This article has been written by Meenakshi Mishra pursuing a Diploma in Business English Communication for International Professionals and Remote Workers course from Skill Arbitrage.
This article has been edited and published by Shashwat Kaushik.
Introduction
We are living in a digital world. Today, from locking our house to making a payment, from listening to music to purchasing a product, we use technology. Everything is at our fingertips, but great power comes with great responsibility. The risk of being caught in one forgery or scam or another is always there. Daily, through our activities, we leave a high volume of digital footprints. The more data we share, the greater the risk of attracting the attention of cybercriminals. Scammers keep inventing new ways of blackmailing and cheating. However, keeping a distance from technology is not the solution.
Cybersecurity is critical for protecting our data and personal information, such as name, address, tax file numbers, Aadhaar number, and credit card information. This data is the lifeblood of cybercriminals. From our daily household chores to our business, we rely heavily on technology. Almost every business maintains its financial records, employee data, and customer information on its network. Imagine the situation if that information falls into the wrong hands.
Types of cyber attacks
Cybersecurity includes planning and implementing strategies and measures to protect against, detect, and respond to malicious attacks that can compromise the confidentiality, integrity, and availability of information.
Cyberattacks can be of many varieties. Some of them are mentioned here:
- Malware: malicious programs that can infiltrate and damage systems.
- Ransomware: cryptovirological malware that blocks access to data, permanently unless a ransom is paid.
- Phishing: emails or texts carrying links to malicious websites, sent to steal confidential information.
- Brute-force attacks: repeated trial-and-error guessing of passwords.
- DDoS (distributed denial of service): a system is made inaccessible by overloading it.
- Code injection: malicious code is injected into an application, altering its execution and granting unauthorised access.
- Zero-day attack: an attack on a security flaw for which the software or device owner has had zero days to prepare a fix.
The growing importance of cybersecurity within the healthcare sector
Our health sector is also not untouched by this danger. It has been using technology to a vast extent, from MRI to infusion pumps and from CCTV to HVAC systems. They handle sensitive information related to their patients and become a sector prone to cyber-attacks. Electronic information needs to be protected from unauthorised access or disclosure. Patients share the data with trust with the healthcare organisations and they have to
To remove the issues with the conventional healthcare system, new IoT-based healthcare software applications have helped manage the security of healthcare data for a modern healthcare system (Managing Security of Healthcare Data for a Modern Healthcare System, PMC, nih.gov). MIS is a system developed to maintain healthcare data. The efficiency of e-healthcare services is enhanced by providing quality treatment to patients and boosting cooperation and patient outcomes at lower costs. IoT has changed the scenario: the approach of healthcare organisations has shifted from disease-centric to patient-centric and from a volume-based approach to a value-based strategy for healthcare delivery. Healthcare organisations are moving towards patient safety controls, widespread access to data, remote inpatient monitoring, quick intervention strategies, and decentralised electronic medical records (EMR).
Since the advent of AI, the healthcare sector has made significant progress. AI tools built on machine learning algorithms, natural language processing, and computer vision are helping healthcare organisations analyse data, discover intricate patterns, draw insights, and enhance and optimise treatment strategies. Healthcare organisations are open to new technologies, but certain issues are holding the field back, such as difficulty in training AI models because insufficient medical data is available for training. There are also risks of data breaches. Research into security loopholes in the implementation pipeline is ongoing.
According to the research conducted by IBM and Ponemon Institute, healthcare suffers a loss of $408 per stolen record. Another report revealed that globally, in the first half of 2022, cyber security threats increased by 51% compared to 2021. In India alone, the healthcare industry suffered 1.9 million cyber attacks in 2022, according to data published by the cyber security think tank Cyber Peace Foundation and Autobot Infosec Private Limited.
Why hackers target the healthcare industry
Healthcare organisations are most often targeted because:
- Digitisation provides a route for attack.
- Various medical devices are interconnected across different physical locations.
- Security is lacking.
- A high volume of valuable data is available.
- They include emergency services, so the chances of a ransom being paid quickly are high (downtime is very costly and regulatory pressure is strong).
- Trained staff are lacking.
Case studies and potential impact of data breaches on patients and providers
According to IBM’s 2023 Cost of a Data Breach Report, the average cost of a healthcare data breach in the U.S. was USD 10.93 million, having climbed 53% over the past three years along with the frequency of incidents. Healthcare saw over 500 incidents in 2023, as stated by Verizon.
On November 23, an attack paralysed the servers of AIIMS, and a case of cyber terrorism was registered by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi police. The incident was investigated by the Computer Emergency Response Team (CERT-In), the Delhi Cybercrime Special Cell, the Indian Cybercrime Coordination Centre, the Intelligence Bureau, the CBI, and the National Investigation Agency. During this cyberattack, the hospital’s data, including patient records, financial information, and medical images, was encrypted, resulting in the shutdown of its IT cell. During the incident, internet services were blocked on the recommendation of the investigating agencies. The hospital’s outpatient and inpatient digital services, the smart laboratory, billing, report generation, and the appointment system were affected. Sun Pharmaceuticals and Safdarjung Hospital also suffered cyber attacks. These attacks resulted in leaked data and financial losses, and the goodwill of the hospitals was affected.
The biggest cybersecurity attack was the July 2023 breach of a Tennessee-based hospital and clinic operator, HCA. Hackers accessed and took the data of 11 million patients from an external storage location, which had been used to format emails and calendar reminders sent to patients. Many people filed class action lawsuits alleging that HCA was responsible for this data leak.
Medibank data breach: As reported at https://www.bbc.com/news/world-australia-68064850, Australia faced its worst data breach in 2022, in which 9.7 million patients’ data was stolen. Australian intelligence authorities blamed a Russian man, Aleksandr Ermakov, for the cyberattack; he was believed to have ties with the Russian cybercrime gang REvil, which was linked to attacks across Europe, the US, and the UK. It was seen as the single most devastating cyber-attack the nation had experienced. Cyber sanctions, including financial penalties and a travel ban, were imposed on Aleksandr Ermakov. The cybercriminals demanded a $10 million ransom, which Medibank refused to pay, resulting in the online publication of sensitive documents, including abortion records. The hackers stole login details and accessed Medibank’s customer data, including that of athletes, media figures, and Prime Minister Anthony Albanese.
Recently, the US suffered two major cyber attacks this year whose effects are hard to quantify; tens of millions of dollars were paid in ransom alone. One was on Change Healthcare and another on Ascension, a network of 140 hospitals in the US. In February, Change Healthcare was attacked by a hacker group called BlackCat and paid a ransom of $22 million. In this attack, ransomware broke into the network and stole as much data as possible; the attackers demanded money to keep the stolen data private and not leak it.
Among other attacks was the one that affected a hospital in France, where 61 gigabytes of data were stolen and leaked by another hacker group. In another incident, a pathology company in the U.K. was hacked, preventing surgeries and blood donation from happening.
Key challenges in healthcare cybersecurity
Healthcare organisations are increasingly becoming targets of cyberattacks due to the wealth of sensitive patient data they possess. This data includes personally identifiable information (PII), protected health information (PHI), and financial records, all of which are valuable to hackers. In addition, healthcare systems are often complex and interconnected, making them difficult to secure.
Lack of awareness and education
One of the biggest challenges in healthcare cybersecurity is the lack of awareness and education among healthcare professionals about the importance of cybersecurity. Many healthcare professionals are not aware of the risks posed by cyberattacks, and they may not be taking the necessary steps to protect their organisations.
Unpatched software and systems
Another challenge is the prevalence of unpatched software and systems in healthcare organisations. Unpatched software contains known vulnerabilities that can be exploited by attackers. Healthcare organisations need to make sure that all of their software and systems are up to date with the latest security patches.
Insider threats
Insider threats are a significant risk to healthcare cybersecurity. Insider threats can be employees, contractors, or even patients who have access to sensitive data. These individuals may intentionally or unintentionally compromise the security of healthcare data.
Limited resources
Healthcare organisations often have limited resources to invest in cybersecurity. This can make it difficult for them to implement the necessary security measures to protect their data.
Regulatory compliance
Healthcare organisations are subject to a variety of regulations that require them to protect patient data. These regulations can be complex and difficult to comply with, and they can add to the cost of cybersecurity.
Evolving threats
The cybersecurity threat landscape is constantly evolving, and healthcare organisations need to be prepared for new threats. This requires them to have a strong cybersecurity program that is able to adapt to changing threats.
Connected medical devices
The increasing use of connected medical devices in healthcare poses a new set of cybersecurity risks. These devices can be vulnerable to attack, and they can be used to gain access to patient data. Healthcare organisations need to make sure that these devices are properly secured.
Lack of collaboration
Another challenge in healthcare cybersecurity is the lack of collaboration between healthcare organisations. Healthcare organisations often work in silos, and they may not be sharing information about cybersecurity threats and best practices. This can make it difficult for healthcare organisations to protect themselves from cyberattacks.
Solutions for cyber security
In today’s digital age, healthcare organisations are increasingly reliant on technology to store, transmit, and access sensitive patient information. This has made them a prime target for cybercriminals, who are constantly looking for ways to exploit vulnerabilities in healthcare IT systems. To protect themselves from these threats, healthcare organisations need to have a robust cybersecurity strategy in place.
There are a number of essential steps that healthcare organisations should undertake to procure, implement, and optimise their cybersecurity strategies and solutions. These steps include:
- Conduct a risk assessment: The first step is to conduct a risk assessment to identify the potential threats to your organisation’s IT systems. This assessment should include an analysis of your organisation’s vulnerabilities as well as the likelihood and impact of potential cyberattacks.
- Develop a cybersecurity strategy: Once you have identified the risks to your organisation, you need to develop a cybersecurity strategy that addresses those risks. This strategy should include specific goals and objectives, as well as the steps that you will take to achieve those goals.
- Implement cybersecurity solutions: The next step is to implement the cybersecurity solutions that you have identified in your strategy. These solutions may include firewalls, intrusion detection systems, and endpoint protection software.
- Educate your employees: One of the most important steps in protecting your organisation from cyberattacks is to educate your employees about cybersecurity risks. Your employees need to be aware of the latest threats and how to protect themselves from them.
- Monitor your IT systems: Once you have implemented your cybersecurity solutions, you need to monitor your IT systems for suspicious activity. This monitoring should be conducted on a regular basis and be used to identify and respond to any potential threats.
- Incident response planning: Finally, you need to have an incident response plan in place in case of a cyberattack. This plan should include the steps that you will take to contain the attack, mitigate the damage, and restore your IT systems.
By following these steps, healthcare organisations can improve their cybersecurity posture and protect themselves from the growing threat of cyberattacks.
Regulatory compliance
Understanding the problems and the sensitivity of data breaches in the healthcare sector, there is a need for robust data protection regulation. Protected Health Information (PHI) is the data that offers great value to cybercriminals. The U.S. has the most robust healthcare regulations to protect health data: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). HIPAA has set the framework for data protection in healthcare since 1996, with many updates since. PHI is defined by 18 identifiers that cover everything from name and geography to biometrics. The HIPAA Security Rule covers the integrity, confidentiality, and availability of consumer data. Encryption and robust authentication for data access have to be maintained. Electronic or other data containing any of the 18 identifiers comes under the remit of the law. All organisations covered by HIPAA must follow administrative, physical, and technical safeguards.
HITECH, enacted in 2009, focuses on electronic health records (EHR) to cover the increased use of electronic versions of PHI, that is, ePHI.
Organisations that have an Electronic Health Record system in place must ensure that users can:
- Gain access to their ePHI.
- Assign their ePHI to a third-party recipient.
- Give or deny consent to its use, except under exclusions such as treatment, payment, or healthcare operations.
Federal and state regulations, accreditation standards, internal policies and procedures, financial requirements, and OSHA standards are some healthcare regulations other than HIPAA.
Compliance in healthcare is to comply with industry standards and regulations to provide safe, secure, high-quality patient health care. According to SAI Global’s 2018 Healthcare Compliance Benchmark Report, 20% of healthcare companies have a staff person managing compliance, while 13% rely on one part-time worker. However, compliance is the responsibility of every person involved in the organisation. Every person has to perform duties ethically and legally. This can develop a culture of accountability and responsibility. Compliance plays a vital role in a highly regulated and high-risk healthcare industry. It is necessary to cover HIPAA and drug regulations to prevent trust issues.
Consequences of non-compliance for healthcare entities
If an organisation is non-compliant with HIPAA guidelines, it faces significant financial penalties, legal fees, reputational damage, patient attrition, corrective action plan costs, data breach expenses, increased regulatory oversight, loss of government funding, exclusion from federal programs, lawsuits, and operational disruptions. On the other hand, following HIPAA guidelines brings many benefits, such as enhanced patient trust, improved data security, reduced risk of legal and financial penalties, streamlined operations, and adherence to ethical and regulatory standards, which lead to better patient care and a stronger healthcare ecosystem. The cost of HIPAA compliance is significant, as it requires investment in infrastructure and ongoing training and monitoring, but the benefits of compliance outweigh the costs.
A study of 46 organisations by the Ponemon Institute found the cost of non-compliance to be about 3.5 times higher than that of compliance, with an average of $9.6 million for non-compliant organisations. Costs can go even higher. Non-compliance can result in the risk of financial losses, security breaches, licence revocations, lawsuits and settlements, business disruptions, poor patient care, erosion of trust, and a damaged reputation.
Best practices for cybersecurity
A strong healthcare data protection program depends on compliance. Protecting healthcare sector data is a tough job, as there is a need to balance patient care, safety and privacy with meeting regulatory requirements. Some measures to prevent data breaches are:
Cyber safety education for healthcare staff on handling sensitive information securely
Simple human errors can have a disastrous effect on the healthcare sector, so staff members should be properly trained and skilled to act judiciously in an emergency.
Protecting access to data and applications
Only trusted people should have access to patient data, and there should be limits on what they can do with it. Authentication methods such as user IDs and passwords, smart cards, or biometrics should be implemented to ensure that only authorised individuals can access patient data. An overview of SCIM provisioning can guide the automation of managing user identities in cloud-based applications and services.
Using data usage controls
Protective data controls ensure that risky or malicious data activity is flagged and blocked in real time. Healthcare organisations should use data controls to block specific actions involving sensitive data, such as web uploads, unauthorised email sends, copying to external drives, printing, and downloading. Data discovery and classification ensure that sensitive data is identified and tagged for the proper level of protection.
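As an added illustration (not code from the original article) of the data controls described above, the Python below tags text that matches a few constructed PHI identifier patterns and blocks the listed actions on tagged data while logging every decision; the patterns, the internal mail domain hospital.example and the sample record are assumptions.

```python
"""Added example, not from the original article: a minimal data usage control.
It (1) discovers and tags records containing PHI-like identifiers and
(2) enforces a policy that blocks the risky actions the article lists
(web upload, external email, copy to removable drive, print, download)
on tagged data, while logging every decision for later review.
The detector patterns, the internal mail domain and the sample record are
constructed for illustration; a real HIPAA classifier covers all 18
identifier types and needs far broader rules than these regexes."""
import re
from dataclasses import dataclass, field

# Illustrative detectors for a handful of HIPAA identifier types (constructed).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Actions the article says should be blocked when the data is sensitive.
BLOCKED_FOR_PHI = {"web_upload", "external_email", "copy_to_removable", "print", "download"}

INTERNAL_MAIL_DOMAIN = "hospital.example"  # assumed organisation domain
AUDIT_LOG: list[str] = []                   # decisions, suitable for forwarding to a SIEM


@dataclass
class Classification:
    label: str                          # "PHI" or "PUBLIC"
    identifiers: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


def classify(text: str) -> Classification:
    """Data discovery and classification: tag text as PHI if any identifier is present."""
    found = {name for name, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(text)}
    return Classification("PHI" if found else "PUBLIC", found)


def evaluate(action: str, text: str, destination: str) -> Decision:
    """Real-time usage control: decide whether `action` on `text` may proceed."""
    cls = classify(text)
    if cls.label == "PHI" and action == "email":
        # Mail inside the organisation is allowed; an external send is treated as exfiltration.
        if not destination.lower().endswith("@" + INTERNAL_MAIL_DOMAIN):
            action = "external_email"
    if cls.label == "PHI" and action in BLOCKED_FOR_PHI:
        decision = Decision(False, f"{action} of PHI blocked "
                                   f"(identifiers: {', '.join(sorted(cls.identifiers))})")
    else:
        decision = Decision(True, f"{action} permitted ({cls.label})")
    AUDIT_LOG.append(f"action={action} dest={destination} label={cls.label} allowed={decision.allowed}")
    return decision


if __name__ == "__main__":
    RECORD = "Patient John Doe, MRN 00123456, DOB 04/12/1961, phone 555-123-4567"  # constructed
    for action, dest in [("web_upload", "https://files.example"),
                         ("email", "dr.smith@hospital.example"),
                         ("email", "someone@mail.example"),
                         ("copy_to_removable", "E:\\")]:
        print(evaluate(action, RECORD, dest))
    print("\n".join(AUDIT_LOG))
```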
Monitoring log-ins and usage
The process should involve technical controls such as intrusion detection systems, and security information and event management (SIEM) systems and should control, monitor, and log access to data. Organisations should respond to any suspicious activity or unauthorised access promptly. There should be proper testing of the security of the systems and regular vulnerability assessments.
Using data encryption
Encryption should be part of a comprehensive security strategy combined with other security measures such as firewalls, intrusion detection systems, and access controls. Encryption means converting data into a code readable only by authorised individuals.
Healthcare professionals should identify the data that needs to be encrypted. It should include protected health information (PHI) and personally identifiable information (PII). Some methods of protecting data are symmetric encryption, asymmetric encryption, and hashing. Each method has its own pros and cons, and the organisation should choose the most appropriate method according to its specific needs.
Taking care of the security of devices
Mobile devices used by staff can be a source of data leakage. All devices, settings, and configurations should be managed and kept updated. Strong passwords should be used, and application data should be encrypted. Features to lock lost or stolen devices should be enabled. Email accounts and attachments should be monitored to prevent malware infections or unauthorised data exfiltration. Educating staff members about mobile device security updates is best practice. Apps should be installed from authentic sources only, and mobile security software should be installed.
Understanding connected device risks
In the healthcare sector, various devices are connected to the same network, and they need to be properly secured. Organisations should keep IoT devices on their own separate network, which should be continuously monitored to detect any suspicious activity or change that may indicate a breach. Non-essential services should be disabled or removed where possible. All devices should be kept up to date and use strong passwords and authentication methods.
Regular risk assessments
Regular risk assessments help identify potential vulnerabilities and threats to patient data and give time to develop strategies to mitigate or eliminate them. Risks of data breaches and unauthorised access can be controlled.
Off-site data backup
Data backup is essential to avoid loss in case of data breach, system failure, or other disasters. Data backup can be scheduled for varying frequencies and intervals. Full, incremental, and differential backups can be used as needed.
Careful evaluation of business associates’ compliance
Healthcare sector data is transmitted between collaborators for payments, patient care etc. continuously, so proper evaluation of all entities is essential. The HIPAA Omnibus Rule strengthened the guidelines and gave a clear idea of business associates, guiding the relationships needing contracts. The HIPAA Survival Guide explains the business associates and relationships with them.
Implementing a security management system
A set of policies, procedures, and guidelines for the confidentiality, integrity, and availability of patient data should be present.
An incident response plan should be in place. An incident response plan is a set of procedures and processes put in place to respond to and manage data breaches, system failures, or other security incidents.
A team should be assigned to manage data breaches, system failures, or other security incidents, and they should have a response plan ready. There should be proper communication between the team and all other parties. The incident response plan should be tested and updated from time to time.
Compliance with legal and regulatory guidelines
Healthcare organisations should comply with healthcare data protection laws and public authority regulations, such as HIPAA (Health Insurance Portability and Accountability Act) in the US and GDPR (General Data Protection Regulation) in the EU. If a healthcare professional runs a social media account, they must follow HIPAA guidelines and take care of the challenges of misinformation, cyberbullying, and privacy concerns.
Emerging technologies
Cybersecurity is important in any sector; in healthcare, it becomes of utmost importance as it involves the personal information of patients. Steps need to be taken by healthcare professionals to maintain trust. Security has to be maintained at every step, from the firewall to accessibility and USB port blocking.
With healthcare’s technological advancement, AI has a significant role in cybersecurity. AI has opened new doors in the field of healthcare as well as in security. AI systems built on machine learning learn from the behaviour of users and from machine logs. AI can be beneficial by detecting behavioural patterns and building security algorithms dynamically. The data stored by many big organisations is vast and can be studied more easily by AI than by humans. NLP (natural language processing), computer vision, and acoustic AI, built on deep neural network (DNN) architectures, process this data to identify security needs and the complexity and variations of attacks.
Hackers are using cutting-edge technologies and adopting new ways for cyber attacks so we need to make advancements at the same pace.
Blockchain has appeared as a game changer in providing cybersecurity. Blockchain technology records every piece of data entered as a block in a decentralised and immutable ledger, so that the chances of fraud and errors are minimised. There are many advantages to using blockchain in healthcare organisations, such as data integrity, transparency, traceability, and security in clinical trials. It improves medical record access and record keeping, cutting costs and time. With the help of an API, individuals can access relevant information without knowing the patient’s identity. Patients have full access to and control over their data.
Tele-surgery technology with the 6G-enabled Tactile Internet (TI) has arrived, and it is said that Healthcare 5.0 has begun. It uses blockchain to provide real-time and highly responsive healthcare facilities; a vulnerability check was also done for it. In 2021, a blockchain model was developed for the Internet of Medical Things (IoMT). Hyperledger Fabric technology has proven efficient in providing cybersecurity to the healthcare industry.
Recently, studies have suggested a new way of encrypting data: the LRO-S (Lionised Remora Optimisation-based Serpentine) Encryption Method, based on an improved security algorithm and hybrid metaheuristic optimisation. This research aims to reduce privacy breaches and cyber-attacks from unauthorised access.
Google has many projects and collaborations with the Health Information Sharing and Analysis Centre (Health-ISAC).
Cyberattacks cause a loss of $1.3 million per attack. Healthcare organisations should follow the latest trends and work towards a secure posture. These organisations should carefully monitor third-party vendors and educate themselves about the risks and about data leakage.
Conclusion
Many people are continuously innovating in the field of health technology, and many tech giants are interested in taking the healthcare industry to new heights. After the pandemic, digitalisation of the healthcare sector has become the need of the hour. Healthcare and technology have a symbiotic relationship in which AI, IoT and blockchain play an important role. Cybersecurity has become of paramount importance in this generation. By putting in our effort, we can create a secure and resilient digital landscape that enables innovation, growth, and peace of mind for all.
References
- https://arcticwolf.com/resources/blog/top-healthcare-industry-cyberattacks/
- https://www.bbc.com/news/world-australia-68064850
- https://hitachi-systems-security.com/data-security-regulations-overview-by-industry-healthcare/
- https://cphs.berkeley.edu/hipaa/hipaa18.html
- https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
- https://www.hipaajournal.com/cost-non-compliance-hipaa/
- https://www.powerdms.com/policy-learning-center/consequences-of-non-compliance-in-healthcare
- https://www.npr.org/2024/06/16/nx-s1-5004998/the-u-s-healthcare-industry-has-been-the-target-of-two-ransomware-attacks-this-year
- https://www.medesk.net/en/blog/data-protection-in-healthcare/
- https://www.digitalguardian.com/blog/healthcare-cybersecurity-tips-securing-private-health-data
- Managing Security of Healthcare Data for a Modern Healthcare System – PMC (nih.gov)
- https://www.linkedin.com/pulse/revolutionizing-healthcare-rise-smart-hospitals-ugzyc
- https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9733997/
- https://ihf-fih.org/news-insights/artificial-intelligence-and-cybersecurity-in-healthcare/
- https://onlinelibrary.wiley.com/doi/full/10.1002/ett.4884
- https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10098823/
- https://www.kiwop.com/en/blog/cybersecurity-a-vital-safeguard-in-the-digital-age
- https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf
- https://www.ponemon.org/local/upload/file/True_Cost_of_Compliance_Report_copy.pdf