There’s good news and bad news on the healthcare data privacy and security front: While fewer organizations reported breaches in 2018, according to Bitglass’ 2019 Healthcare Breach Report, the number of records affected by those breaches skyrocketed. And although the number of breaches caused by lost and stolen devices has dropped by almost 70 percent since 2014, improper IT security and hacking have taken over as the top causes.
In other words, fewer organizations are being breached, but those that do get breached are facing bigger and more malicious attacks.
“Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years,” said Rich Campagna, chief marketing officer of Bitglass, in a company release. “However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their IT systems.”
There is, however, one more piece of good news: Even as hackers and cybercriminals are getting more sophisticated, so, too, are the countermeasures hospitals are taking.
“At the end of the day, we’ve got the bad guys trying to get to our data,” Halifax Health Vice President and CIO Tom Stafford said at this year’s HIMSS conference. “And so we have to do novel things and layer technology to make sure we’re protecting our patients’ information.”
AI Alerts IT Teams of Suspicious Activities
Today’s cybercriminals are constantly changing their approaches and using new tools, including artificial intelligence, to avoid detection. But healthcare organizations can counter their attempts by fighting fire with fire.
“AI has the power to sift through thousands of transactions to patient data per second, and review different factors relating to each transaction, such as location of access, number of login attempts, and the duration between each login attempt,” notes an article on ITWeb. “In a case where a staff member's account is suddenly accessing 10,000 patients' files at the same time, this unusual behavior would be detected by AI and an alert would be issued.”
According to Jeremy Weiss, a security engineer for CDW Healthcare, tools leveraging artificial intelligence and automation are a “wise investment for information security leaders striving to continuously evolve their protection strategies.”
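The kind of check described in the ITWeb quote can be sketched over audit-log events. This is an added example, not code from the article or from any vendor it mentions. It swaps the AI model for a plain statistical baseline (median plus a multiple of the median absolute deviation) and covers two of the quoted factors: volume of patient records accessed and the time between login attempts. The event tuple layout, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def bulk_access_alerts(events, window=timedelta(minutes=5), k=6.0, floor=50):
    """Flag (user, window_start, n): n distinct records read in one window,
    far above the population baseline (median + k * MAD, at least floor)."""
    seen = defaultdict(set)
    for ts, user, action, detail in events:
        if action == "read_record":
            bucket = datetime.min + (ts - datetime.min) // window * window
            seen[(user, bucket)].add(detail)
    counts = {key: len(ids) for key, ids in seen.items()}
    if not counts:
        return []
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values()) or 1
    return sorted((u, b, n) for (u, b), n in counts.items() if n > max(floor, med + k * mad))

def rapid_login_alerts(events, min_attempts=5, max_gap=timedelta(seconds=2)):
    """Flag users with min_attempts+ failed logins each within max_gap of the last."""
    stamps = defaultdict(list)
    for ts, user, action, _ in events:
        if action == "login_failed":
            stamps[user].append(ts)
    flagged = []
    for user, times in stamps.items():
        times.sort()
        run = longest = 1
        for prev, cur in zip(times, times[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            longest = max(longest, run)
        if longest >= min_attempts:
            flagged.append(user)
    return sorted(flagged)

def sample_events():
    """Constructed audit events (not real data): (time, user, action, detail)."""
    t0 = datetime(2019, 3, 1, 9, 0, 0)
    ev = []
    for i, user in enumerate(["nurse_a", "nurse_b", "dr_c", "clerk_d"]):
        for j in range(4 + i):  # normal use: a handful of charts per window
            ev.append((t0 + timedelta(seconds=30 * j), user, "read_record", f"P{i}{j:03d}"))
    for j in range(10_000):  # one account reading 10,000 charts in about 100 s
        ev.append((t0 + timedelta(milliseconds=10 * j), "staff_e", "read_record", f"Q{j:05d}"))
    for j in range(8):  # scripted guessing: a failure every 500 ms
        ev.append((t0 + timedelta(milliseconds=500 * j), "dr_c", "login_failed", "ward-3"))
    for j in range(3):  # a person mistyping: failures 20 s apart
        ev.append((t0 + timedelta(seconds=20 * j), "nurse_a", "login_failed", "ward-1"))
    return ev

if __name__ == "__main__":
    print(bulk_access_alerts(sample_events()), rapid_login_alerts(sample_events()))
```

The median-based baseline is used because a single extreme account, such as the 10,000-record burst, would drag a mean and standard deviation upward and could hide itself.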
Cloud-Based Security Solutions Offer Efficiency and Effectiveness
Beyond AI, an increasing number of healthcare organizations are moving to cloud-based security solutions such as security monitoring and email security software, in part because the products have matured. According to Ram Ramadoss, vice president for privacy, information security and electronic health records compliance at CommonSpirit Health, cloud security vendors have a robust infrastructure and are diligent about ensuring their environment is hardened.
Cloud-based security tools are also able to support organizations with tight staff resources since the IT department can centrally manage computing devices and secure data, Frank Dickson, research vice president of IDC’s security products research practice, recently told HealthTech.
“The trend is greater and greater for moving to the cloud,” he said. “You may not have a fully baked IT staff in every location, so the cloud enables simplification and the ability to cover a greater number of facilities. It’s less for you to manage and provides for greater efficiency and effectiveness.”
IT Departments Invest in Humans as Their Top Line of Defense
Though cloud-based and AI technologies are advancing, an equally important part of a well-rounded protection strategy is a team of highly skilled and educated security specialists to oversee it. It’s important that these individuals are able to “make critical, real-time decisions where automation cannot resolve a cybersecurity issue,” wrote Brian Hedgeman and Alaap B. Shah of law firm Epstein Becker Green in a post on Lexology.
Today’s phishing emails and fake websites can fool even the experts, which is why hospital IT departments are really stepping up their hiring and education efforts.
In fact, email continues to be the most frequently reported initial point of compromise for the healthcare industry, according to the HIMSS 2019 Cybersecurity Survey, with 59 percent of all organizations surveyed saying they had experienced a breach within the past 12 months that started with phishing.
It is important that healthcare organizations take the time to educate their employees on how to report suspicious links to IT staff when they see them. “Our best deterrent is the end user, hands down, based on the current environment,” Stafford said.