Cybercrimes directed against hospitals and healthcare systems have been on a massive upswing globally for several years.
IBM’s 2021 Cost of a Data Breach Report has some unsettling revelations about the sector.
It is clear that the health care industry is one of the favoured targets of cybercriminals. According to US healthcare data breach statistics, there were 599 reported breaches in 2020, affecting over 26 million records.
Ransomware, malware, phishing and other tools are employed by cybercriminals to extort large sums of money, steal private data from patients and providers, and defeat system safeguards. Worse, these attacks directly threaten patient care: “Ransomware attackers can disrupt or render inoperable critical medical technology such as radiology, lab services, electronic medical records and the systems which monitor lifesaving equipment, such as ventilators and heartbeat monitors.”
According to predictions by credit reporting firm Experian, the health care industry will continue to be a target for cyber attackers as “personal medical information remains one of the most valuable types of data for attackers to steal.”
Cyberattacks in Radiology
Although most cyberattacks have focused on large health care systems, radiology practices are now being targeted as well. In March and April 2019, two major exploits of the DICOM radiologic imaging standard were reported. These exploits underline that radiology is not immune to hacking and that its security concerns must be addressed. It is also pertinent to note that radiology practices manage a complex data environment in which protected health information (PHI) is transmitted and stored: RIS, PACS, computer information systems, DICOM, imaging equipment, mobile devices, e-mail, short message service (SMS) messaging, cloud storage, patient portals, and revenue cycle management systems. Each of these poses its own set of data security challenges, and together they give threat actors a wide attack surface, one that has broadened further as more radiologists work remotely.
Cybercriminals are becoming increasingly creative, launching sophisticated attacks in new ways. Some of the most frequently deployed attack vectors include:
- social engineering and phishing attacks that target individuals
- malware, zero-day exploits, and botnets that target systems and medical devices through default administrative credentials and known, unpatched software vulnerabilities
- ransomware attacks that target network and application infrastructure
- interception of PHI transmitted without encryption
- SQL (structured query language) injection against insecure internet-facing applications
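The last of these vectors is the easiest to show concretely. The following is an added example, not code from the original article or from databrackets: it builds a constructed in-memory SQLite table of patient studies (the MRNs, names and study descriptions are made up) and exposes the same lookup twice, once built by string concatenation and once as a parameterized query. A single injected value that a patient portal might accept as a medical record number turns the first version into a query for every row, while the second version treats the same input as an ordinary string and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed demo table of imaging studies; not real patient data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, study TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("MRN001", "A. Patient", "CT Chest"),
            ("MRN002", "B. Patient", "MRI Brain"),
            ("MRN003", "C. Patient", "XR Wrist"),
        ],
    )
    return conn


def lookup_vulnerable(conn, mrn):
    """Vulnerable: the caller's input is spliced into the SQL text, so quote
    characters in the input become SQL syntax rather than data."""
    sql = "SELECT mrn, name, study FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, mrn):
    """Hardened: the driver binds mrn as a value; it cannot change the query
    structure no matter what characters it contains."""
    return conn.execute(
        "SELECT mrn, name, study FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


# Classic tautology payload: closes the quoted literal and appends a
# condition that is always true, so the WHERE clause matches every row.
INJECTION = "' OR '1'='1"


def demo():
    """Run both lookups with a legitimate MRN and with the injection payload."""
    conn = make_db()
    return {
        "legit_vuln": lookup_vulnerable(conn, "MRN002"),
        "attack_vuln": lookup_vulnerable(conn, INJECTION),   # leaks all 3 rows
        "legit_safe": lookup_parameterized(conn, "MRN002"),
        "attack_safe": lookup_parameterized(conn, INJECTION),  # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The point is not the specific payload but the structural difference: parameterized queries (prepared statements) separate code from data at the driver level, which is why they, rather than input filtering, are the primary fix for this vector.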
Data Breach Impacts
The potential impact to health care providers of a single data breach is significant in terms of cost, disruption, and reputational impact. Consider the following:
- HHS-OCR HIPAA breach settlements and civil money penalties are escalating in both frequency and magnitude.
- For breaches affecting 500 or more individuals, HHS-OCR must be notified within 60 days of discovery, and prominent local media outlets must also be notified when more than 500 residents of a state or jurisdiction are affected.
- Breach notification letters must be sent by first-class mail to all affected patients within 60 days of discovery.
- Post breach identity protection must often be provided for affected patients for one to two years.
- Lost business reputation can create a patient churn rate of 5% to 6% following a data breach.
- Class action lawsuits often arise, with average claimed damages of $1,000 per victim.
- Other miscellaneous costs can include organizational disruption, public relations/crisis communications, technical investigations, and increased cost to raise debt.
Advancing Cybersecurity as a Priority
The American Hospital Association (AHA) has urged Congress to “prioritize investment in telehealth and cybersecurity to ensure all patients have secure, sustained, equitable access to care using digital and information technologies”. Radiology practices need to consider data security a critical business priority for their own practice.
At databrackets, we treat data security as a mission-critical strategic priority, using a four-part strategy:
Risk Assessment | Compliance Management | Technology and Processes | Certification
The strategy elements are briefly explained below.
Risk assessment is one of the fundamental components of the organizational risk management process described in NIST Special Publication 800-39, and NIST SP 800-30 sets out how to conduct one. Risk assessments are used to identify, estimate, and prioritize risk to organizations resulting from the operation and use of information systems. The purpose of risk assessments is to inform decision makers and support risk responses by identifying:
- relevant threats to organizations or threats directed through organizations against other organizations;
- vulnerabilities both internal and external to organizations;
- impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
- likelihood that harm will occur.
Compliance management is the ongoing process of monitoring and assessing systems to ensure they comply with regulatory policies and requirements. HIPAA/HITECH and GDPR are among the best known regulations most health care organizations must comply with, and NIST publications such as the Cybersecurity Framework are widely used as the standards against which compliance is measured. Compliance management can be a confusing maze to navigate, as many requirements are industry- and geography-specific. It matters because noncompliance may result in fines, security breaches, loss of certification, or other damage to your business. Staying on top of compliance changes and updates prevents disruption of your business processes and saves money.
Technology and Processes
There are many data security technology solutions available in the market today that health care organizations can use to prevent, monitor, and respond to data security risks and threats. These may include the following tools:
- Intrusion detection and prevention tools
- Email protection tools
- Encryption of data in transit
- Security information and event management (SIEM) and log management systems
- VPN hardening tools
- Robust patch and software update programs
Third-party examination and certification of security practices is the fourth way for radiology practices to enhance data security. Two common examples are:
- SOC 2 attestation – Established by the American Institute of Certified Public Accountants (AICPA) under its attestation standards (SSAE 18 since 2017, which superseded SSAE 16), SOC 2 is an independent auditor’s report on a service organization’s controls related to the security, availability, processing integrity, confidentiality, and privacy of information and systems.
- PCI DSS 3.2 compliance – PCI DSS is a comprehensive card security standard maintained by the PCI Security Standards Council, founded by the major card brands. The standard evaluates the data security of credit card payment applications and service providers by assessing a business’s network architecture, technology platforms, security policies, and data protection procedures, and is a critical certification for any organization that stores, processes, or transmits credit card data.
Radiology practices are far from immune to cybersecurity threats. Regulations require that radiologists keep their data security controls and methods evolving to provide adequate protection for their patients’ valuable data. Risk assessment and compliance management, technology and processes, and certification are important steps that go a long way toward strengthening the security posture of radiology practices.
To learn more about the services, please visit www.databrackets.com.