Why Cybersecurity must be a top priority in Healthcare
The healthcare industry is a target for cybercriminals. Here's how cybersecurity can help protect data - and lives.
The Healthcare field is a top target for cybercrime. Fortified Health Security’s mid-year report showed that the healthcare sector suffered about 337 breaches in the first half of 2022. The risk of cyber-attacks on healthcare organisations has grown dramatically since the Covid19 pandemic, with some of the largest healthcare companies becoming victims, causing major costs and disruption. Stay-at-home directives during the pandemic forced healthcare companies to rush into providing telecare before cybersecurity safeguards were in place to protect medical systems, devices and networks. This escalated the cyber risk factors, placing patients’ care and privacy at risk.
When we talk about the cost of a data breach, we know costs go way beyond financial damage. When targeting hospitals and healthcare facilities, criminals sometimes steal personal information. Other times, they might even shut down medical equipment and systems. The more severe consequence of a leak is how it can affect patient lives and contribute to the deterioration of the health conditions of millions of people.
"Every industry and every subindustry in healthcare is seeing an increase in attacks. We're seeing increased attacks on medical devices. We're seeing increasing attacks on life sciences organisations. We're seeing it for a variety of reasons. This isn't going away." Taylor Lehman, director of the Office of the CISO for Google Cloud to Bank Info Security.
Healthcare data breaches in 2022
Cyberattacks targeting hospitals and health companies worldwide have affected millions of individuals. Predictions that cybercrime targeting hospitals would be on the rise proved accurate, with an increasing number of ransomware attacks. We listed three of the data breaches that impacted lives and organisations this year:
Medibank, one of the largest Australian private health insurance providers, suffered one of the most significant data leaks of 2022. Although announced in October, when officers at the Australian Signals Directorate (ASD) detected suspicious activity, the company is still dealing with the consequences of the leak. Medibank's Ransomware Saga Continues, as the company said it would not pay the ransom and criminals keep threatening to publish stolen records of roughly 9.7 million customers and health claims data for almost 500,000 customers.
Also in October, Chicago-based medical giant CommonSpirit Health confirmed a ransomware that exposed the personal data of more than 620,000 patients. The incident affected electronic health records and delayed patient care in multiple regions.
In April, Yuma Regional Medical Center (YRMC) also suffered a ransomware attack. Although EMR systems were not affected, the stolen files exposed patient names, Social Security numbers and private health information of around 700,000 individuals.
How can we improve healthcare's cybersecurity?
Healthcare facilities and providers hold an extensive set of databases of patient records, including personal and medical information, which need to be protected from unauthorised access, loss, theft or any type of disclosure. Still, it also needs to be available for doctors and other healthcare professionals as well as the patients themselves to access and use for patient care.
In this case, healthcare facilities could use data-in-use encryption to protect patient records while accessed or processed. Homomorphic encryption allows documents to stay encrypted during usage so doctors can perform mathematical operations on the encrypted data, such as calculating a patient's body mass index or blood pressure. There's no need to decrypt the data, ensuring that sensitive information is protected while it's still available for patient care.
Doctors can efficiently work with protected data by structuring it into predetermined fields such as height, weight, blood pressure, etc. Homomorphic encryption would only be applied to specific areas that contain sensitive information, ensuring protection and security without compromising performance and ease of use.
This is just an example of how encrypted data can improve patient data privacy, but there are many different approaches. Protecting patient data and mitigating the consequences of a leak also involves having technical safeguards in place to prevent unauthorised access to electronic protected health information (ePHI).
Compliance, GDPR and HIPAA regulations
The business value to a healthcare organisation using these technologies is protecting sensitive patient information without compromising access and patient care. However, another advantage is complying with various privacy and security regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).
Data-in-use encryption allows facilities to demonstrate that they're taking appropriate security measures to meet vital compliance requirements.
In addition, using data-in-use and homomorphic encryption would also help protect the hospital against the negative consequences of data breaches and insider threats, working as an extra layer of protection.
If an attacker were to gain access to the hospital's network or systems, they would not be able to view or manipulate the patient records unless they also had the appropriate encryption keys. And, in the worst-case scenario of a leak, encrypted data is absolutely useless to criminals.
Why healthcare organisations need fully functional data-in-use encryption
Most encryption methods don’t protect data that is being used by your team using their apps. Your ePHI is vulnerable to a data breach at this point. With Vaultree, your ePHI remains fully encrypted at rest on your server, in transit on your network and in use by your team using their apps. This mitigates your risk of a data breach because even if your data is lost or stolen at any point of its lifecycle, it would be completely useless. Your data is safe, and so are your patients.
More from our blog
Here's why our $12.8 million funding round is a major development not only for us, but for the world of data privacy