Top Cybersecurity Risks and Problems in Healthcare
Published December 2, 2024.
The healthcare industry is struggling, and not just with high costs or a shortage of practitioners. Healthcare has a cybersecurity problem. Reports and studies indicate that the healthcare industry is currently bearing the brunt of ransomware attacks, and U.S. authorities stated in 2017 that cybersecurity in healthcare was in “critical condition.”
While cyberthreats to national power grids, financial institutions and even individual businesses are certainly troublesome and dangerous, the vulnerabilities in healthcare don’t just result in financial loss or political fallout; they could even result in the death of patients. So why aren’t things getting better? The constant small-scale attacks on healthcare systems, which are usually prevented, may go unnoticed, but several high-profile cases have stressed the need for improvement. So what’s the holdup?
Well, just as the consequences of poor cybersecurity in healthcare are unique, so too are the challenges that must be overcome to make improvements. Here are some of the key risks and problems that have to be tackled:
- Privacy vs. Safety – It’s not that healthcare institutions don’t have cybersecurity measures in place; many of them do. But, more often than not, they’re only focusing on half of the problem. Strict regulations on the privacy of patient data have many institutions implementing robust systems of defense to keep personal data safe. The same cannot be said for protecting the connected devices and networks in the clinics themselves, which help doctors treat patients. Regulation in this area is lax and/or vague, partly because of some of the other challenges in this list.
- Everything is connected – Modern medicine relies on countless separate, yet connected, medical devices. Did you know that even pacemakers can be hacked? This proliferation of connected but non-unified devices makes it difficult for clinics and hospitals to keep everything updated with the latest security measures or to monitor everything for signs of an attack. What’s more, medical devices are expensive. Even compromised devices are not easily replaceable. And what happens if an outdated or compromised device is the only possible tool available to save a life?
- Focused on the patients – All practitioners are highly trained, but not in cybersecurity, which they often see as an administrative issue. No, they specialize in patient care and generally rely on others to give them the tools they need to work. Why does that matter? Because even hospitals with robust cybersecurity measures in place rely on doctors to update devices and spot suspicious cyber activity. All too often, practitioners aren’t trained in either of these skills.
- Personal devices – More and more doctors and nurses are being encouraged to bring their own personal devices to work as necessary. That includes personal smartphones, tablets, computers and other devices. This lowers administrative costs for the hospital and can make practitioners more flexible in their work, but every unsecured device that connects to any larger network is a vulnerable point, one that often isn’t accounted for.
- Black market economics – Medical records sell for big bucks on the black market, painting a huge target on healthcare institutions. While these may sell for $50 apiece, a Social Security number or credit card number may only be worth $1. A hacker with a buyer and money on the mind is going to hit a poorly guarded medical facility for data before trying anywhere else.
Finally, the industry needs to acknowledge the consequences of inaction. The worst-case scenario sees a massive attack taking down computers and devices at multiple hospitals at the same time, disrupting urgent operations or leading to mistaken, potentially fatal, diagnoses. But even what may seem to be a relatively minor attack could be disastrous. Even if an attack manages to simply disrupt the workflow in a clinic or hospital for a few hours, statistics show that death rates increase during that time period, the same way they increase when a marathon stops traffic and cuts down response time.
Many institutions have some form of protection in place. But an increased investment in having cybersecurity experts train staff will help guide institutions down a safer and more secure path. The only other option is an insecure future.