Cyber Hygiene and Patient Safety: How to Mitigate Healthcare Cyber Attacks that Risk Lives
May 10, 2023
From wearable medical equipment to fitness apps to digitized hospital records, the amount of protected health information (PHI) in cyberspace is staggering. This makes protecting PHI a top cybersecurity concern, as it becomes more than a matter of security, but also patient safety.
That’s right: there is a connection between cyber hygiene and patient safety where leaked health information can actually affect a patient’s health. Thus, the importance of safeguarding this information is paramount.
As hospital data breaches increase and health data becomes more vulnerable to hackers, the demand for cybersecurity professionals in healthcare continues to grow. In this article, healthcare cybersecurity leaders explain what is at stake when health data is compromised, as well as their tips on how to prepare for and prevent future cyberattacks.
Vulnerable Health Data and Patient Risk
When we hear the words “data breach”, we usually think of the financial implications, such as exposed credit card information leading to financial losses and credit history being compromised. What we may not realize is that healthcare data breaches can result in patient harm and even death. How is this possible?
In a research study conducted by the Ponemon Institute, an information use and privacy management research institution, it was discovered that healthcare organizations experienced cyberattacks as often as once per week and “57% also say these attacks are resulting in adverse impacts on patient care.” Additionally, there was an “increase of complications from medical procedures–and 20% reported an increase in mortality rates.” CISO of Intermountain Healthcare, Erik Decker, explains that these attacks result in service outages that can dramatically snowball into canceled appointments, interrupted services, and reduced patient care resources.
Often, these attacks impact the healthcare environment by diverting staff attention and preventing access to crucial data or electronic health records (EHR) for not just days or weeks, but several months. And when busy hospital staff are further unable to perform their duties in a timely manner due to a data breach, this can quickly become a matter of life or death for their patients.
Generally, your Fitbit and Apple Watch aren’t the issue—it’s the more complex information systems that run on third-party servers and software that are primarily vulnerable and contain the most private of health information. Also, life-saving medical equipment that collects biometric and other data can be hacked and stolen. It has been documented by the FBI “that equipment vulnerable to cyberattacks includes insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps.”
In addition to other means of data protection, such as software patches and employee training, medical gear and integrated health systems require specialized technicians such as computer engineers and subject matter experts to manage the complexity of such systems while maintaining security and ensuring continued patient care.
Securing Data Assets by Limiting Data Access
We all know that sharing passwords is bad cyber hygiene. But what about at work, when multiple employees need to access one system, one file, or one shared drive? Darren Lacey, VP and CISO for Johns Hopkins University and Johns Hopkins Medicine, states that limiting data access is still one of the most important steps against cyberattacks—the fewer people with access to the information, the better. Establishing a system within the company’s cyberspace that provides quick, protected access to those who need it and limits access to those who don’t is key to helping prevent password leaks or unauthorized access.
“Data management requires a risk-based approach where data managers in the healthcare space must act as ‘mindful custodians,’” Lacey adds, which requires a comprehensive system of risk analysis and organizational action by individuals who understand the complexity and vulnerability of these systems.
Preparedness Against Cyberattacks through Practice
The practical methods of preparedness against cyberattacks include performing technical protocols to defend against malicious offenders.
Some recommended cybersecurity methods for all organizations include:
- Application penetration testing and security exercises to test for real-time vulnerabilities
- Updated antivirus and software patches
- Email security to prevent phishing attacks, malware, and virus downloads
- Multi-factor authentication, encryption and virtual private networks (VPNs) for added levels of protection
- Data and usage logs to maintain records of who accessed what and when
- Data backup in case of breach or loss as well as proper records destruction protocols
These are just a few of the many ways that cybersecurity risks need to be addressed when dealing with healthcare data. Overall, maintaining regular risk assessments, conducting software patches and upgrades, and performing security exercises can help in the organization’s visualization and response to threats before they even happen, in addition to establishing a plan for continued patient care in the face of a breach.
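The two ideas above that translate most directly into code are limiting access to those who need it and keeping a record of who accessed what and when. The following is an added illustration, not code from the article or from any of the organizations it quotes: a small least-privilege layer for PHI records that combines a role permission check with a "minimum necessary" rule (clinical actions also require membership in the patient's care team), writes every decision to an audit trail, and offers a simple review query over that trail. All users, roles, patient ids and actions are constructed sample data.

```python
"""Least-privilege access to PHI with an audit trail (added illustration).

Not code from the article or any named organization. Users, roles, patient
ids and actions are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Role -> actions that role may perform (constructed; real catalogs are larger).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read_chart", "write_chart", "read_labs"},
    "nurse": {"read_chart", "read_labs"},
    "billing": {"read_billing"},
    "maintenance": set(),  # no PHI access at all
}

# Clinical actions additionally require membership in the patient's care team:
# a valid role alone is not enough ("minimum necessary").
CLINICAL_ACTIONS = {"read_chart", "write_chart", "read_labs"}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    patient_id: str
    action: str
    allowed: bool
    reason: str


@dataclass
class PhiAccessControl:
    user_roles: Dict[str, str]        # user -> role
    care_teams: Dict[str, Set[str]]   # patient_id -> users assigned to that patient
    audit_log: List[AuditEvent] = field(default_factory=list)

    def authorize(self, user: str, patient_id: str, action: str) -> bool:
        """Decide one access request and record the decision, allowed or denied."""
        role = self.user_roles.get(user, "unknown")
        if role == "unknown":
            allowed, reason = False, "unknown user"
        elif action not in ROLE_PERMISSIONS.get(role, set()):
            allowed, reason = False, f"role '{role}' may not {action}"
        elif action in CLINICAL_ACTIONS and user not in self.care_teams.get(patient_id, set()):
            allowed, reason = False, "user not on patient's care team"
        else:
            allowed, reason = True, "permitted"
        # Denials are logged too: they are the most useful review signal.
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            action=action, allowed=allowed, reason=reason,
        ))
        return allowed


def denied_counts(log: List[AuditEvent]) -> Dict[str, int]:
    """Number of denied requests per user, for periodic access review."""
    counts: Dict[str, int] = {}
    for ev in log:
        if not ev.allowed:
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


def users_over_threshold(log: List[AuditEvent], threshold: int) -> List[str]:
    """Users whose denied-request count reached the review threshold."""
    return sorted(u for u, n in denied_counts(log).items() if n >= threshold)


def build_demo() -> PhiAccessControl:
    """Run a constructed sequence of requests and return the populated controller."""
    ac = PhiAccessControl(
        user_roles={"dr_smith": "physician", "nurse_jones": "nurse",
                    "b_lee": "billing", "m_kim": "maintenance"},
        care_teams={"P-1001": {"dr_smith", "nurse_jones"}, "P-2002": {"dr_smith"}},
    )
    ac.authorize("dr_smith", "P-1001", "write_chart")     # allowed
    ac.authorize("nurse_jones", "P-1001", "read_labs")    # allowed
    ac.authorize("nurse_jones", "P-1001", "write_chart")  # denied: role
    ac.authorize("nurse_jones", "P-2002", "read_chart")   # denied: not on care team
    ac.authorize("b_lee", "P-1001", "read_billing")       # allowed
    ac.authorize("m_kim", "P-1001", "read_chart")         # denied: role has no PHI access
    ac.authorize("m_kim", "P-2002", "read_chart")         # denied: role has no PHI access
    ac.authorize("contractor", "P-1001", "read_chart")    # denied: unknown user
    return ac


if __name__ == "__main__":
    demo = build_demo()
    for ev in demo.audit_log:
        print(f"{ev.timestamp} {ev.user:12} {ev.action:13} {ev.patient_id} "
              f"{'ALLOW' if ev.allowed else 'DENY '} {ev.reason}")
    print("review:", users_over_threshold(demo.audit_log, 2))
```

The design point is that the care-team check sits in the same place as the role check, so a clinician with a perfectly valid role still cannot browse patients they are not treating, and every denial leaves a record that a periodic review can query rather than relying on someone noticing at the time.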
"One of the biggest mistakes is that when people do tabletop exercises, they focus just on the IT area – how to respond to a cyber incident – and less on the resiliency of an organization to be able to conduct patient care in the face of adversity," warns Anahi Santiago, CISO at Christiana Care. Creating a well-rounded, multi-faceted, and employee-involved plan of action is key to managing PHI and ensuring patient health is not affected.
Healthcare Employee Training and Protocols in Cyber Response
All employees should be trained in good cyber hygiene methods, but not all employees require the same training. What does this mean?
Within the healthcare environment, there are many employment areas, from doctors and nurses to administrative staff and records management to maintenance and safety workers. Some will require specialized IT training to interact with medical equipment connected to computers. Some will require base training, as their data interaction is minimal. And some will require expertise in this field, as they manage these threatened systems daily. In addition to limiting data access, knowing what training is required for whom is one more step towards a streamlined and secured organization.
The Health Insurance Portability and Accountability Act (HIPAA) details the operational and technical regulations of this information through the HIPAA Security Rule and HIPAA Privacy Rule. These focus on establishing national standards to protect individuals' electronic PHI by setting guidelines and standards for administrative, physical, and technical handling of health information, as well as requiring safeguards and limiting disclosure to protect the privacy of PHI including medical records, insurance information, and other private details.
In addition, the Department of Health and Human Services (DHHS) created the 405(d) Program in 2015 as a collaborative effort to provide the healthcare & public health (HPH) sector with impactful resources, products, and tools to raise awareness and strengthen the sector’s cybersecurity posture against cyber threats.
Human error and negligence are the biggest reasons for data breaches. Employees are the first line of defense in cybersecurity and making sure they are well trained in HIPAA and federally mandated standards, as well as implementing company-specific protocols and role-based cyber education, is crucial in securing PHI systems across all healthcare fields and reducing patient health risks as a result of health data breaches.
Education for Cyber Professionals
The healthcare industry is seeing an increased need for cybersecurity professionals to navigate the perpetual onslaught of cyberattacks that pose a risk to patient health and data every day. Capitol Technology University is a leading institution in cyber education and is a designated NSA and DoD Center of Academic Excellence in Cyber Defense.
Capitol Tech's Cyber and Information Security programs provide a comprehensive curriculum, cutting-edge labs, and expert faculty to ensure students receive the best education in this evolving and important field. Our Center for Women in Cyber (CWC) provides students with access to leaders in the cyber industry for mentorship and networking opportunities. Capitol Tech also offers degrees in the management of technology and occupational safety and health for health and cyber-adjacent career paths. Consider joining Capitol Technology University in pursuing your cybersecurity career goals today.