As healthcare industry leaders, we’re well past the point where we can discuss cybersecurity as a fragmented topic. From the presidential election to recent announcements from DHS, it’s clear that cybersecurity is now an issue that permeates all of healthcare and we must make security awareness a major priority in 2017. Thankfully, HIT leaders are taking notice: A recent HIMSS survey revealed that 85 percent of IT security leaders are looking to improve their cybersecurity awareness.
There was once a time when, for example, the mobile health security question was relatively separate from any discussion of medical devices. However, as we move into 2017, it’s essential that all healthcare and HIT leaders shift their perspectives toward risk assessment and building a comprehensive security awareness program that addresses the most vulnerable points in our healthcare technology environment.
Perhaps the most important point in building an effective security awareness program is understanding where HIPAA fits within today’s cybersecurity environment.
Earlier this year, the Government Accountability Office (GAO) released the report Electronic Health Information: HHS Needs to Strengthen Security and Privacy Guidance and Oversight as a response to a request from Congress. The report reviewed the current state of the health information cybersecurity infrastructure, and made recommendations based on its findings. It found that HIPAA does provide guidance on cyberthreats and that existing gaps could contribute to incomplete risk assessment and risk management plans, in addition to problems in the implementation of security controls.
Overall, the report reveals that meeting HIPAA requirements as they stand isn’t sufficient for any proactive healthcare organization.
Mobile as an Existing Threat
One of the most logical starting points for healthcare leaders looking to understand cybersecurity threats today is mobile health.
The rise of mobile, in the form of BYOD policies, wearables and even some telemedicine solutions, means that security can no longer be understood within the neat, physical walls that it could be before. Healthcare networks and patient files are now vulnerable to every smartphone, tablet and fitness tracker with which they connect, and as we’ve seen recently, these access points pose a genuine threat.
According to the 2016 Ponemon Cost of Data Breach Study, the average consolidated total cost of a data breach climbed from $3.8 million in 2015 to $4 million this year. As mobile health tools, which are increasingly the targets of ransomware attacks, demand more fluid data exchange and become more popular with the people connecting to healthcare systems, those numbers are almost guaranteed to climb.
This leaves most healthcare organizations in a situation where endpoint protection won’t be enough, which is why HIT security leaders like Chris Sullivan of Core Security are recommending high-end network monitoring and network anomaly detection. This approach gives IT leaders and staff insight into suspicious changes and patterns in day-to-day behavior around devices and access.
Tackling the App Problem
Of course, a direct consequence of the mobile health issue is the sheer volume of apps that run on many of these devices, both for patients and for clinicians. Health and fitness apps dominate both Android and iOS downloads, and consumers are making increasingly heavy use of their devices to exchange health information: one out of every four U.S. consumers has emailed or texted a photo of a medical issue to a doctor, and 58 percent of those same consumers with smartphones have used the internet to share information with a caregiver.
Now more than ever, healthcare organizations need to implement a mobile security platform that addresses the cybersecurity risks at the application layer — an area that’s particularly vulnerable to ransomware and hasn’t received much financial attention — while performing risk assessment and building a security awareness program. In a study of 71 popular mobile health applications commissioned by Arxan Technologies, 86 percent were shown to have at least two OWASP (Open Web Application Security Project) mobile risks. Notably, 19 of the mobile health apps had been approved by the US Food and Drug Administration (FDA) and 15 of the mobile health apps had been approved by the UK National Health Service (NHS). As Arxan Technologies concluded, “such vulnerabilities could allow the apps to be tampered and reverse-engineered, put sensitive health information in the wrong hands and, even worse, potentially force critical health apps to malfunction.”
To address this issue and the broader need for higher levels of security on mobile devices, Samsung has developed Knox, a defense-grade security platform that is built into Samsung’s latest smartphones and tablets. The Knox platform provides multifaceted security that is rooted in the hardware itself, so that if malware infects the device at the application layer, core security certificates will remain encrypted and access to the device will be shut off. For two consecutive years, Knox has received the most “Strong” ratings of any mobile platform in a mobile security comparison study from Gartner.
Why the IoT Makes Things Even More Complicated
While the IoT, or IoMT (Internet of Medical Things), is still in its early stages, the devices now joining the healthcare cybersecurity ecosystem hold considerably more information and carry considerably greater capabilities than most mobile health and app solutions do.
Johnson & Johnson recently announced that its digital insulin pumps are vulnerable to hacking. While the chances of hacking are reportedly low, products like these are a growing and influential component of healthcare technology networks, and represent a new risk in a class of devices (insulin pumps, pacemakers, defibrillators, etc.) that tie into mobile health as well as EHRs and EMRs.
Addressing the IoT issue will require several steps, including the application of a zero-trust networking architecture, shoring up basic security hygiene procedures, implementing a clinical risk management framework and categorizing existing devices based on risk. As we move deeper into an Internet of Healthcare Things specifically, the question of authenticating who is using all these devices will become even more important. Secure authentication, as it stands, is still very much password-centered, but the industry has seen a bigger move toward new alternatives such as biometrics. While many consider biometrics to be inherently secure, they are, in fact, only inherently unique and, unfortunately, inherently public. Hackers have already engineered ways to spoof biometric authentication, and the underlying biometric data can be stolen in bulk: the Office of Personnel Management was hacked last year, compromising the fingerprints of 5.6 million people. Healthcare is equally vulnerable, and while biometrics is a viable secure authentication solution, it will have to meet the same high standards of security that the industry is continually working to refine.
Healthcare threats are constantly shifting. But they can be managed with the implementation of a security strategy that uses regulations as a guideline on which to build adaptive and proactive cybersecurity initiatives.
In order to combat healthcare security risks, it’s critical to secure authentication in healthcare systems and technology.