The fragmented healthcare ecosystem has long been rife with potential cybersecurity and privacy vulnerabilities. Long before the coronavirus pandemic began to unfurl across the globe, healthcare organizations were struggling to manage the mounting risks and costs of cybersecurity and privacy incidents. Today, however, the risks are higher than ever as organizations have rushed to implement new technologies to provide healthcare during the COVID-19 crisis. Medical visits have shifted from in-person to virtual, but the underlying technology is still in the waiting room.
Hasty deployment of technologies and processes, often without proper consideration of cybersecurity and privacy threats, can introduce new risks to providers. As operations shift from an organization-controlled IT environment to the questionably secure home networks of individual providers and patients, the threat landscape increases exponentially. Underscoring that risk is the need for interoperability among the disparate systems and data that support virtual care.
Meanwhile, cybercriminals have been quick to design social engineering-based campaigns that use COVID-19-themed lures to prey on public anxiety about the pandemic, and ransomware continues to be one of the most severe threats. These attacks can leave healthcare providers facing theft of information such as medical data related to COVID-19 vaccines, patient records, treatment plans, and financial information, which are all needed for hospitals to continue their business.
Consider, for instance, a recent attack on the University of California San Francisco’s School of Medicine, which is developing COVID-19 antibody testing and clinical trials. In early June, hackers stole data from UCSF and then launched malware that encrypted certain servers within the School of Medicine, making them temporarily inaccessible, the university said in a release. The cybercriminals demanded a ransom, and UCSF paid a portion, approximately $1.14 million, to unlock and return the data.
In a widened playing field, healthcare organizations need all the help they can get in protecting themselves and their assets. Read on for an overview of current threats and steps to take toward better managing them.
Virtual care under the pressure of a pandemic
As governments and businesses began to issue work-from-home mandates in March, many healthcare organizations scrambled to establish remote-work processes and technologies for nonclinical employees and telemedicine.
In a study conducted by the Ponemon Institute and IBM Security, 54% of responding organizations across industries had required remote work in response to the pandemic, and 70% of those respondents said that remote work would increase the cost of data breaches. This percentage is staggering, especially when you consider that the study found the average cost of a data breach in the healthcare industry to be $7.13 million, a 10.5% increase over last year’s study and the highest average breach cost of any industry included in the study.
It seems likely that both remote work and telemedicine will remain staples of healthcare long after COVID-19 subsides, yet many organizations have not implemented a secure remote-work program to help protect against breaches and other risks. Healthcare employees and privileged providers, including certain physicians working at a hospital, as well as subcontractors and consultants, may be using personal devices to access videoconferencing and cloud-based applications across unsecured internet and Wi-Fi networks. Doing so can allow criminals to intercept protected medical treatment records and prescriptions in transit.
Similarly, the spike in demand for telemedicine has spurred healthcare organizations to adopt new technologies that may not support security for sensitive health data, and that can expose them to regulatory fines and penalties.
New technology demands have increased the use of Internet of Medical Things (IoMT) devices like insulin pumps, pacemakers, and home health-monitoring tools as part of treatment plans. It’s a market that’s poised to grow; Fortune Business Insights projected in February that the global market would grow from $18.75 billion in 2018 to $142.45 billion by 2026.
These devices and applications are embedded in or worn by patients to monitor their health, and they connect via the internet to deliver clinical patient data to the care provider. IoMT equipment is yet another vector by which nefarious actors can access information they should not be able to reach. These devices are often used by patients with limited technical know-how and frequently remain unsupported by their manufacturers. The concern is even more serious because exploitation could allow bad actors to intercept sensitive medical data, implant malware, or cause device malfunctions – all of which could have life-threatening consequences.
The complexity of interoperability
Exacerbating the risk to organizations is the need to improve interoperability and end-to-end integration of all systems and data across the ecosystem. That’s a challenge because healthcare comprises a sprawling jumble of patients, providers, payers, and regulators that often have unaligned, and even conflicting, priorities. Compounding matters, each organization typically uses multiple different technologies and incompatible data types.
In its simplest form, interoperability is the ability of information to flow freely throughout the healthcare system and to deliver patient data in an easy-to-understand format. It enables disparate systems to communicate information to one another. Supporting interoperability will require that all healthcare players adhere to the same rules and the same data standards.
The trouble is, sharing and processing data across systems can be an extraordinarily complex undertaking. One reason is that vendors of connected devices and equipment often do not provide technical support and security patches for their products. Consider, for instance, that 83% of connected medical-imaging devices run on outdated, unsupported operating systems, according to a 2020 report from Palo Alto Networks’ global threat intelligence team Unit 42.
Managing healthcare risks in a remote environment
To manage new risks and keep pace with evolving healthcare threats and vulnerabilities in the current environment, healthcare organizations should consider these focus areas to improve their cybersecurity and privacy capabilities and enhance operational efficiencies:
- Enterprise risk management: Understand the long-term risk-management impact of new technology solutions.
- IT security audit: Thoroughly assess the organization’s IT security technologies, processes, and people skills to identify gaps and opportunities for improvement, assess the interoperability of IT systems and data, and integrate IT solutions with finance systems.
- Cyber-risk assessment: Assess current risks based on the organization’s most valuable assets to understand current security controls, processes, and technologies.
- Regulatory compliance: Review and confirm compliance with data protection mandates required by laws such as the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA).
- Device security: Identify all devices connected to your network and the risks they may introduce.
- Patient access to records: Improve the usability and security of patient portals to streamline access to medical information, as aligned with the federal government’s direction and requirements from the CMS Interoperability and Patient Access final rule.
- Employee training: Establish a tailored employee awareness and training program to educate users on current cybersecurity threats, data-governance practices, and good cybersecurity hygiene.