The healthcare landscape looks very different than it did even five or six years ago. From mobile health apps and connected medical devices, to remote patient monitoring and automated health information systems — digital technology is forever changing the way providers interact with and treat patients, enabling them to deliver around-the-clock connected care from any location.
But with these new opportunities come new healthcare IT challenges. The medical industry handles some of the world’s most sensitive data and devices. In the wrong hands, this information poses a threat to patient privacy, and life-saving technology could instead put lives at stake.
That’s why cybersecurity is one of the “Top Health Industry Issues of 2016,” according to PwC’s Health Research Institute’s annual report.
What are the industry’s greatest vulnerabilities? And what can healthcare organizations do to keep patients — and their data — safe?
What’s at Stake?
Healthcare hasn’t been a major hacking target for long, but that is changing quickly. An estimated 85 percent of large health organizations experienced data breaches in 2014, according to PwC’s report, and 18 percent of those breaches cost more than $1 million to remediate.
So far, cybercriminals have only targeted medical information. But connected medical devices could eventually become targets as well. Last year, U.S. federal regulators issued the first-ever government warning that a medical device was vulnerable to hacking — an insulin pump that could be modified to deliver a fatal dose of medication.
Patient trust is also on the line. When PwC asked consumers how they would feel about using connected medical devices after a hacking incident:
- 50 percent said they would think twice about using any connected device
- 51 percent would think twice about using that manufacturer’s devices
- 38 percent would be wary of using hospitals associated with the hacked devices
While these are fairly new challenges for the healthcare industry, HIPAA regulations have been regularly updated to include security recommendations and requirements that anticipate these scenarios. The FDA has also issued new warnings and guidance documents about cybersecurity for connected medical devices.
But as security breaches become more common and costly, healthcare providers will need to step up their game and take action to prevent security breaches that could cripple the industry.
Security Best Practices for Healthcare IT
To protect patient privacy and safety, healthcare organizations — including IT teams and end users — need to understand how to use connected devices securely. This includes both medical devices and any mobile devices that access sensitive data.
Below are a few key steps in the right direction:
1. Separate connected medical devices from other hospital devices and servers
Devices should be kept updated, behind firewalls and on dedicated networks. If medical devices need other mobile devices, such as smartphones or tablets, to manage data, those devices should also be properly secured and not used for any other purposes.
PwC notes that password management is also a key concern. Hospitals often don’t change default device passwords, making them more vulnerable to hacking.
2. Work with device manufacturers that take security seriously
Not all medical device manufacturers are created equal. Before partnering with technology companies, healthcare providers must do their due diligence to ensure security is front and center. PwC recommends working with companies that conduct routine assessments to review device vulnerabilities.
3. Ensure security on mobile devices that access health information systems
Providing care teams with mobile access to electronic health records systems enables them to streamline communication, better engage patients and work more efficiently. But unsecured mobile devices could introduce malware and viruses to the organization’s IT infrastructure and potentially lead to data security breaches.
To keep data secure, healthcare organizations can use mobile device management platforms to monitor all devices that are connected to protected databases. Containerization solutions, such as Samsung’s Knox Workspace, allow users to separate work data from personal data on the device.
4. Educate end users
Tyler Cohen Wood, former DIA Senior Intelligence Officer and Cyber Deputy Division Chief, recommends teaching security awareness to employees at all levels of the healthcare organization.
Data security “is no longer just an IT or developer problem,” she explains. “Everybody has to understand the basic concepts, and by putting together a mandatory education program, it teaches these concepts. You’re going to greatly reduce the risk to your organization and to your company.”