Unique Challenges Make Health Care Security a Difficult Task

Cybersecurity is a top-level priority for businesses operating in every sector today. Hackers and other cybercriminals have, in recent years, become far more skilled, numerous and persistent. They recognize the tremendous amount of value that sensitive consumer data holds, and they are eager to get ahold of these resources by any means necessary.

This trend is particularly damaging for organizations in the health care sector. Specifically, medical records and other protected health information are 10 times more valuable to cybercriminals than credit cards and other financial data, according to Raytheon|Websense, because it can be used effectively for identity theft and fraud on a long-term basis. Additionally, there are many unique factors which further complicate cybersecurity efforts in this sector, as CIO contributor Maria Korolov highlighted.

Mobile Matters
One of the biggest issues that health care providers have to grapple with when it comes to IT security is the prevalence of mobile devices. While the use of smartphones, laptops, and tablets is obviously not unique to hospitals and other care providers, employees in this area tend to be particularly frequent users of these technologies. Doctors and nurses will frequently turn to mobile devices in order to access patient data while on the move between examining rooms, offices and their homes.

The problem is not that such activity is so commonplace in the health care sector. Rather, the issue is that mobile devices are not being utilized in a safe, secure fashion, as Korolov pointed out. Specifically, organizations and personnel frequently fail to implement encryption and authentication measures which would limit the liability posed by mobile device use. The writer noted that a Bitglass report found that more than two-thirds of all health care-related data breaches to occur since 2010 were the result of lost or stolen mobile devices.

“We’ve been hearing of far too many stories of laptops being stolen from clinician’s cars or offices,” said Ananth Balasubramanian, head of vertical solutions at CommVault Systems, Korolov reported.

Such incidents would not prove problematic if the devices themselves were secured or could be wiped remotely in the event of loss. But many health care providers lack the resources and expertise needed to ensure that all mobile devices receive this level of protection.

Medical Equipment Vulnerabilities
Another serious, unique IT security issue Korolov highlighted is the inherent vulnerability of certain medical equipment. Carl Wright, a general manager with TrapX, told the writer that medical devices tend to feature closed systems, and this makes them difficult to scan for malware. This means that malware could enter a hospital’s network via a phishing email, then remain hidden when the care provider conducts an organization-wide search for damaging programs. Wright explained that in one such case, a cyberattacker used this method to identify and steal sensitive data from the hospital’s network.

The only way to effectively combat such threats is through careful strategies and rigorous best practices. Again, though, many health care providers have come up short in this area.

Personnel Considerations
Finally, it is important to acknowledge the personnel issues which many health care providers grapple with. Korolov pointed out that for hospitals and other organizations in this sector to function effectively, a wide range of employees need access to Personally Identifiable Information (PII) and Protected Health Information (PHI). Yet it is exceedingly difficult to ensure that this data remains both available and protected from unauthorized use.

Considering the number of health care data breaches that have occurred in recent years, it’s clear that hospitals need new strategies to grapple with these challenges. To this end, partnering with a Health IT services provider than can offer staff augmentation as well as strategic consulting is a good idea.