in the range of $13,000 per individual, and according to Accenture, the out-of-pocket cost burden on patients will rise to $56 billion by the year 2019 (Kalis, Combs & Nickell, 2015). The Federal Bureau of Investigation has already issued warnings against potential cybersecurity threats that seek to gain access to sensitive protected healthcare information and digital medical records. These malicious agents also target industries and manufacturers in the healthcare sector, seeking to gain access to blueprints of medical devices so that they can be compromised to steal data (Infosec, 2014). The survey carried out by the Ponemon Institute also highlighted that the use of wireless and mobile communication protocols such as health clouds significantly increases the threat of data security breaches. The new mobile paradigms of data sharing create new loopholes that can be exploited by hackers to compromise data and steal personal information for commercial gain (Filkins, 2015). While patients pay substantial out-of-pocket costs due to compromise of data, healthcare providers also pay a very heavy price for failing to protect the information and, more importantly, for failing to retain the trust of their patients.
According to a study carried out by Accenture, almost half of the patients who became victims of cyber theft said that they would definitely opt for a different care provider. When viewed from the broader perspective of the value of each lost patient, healthcare providers are looking at a loss of around $305 billion within a period of 5 years (Kalis, Combs & Nickell, 2015).
The cyber security issues in the healthcare sector:
While it is easier to blame poor and outdated IT infrastructure for security lapses and data compromise, a thorough analysis will reveal that the real underlying issues are an inability to fully appreciate the security concerns, assumptions that in-house security measures are completely adequate to handle all kinds of intrusions and, of course, very minimal investment in procuring the right infrastructure. Lack of outside specialist opinion on the current state of the IT infrastructure and overreliance on organizational expertise create ample grounds for major security lapses in the healthcare sector. According to a study carried out by the Information Systems Audit and Control Association, an overwhelming majority of healthcare service providers have indicated that they face a serious shortage of skilled IT professionals who can properly deal with cyber intrusions (Curran & Hinde, 2016). It has also been reported that healthcare organizations and insurance providers use less than 20% of their IT budget in procuring infrastructure that can help prevent cyber intrusions (Taylor, 2015).
Roadmap to deal with cyber security threats:
At present, healthcare service providers are focussing too much on legislative compliance rather than investing in proper cybersecurity measures. It is very important for healthcare providers to understand that letting legislation such as HIPAA dictate what type of security measures are to be taken to protect patient data is a major mistake. Protection of sensitive patient data is the sole responsibility of the healthcare provider, and the focus should rather be on how the security protocols are implemented without compromising organizational compliance with security/privacy legislation such as HIPAA (Curran & Hinde, 2016). Healthcare providers must also realize that they may have a highly sophisticated IT infrastructure in place, but if there is no specific protocol or policy in place to deal with cyber security threats, the vulnerability of their systems will only increase over time. Currently there are numerous third-party cyber security consultants available in the market that can present the most appropriate solutions for preventing data security breaches. They can also help channel resources in the right direction in a manner that will not just make the infrastructure more robust but will also take a lot of the burden away from the internal IT staff. Healthcare providers can also benefit a lot by assigning a dedicated executive to specifically monitor cyber security threats and take the necessary steps in the event of an attack. Cyber security concerns are no longer confined to technology alone, and their ramifications for future business prospects are equally huge. For this reason it will be more helpful if the executives assigned the task of monitoring and managing cybersecurity risks fully understand both the business and technical aspects (Bell & Ebert, 2015).
It would be wrong to expect that incidents of data security breach will reduce in the coming months, and with the emergence of innovative paradigms such as mobile health applications and health clouds, more security loopholes will appear in the coming days. It is about time that cyber security concerns in the healthcare sector get due recognition and importance, and that the need to secure patient data becomes more important than compliance with legislation. Healthcare administrators must also ensure that adequate funding is provided to the IT sector to deal with cybersecurity threats, and even though there is no guarantee that cyber attacks will never happen in future, an adequately secure system is definitely a less desirable target than an unsecured one.
Bell, G., & Ebert, M. (2015). Health Care and Cyber Security: Increasing Threats Require Increased Capabilities. Retrieved 22 March 2016, from https://advisory.kpmg.us/content/dam/kpmg-advisory...
Curran, S., & Hinde, W. (2016). Top cybersecurity mistakes health organizations make. Managed Healthcare Executive. Retrieved 25 March 2016, from http://managedhealthcareexecutive.modernmedicine.c...
Filkins, B. (2015). New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations (1st ed.). SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/anal...
Kalis, B., Combs, J., & Nickell, J. (2015). $300 Billion Attack: The Revenue Risk and Human Impact of Healthcare Provider Cyber Security Inaction (1st ed.). Accenture. Retrieved from https://www.accenture.com/t20150911T013034__w__/us...
Risks and Cyber Threats to the Healthcare Industry - InfoSec Resources. (2014). InfoSec Resources. Retrieved 23 March 2016, from http://resources.infosecinstitute.com/risks-cyber-...
Taylor, H. (2015). The key industry that's way behind on data security. Retrieved 26 March 2016, from http://www.cnbc.com/2015/11/11/us-health-care-way-...