By Prerna Lal, Assistant Professor, International Management Institute New Delhi, India
Abstract
Digital revolution has changed the way organizations work; the healthcare industry is no exception. Technologies like cloud computing, big data, analytics, Artificial intelligence has transformed the way data is stored and analyzed. Healthcare data contain sensitive information about an individual making it a unique situation as compared to other industries. Thus, the security of this care data becomes critical and needs consideration. The objective of this paper is to understand the information systems used by the healthcare industry and the kind of threats they face. Finally, what kind of steps organizations should take to ensure the security of carte data.
Introduction
From paper-based medical records to wearable medical devices, technology has played a crucial role in changing the healthcare landscape drastically over the past few years. Introduction of technologies such as cloud computing, big data, the Internet of Things (IoT), mobile applications, and analytics are the force behind this digital revolution in healthcare. On one hand, it has changed the way patients receive care be it tracking doctor’s appointment online, monitoring vitals through mobile-based health applications, or consulting doctors through telemedicine. While on the other hand availability of electronic health records (e.g. patient’s medical history, lab reports, etc.) has also helped doctors in making better and informed medical decisions. Thus, making it a win-win situation for two key stakeholders in the healthcare industry. As we can see whether it is providing or receiving care every decision requires one crucial component i.e. data. This is where technology comes into the picture. The exact role of technology in healthcare is to provide solutions where data is stored in a structured form, as well as it should be available anytime, anywhere through various devices either for quick reference or for decision making. Technology which is providing strength to the data in healthcare is also the one which is making it more vulnerable. Let’s look at one of the headlines
“HIV status of over 14,000 people leaked online, Singapore authorities say”[1] (CNN, Jan 29, 2019)
Scary, right!
The Healthcare industry has witnessed a surge in cyberattacks in the past few years. According to Statista medical/healthcare organizations have been the second-most attacked industry with 366 data breaches after businesses with the majority (571) breaches out of total 1244 data breaches reported during 2018[2]. Healthcare is attracting more cybercriminals for being more lucrative than any other industry. Interestingly, personal health information is 50 times more valuable on the black market than financial information, and stolen patient health records can fetch upwards of $60 per record (which is 10-20 times more than credit card information)[3]. Further, the weekly or daily frequency of cyberattacks on healthcare organizations is 39 percent as compared to financial organizations that stand at 34 percent[4].
The kind of cyberattacks faced by healthcare organizations varies from ransomware, malware, phishing, to insider errors. What makes this situation unique is that the impact of these cyberattacks not only put patient data at risk but also disrupt the healthcare service provider’s ability to provide care to the patients. Thus, leading to situations where the loss may not be limited only to money or data but a life.
Looking at these statistics we can see that there is an urgent need for designing and implementing efficient data security controls in healthcare. To understand these issues, we first need to look at the landscape of healthcare and what makes it vulnerable. Why hackers want health data? And what can be done to ensure the security of data?
Healthcare industry and information technology
The last decade has witnessed a drastic change in the fundamental business processes in the healthcare industry. Global health care expenditures are expected to continue to rise as spending is projected to increase at an annual rate of 5.4 percent between 2017-2022, from USD $7.724 trillion to USD $10.059 trillion[5]. Key stakeholders of healthcare i.e. patients, providers, payors, and policymakers (4P’s)[6] are now looking for innovative patient care services that are cost-effective, technology-enabled, easy to access and avail anywhere breaking the boundary of hospital walls. The healthcare environment is becoming more and more complex wherein patient care services are now not limited to hospitals but also at their home which may be in a different city or even a different country. Healthcare service providers such as doctors, nurses, pharmacists, administrative staff, technologists, and technicians, therapists work in different locations and use different information systems to manage healthcare data at their end. Payors in healthcare are entities (e.g. insurance providers) that take care of the financial aspect of health services which involves the processing of patient eligibility, services, claims, enrollment, or payment[7]. Finally, policymakers are the one who establishes the framework within which health care is provided to the country’s citizens. It is evident that there is a strong relationship between these key stakeholders which entirely depends on the collaboration of data which in turn is becoming a driving force behind the adoption of healthcare information systems (HIS).
Technologies such as cloud computing, Big data, virtual reality, artificial intelligence, and analytics have played a significant role in the evolution of healthcare information systems (HIS). These technologies are used to provide a networked HIS wherein data from each stakeholder of the healthcare industry can be stored and shared for compilation, analysis and synthesis, and communication and use[8]. The global healthcare information systems market size is expected to reach USD 169.2 billion by 2025, registering a 7.7% CAGR during the forecast period[9].
Healthcare information systems market comprises of various healthcare solutions targeting different stakeholders. It can range from Practice Management systems (PMS), Electronic Health Record (HER), Electronic Medical Record (EMR), Patient Engagement solutions, Revenue cycle management, Pharmacy information system, Laboratory information system, to the medical imaging system. Table 1 presents a summary of these tools and key players. With the advanced technologies cloud computing, it is possible to integrate these systems to provide care services that are more efficient in terms of collaboration, operations, and cost.
Table 1. Types of healthcare information systems
| System | Application | Examples |
| Practice Management Systems (PMS) | PMS are used to streamline the administrative workflow of practice (e.g. hospital).
|
AdvancedMD, Advanced Data Systems |
| Electronic Medical Records (EMR) | An electronic medical record (EMR) is a single practice’s digital version of a patient’s chart. An EMR contains the patient’s medical history, diagnoses and treatments by a physician, nurse practitioner, specialist, dentist, surgeon or clinic. | Epic, Allscripts |
| Electronic Health Records (EHR) | EHRs are built to share information with other health care providers and organizations – such as laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics – so they contain information from all clinicians involved in a patient’s care. | eClinicalWorks, Cerner |
| Patient engagement solutions | Patient engagement software is an electronic system designed to communicate with patients, provide educational resources, or manage the patient-provider relationship. | NextGen Healthcare, AdvancedMD |
| Revenue cycle management | Revenue cycle management (RCM) is the financial process, utilizing medical billing software, that healthcare facilities use to track patient care episodes from registration and appointment scheduling to the final payment of a balance. | Athenahealth, Convergent |
| Pharmacy Information System | Assists pharmacists to manage the medication process. | |
| Laboratory Information Systems | A laboratory information system (LIS) is a software system that records, manages, and stores data for clinical laboratories. | Sunquest Information Systems, SSC Soft Computer |
| Medical Imaging Information System | Tracking billing information and radiology imaging. | Softneta, eMedica |
Security issues in healthcare
The today healthcare industry relies a lot on technology solutions that are connected and accessible through the internet. These networks aide providers and payors in making a quick and efficient decision so the care can be provided with better efficiency. But we cannot oversee the fact that these technologies or networks are also making the healthcare industry a soft target for cybercriminals and hackers for wrong motives.
What is at risk?
Yes, you guessed it right, data. As mentioned in Table 1 there are various types of healthcare information systems that can be used by providers or payors to manage data of different entities. First, the key data in healthcare is of the patient which will include personal information such as name, address, social security number, contact details, date of birth and health data like illnesses and hospitalizations, allergies and adverse drug reactions, medications and dosing, surgeries, clinical data, etc. Second, financial data i.e. bank account number, credit card details, etc, which patients may have used to make payments using their credit cards or online banking, etc. Third data regarding claims settlement with payors. Finally, it can be the Intellectual healthcare data regarding medical research, patents, etc.
What is the motive?
First and foremost, the main reason for data breaches is to make a lot of money by selling patient health data. In deep web marketplaces, medical health record is expected to be worth hundreds or even thousand dollars as compared to the credit card or social security number which are around 25 cents and 10 cents respectively[10]. Further data can be used to make money by creating duplicate credit cards and conducting frauds. Another scenario may be medical identity theft wherein patient’s data can be used by someone else for receiving medical treatment, drugs, or submitting false claims for medical services. Finally, the motive can be to damage the healthcare provider’s brand or business by hacking the intellectual property and selling it to the competitors.
What type of security threats are there?
Hackers and cybercriminals have been keeping the IT security companies on toes. It will not be wrong to say that as compared to organizations they are the ones using new technologies for devising new ways to do the crime.
- Ransomware and other malware
In Nov 2018, two hospitals owned by Ohio Valley Health Services & Education Corporation (Ohio Valley Medical Center in Wheeling and East Ohio Regional Hospital in Martins Ferry, Ohio) became the victim of a ransomware attack. This attack impacted the emergency functions of medical care as they were forced to shut down their IT systems.
“At the moment, our emergency rooms are unable to take patients by E-squads, but we can take patients by walk-in[11],” (Karin Janiszewski, director of marketing and public relations for EORH and OVMC, 25 Nov 2018)
Ransomware attack in healthcare has serious implications as they can be used to hijack information systems as well as the medical devices connected through the network or even shut down the entire medical facility until the ransom is paid. Out of all the industries healthcare is one of the top industries targeted by ransomware attack[i]. Moreover, 18 percent of medical devices have been the target of malware attacks last year[ii].
- Phishing
On August 20, 2018, Portland, Oregon-based Legacy Health notified 38,000 patients that a phishing attack might have breached their data[iii]. Further, their investigation revealed that unauthorized third party gained access to some of the email accounts of employees that may have contained some patient information e.g. patients’ name, dates of birth, health insurance information, billing information, medical information regarding care received at Legacy Health and, in some cases, social security numbers and driver’s license numbers.
In a phishing campaign, an attacker poses as a legitimate person or entity in an email to get the target to provide valuable information, such as credentials, or click on a link that results in ransomware being downloaded on the victim’s machine. Employees who are not careful may click on the link or provide confidential details which may lead to fraud. According to the study conducted by Cofense “Payment Notification” emerged as the top healthcare phishing attack Subject[iv]. The 2018 Verizon data breach report revealed that phishing attacks are not only prominent, they’re also on the rise, with 43% of data breaches stemming from such incidents[v].
- Insider threats
On Jan 20, 2016, Wall street journal reported that five people, including two former research scientists of the pharmaceutical giant GlaxoSmithKline (GSK), were charged in the U.S. with scheming to steal trade secrets and sold them to the organizations operating in China[vi]. The stolen data included intellectual property such as information regarding the research development of multiple biopharmaceutical products. In 2018, both scientists pleaded guilty to committing intellectual property theft, but the exact amount of financial damage has yet to be calculated. Additionally, insider threats not only include employee stealing data but vary from incidents happening due to error or carelessness to the theft of employee laptop containing confidential data[vii].
- Technology management issues
On Dec. 26, 2018, UW Medicine reported that misconfigured databases lead to the exposer of patient data on the internet for several weeks. The exciting part is that breach was discovered by a patient looking for his own name on google and ended up finding the data related to UW medicine files containing patients’ names, medical record numbers, and a description and purpose of the information[viii]. Other than misconfigured databases or servers, lack of appropriate IT security implementation in the organization or IT vendors who are providing or managing IT solutions on your behalf may be the reason for a data breach. In addition to that usage of cloud platforms by the HIS providers is also increasing the risk of security of data.
- Risks of using Internet-enabled connected healthcare devices
With the introduction of the Internet of Medical Things (IoMT) has made it possible to provide real-time care to the patients can save lives in emergency situations like heart-failure, asthma attacks, or diabetes. IoMT devices can collect real-time data regarding blood sugar levels, blood pressure, heartbeat, etc. which can be monitored by the care provider to make decisions regarding medication. Continuous Glucose Monitor, Closed-loop (automated) insulin delivery system, smart inhaler, Bluetooth-enabled coagulation system are a few examples of IoMT systems in healthcare. The market of IoMT is growing and is expected to drive nearly $47 billion in revenues in healthcare revenue by 2020[ix]. With convenience comes the cost. The cost here is the risk of loss of very personal health data captured by these devices which are stored using cloud platforms. In one of the cases in 2018, a fitness tracking application Strava which is used to track and share daily exercise routes by individuals revealed sensitive information about the location of US army bases[x].
In sum, security risks faced by healthcare information systems range from ransomware, malware attacks, phishing, a threat from inside actors such as employees, HIS solution providers or maybe the technology mismanagement. Table 2 lists some of the significant breaches to understand that these attacks are not just limited to a specific type of attack, specific geography, or a variety of healthcare information systems.
Table 2: Major attacks faced by the Healthcare industry
| S.No. | Year | Organization | Type of breach | Impact | Reference |
| 1 | March 2019 | Meditab, California | Fax server wasn’t properly secured i.e. no password, giving access to anyone who could read the transmitted faxes in real-time. | Thousands of records leaked including medical records, doctor’s notes, prescription amounts and quantities, as well as illness information, such as blood test results etc. The faxes also included names, addresses, dates of birth, and in some cases Social Security numbers and health insurance information and payment data. | https://techcrunch.com/2019/03/17/medical-health-data-leak/
|
| 2 | May 2018 | Rush University Medical Center, Chicago, USA | An employee from the billing department disclosed a file to an unauthorized party | Names, addresses, birth dates, and Social Security numbers of 45,000 patients were exposed | https://www.govtech.com/security/Medical-Center-Data-Leak-May-Have-Exposed-45K-Patients.html
|
| 3 | Oct 2018- Mar 2019 | Secur Solutions Group (SSG), a vendor of the Health Sciences Authority (HSA), Singapore | Accessed illegally from vendors system | Personal information of more than 800,000 blood donors exposed online
|
https://www.channelnewsasia.com/news/singapore/blood-donors-information-exposed-online-hsa-11349308
|
| 4 | Dec 2018 | UW Medicine, Washington | A misconfigured database which was the result of a coding error | Data of around 974,000 individuals was exposed on the internet | https://www.bankinfosecurity.com/misconfiguration-leads-to-major-health-data-breach-a-12042
|
Steps to be taken to ensure the security of data
Looking at the increasing number of data breaches in healthcare over the years raises the alarm for healthcare organizations to take strong measures to deal with the situation and ensure that they should be ready to deal with these threats. They need to change their approach from being reactive to proactive in their approach to deal with the situation. Some of the actions they may take are as follows:
- Raising awareness of vulnerabilities and threats among users
Users are the ones posing a major threat to any information systems. Users in the case of healthcare information systems include patients, hospital staff, doctors, nurses, therapists, etc. who are using the systems to store, retrieve, or analyze care data. Any human error or carelessness in using a system may lead to a data breach. Thus, healthcare organizations should ensure that they provide training to the employees with respect to the usage of HIS as well as what are the risks associated with them. Users should have a clear understanding of what kind of data they are dealing with and how sensitive the data is and what steps they should take to ensure that none of their actions should cause the breach. It may be as simple as ensuring that they log off from the system after using it, don’t share their login credentials even with peers, and keep their laptop safe. The awareness regarding security should not be a one-time activity, users should be reminded again and again over a period for better results.
- IT Compliance
Organizations that follow security compliance are always at lower risk and better prepared to deal with security threats. NIST, HITRUST, Critical Security Controls, ISO, COBIT are a few examples of the IT security frameworks followed by organizations all over the world. In a 2018 HIMSS Cybersecurity Survey, NIST was identified as the most popular framework adopted by 57.9 percent of the healthcare organizations. The guidelines for security standards differ from country to country for example ISO 27001 is applicable internationally while HIPAA is applicable in the United States.
The benefit of compliance to any security standard ensures that proper measure has been taken by the organization to safeguard the data. In addition to that, they also have well-defined procedures for risk management and business continuity in the organization.
- Using Artificial intelligence-based security solutions
The latest trends in IT security are the use of artificial intelligence-based security solutions. The benefit of using AI-based solutions is that they have the capability of identifying any unusual activity or behavior in the organizational network and raise the alarm. This can help IS security managers in taking preventive steps to stop the breach. In addition to that, there are automatic AI-based response systems are available that can handle any incident and act without human intervention. In the case of healthcare organizations need to invest in AI-based solutions because it can help them in saving a lot of cost due to the data breach.
Conclusion
Though data is an important asset for any industry but in the case of healthcare, it poses unique challenges as discussed. Ensuring the security of data in healthcare is not the responsibility of just one stakeholder but everyone must do their part to make it work be it patient, provider, payor or policymaker. Healthcare information systems can’t operate in isolation they need an integrated approach to provide efficient collaboration and communication between information systems used by different providers. In case any one of the links in the network is weak the ball will be in the court of criminals which may lead to a breach leading to severe damages. Research studies suggest that the healthcare industry is becoming one of the prime targets by criminals, therefore, there is an urgent need to take preventive measures by the industry stakeholders to ensure the security of care data.
About the Author
Prerna Lal is an Assistant Professor in Information Management at International Management Institute New Delhi, India, and a published writer in journals and publications, both Indian and international. She is an engineer with an MBA degree (IIT-Roorkee). She is an SAP- certified consultant and has ITIL® V3 Foundation-level certificate in IT Service Management. She has more than 16 years of experience in academics and research with areas of interest being Data Warehousing and Data Mining, Business Analytics, Management Information System, Software Project Management, IT Service Management, Cyber Law, and Cloud Computing. She earned her Ph.D. in the area of Cloud Computing from Banasthali University, Rajasthan, India. She can be reached at [email protected].
[1] https://edition.cnn.com/2019/01/28/health/hiv-status-data-leak-singapore-intl/index.html
[2] https://www.statista.com/statistics/273572/number-of-data-breaches-in-the-united-states-by-business/
[3] https://cybersecurityventures.com/cybersecurity-almanac-2019/
[4] https://www.radware.com/ert-report-2018/
[5] https://www2.deloitte.com/global/en/pages/life-sciences-and-healthcare/articles/global-health-care-sector-outlook.html
[6] https://jln1.pressbooks.com/chapter/3-introducing-the-key-stakeholders-patients-providers-payors-and-policymakers-the-four-ps/
[7] https://blog.definitivehc.com/top-healthcare-payers
[8] https://www.who.int/healthinfo/statistics/toolkit_hss/EN_PDF_Toolkit_HSS_InformationSystems.pdf
[9] https://www.researchandmarkets.com/research/jvdvpz/the_global?w=5
[10] https://www.forbes.com/sites/mariyayao/2017/04/14/your-electronic-medical-records-can-be-worth-1000-to-hackers/#3c11158050cf
[11] http://www.timesleaderonline.com/news/local-news/2018/11/hospitals-patient-information-safe-in-eorh-ovmc-computer-attack/
[i] https://www.beazley.com/documents/TMB/Factsheets/beazley-bbr-ransomware-factsheet-us.pdf
[ii] https://www.healthcareitnews.com/news/malware-hits-medical-devices-18-percent-healthcare-orgs-last-year
[iii] https://www.legacyhealth.org/our-legacy/stay-connected/newsroom/notice-of-email-phishing-incident.aspx
[iv] https://cofense.com/state-of-phishing-defense-2018/
[v] https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf
[vi] https://www.wsj.com/articles/five-charged-of-conspiring-to-steal-trade-secrets-from-glaxosmithkline-1453333452
[vii] https://securityboulevard.com/2018/03/employees-are-biggest-threat-to-healthcare-data-security/
[viii] https://www.bankinfosecurity.com/misconfiguration-leads-to-major-health-data-breach-a-12042
[ix] https://dzone.com/articles/addressing-security-issues-in-connected-healthcare
[x] https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases
;
We are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.