Vast amounts of data, complex environments, out-of-date equipment, and a shortage of specialised security staff have all contributed to what some are referring to as the “perfect storm”. A recent report by the U.S. Department of Health & Human Services has highlighted some of the key issues. Below are the top 10 biggest data security issues facing the healthcare industry:
1. The growing attack surface
The changeover from paper records to electronic health records (EHRs) has greatly improved the quality and efficiency of patient care. However, it has also increased the attack surface of many healthcare service providers: every EHR system, integration and remote-access path is one more place an attacker can reach. In both the UK and the US, governments have been pushing to ensure that all health records are digitised as soon as possible, yet investment in cyber-security still lags far behind.
2. Outdated medical hardware and software
As you would expect, medical equipment is very expensive, and healthcare service providers must choose wisely how their limited resources are allocated. As a result, hospitals are still using equipment that may be decades old, some of it running software that is no longer supported by the manufacturer and so will never receive security patches. The same is true of the IT systems used by service providers. The recent WannaCry attack, which infected the NHS (and many other organisations), propagated by exploiting a known SMBv1 vulnerability in Windows (patched by Microsoft as MS17-010 two months earlier) on machines that had not been updated, mostly running Windows 7.
3. Cybersecurity risks are ignored
The attitude "it will never happen to me" is common across all industries, although this will likely change once the GDPR comes into effect and breaches carry mandatory notification and substantial fines. Unfortunately, it usually takes a serious data breach to wake an organisation up to the importance of cyber-security.
4. Small health organizations are struggling to keep up
Smaller health organisations simply don't have the resources necessary to prevent cyber-attacks and keep up with rapidly evolving attack vectors, yet many of them now hold electronic health records just like the large providers do.
5. Healthcare systems are interconnected
While attacks on smaller medical establishments rarely make the headlines, they are likely to be far more numerous. Moreover, the interconnected nature of the healthcare industry (shared networks, referral systems and data exchanges between providers) may let attackers use a small, poorly defended service provider as a stepping stone into a larger organisation.
6. Healthcare data is very valuable
Data has been referred to by some as "the new oil". But why are healthcare records so valuable? If a criminal steals credit card details, they can typically be used only once before the card is cancelled. A medical record, however, contains identifiers that cannot be reissued (date of birth, diagnoses, insurance and national health numbers), so it can be used many times and for many purposes, such as insurance fraud, prescription fraud and identity theft, and there is little the victim can do to stop it. This extended useful lifetime, which can be as much as 20 years, makes medical records very valuable. Stringent IT auditing can help enhance the security of healthcare data. Auditing solutions, like LepideAuditor, audit every configuration change made to multiple server components, including File Servers, and track user permission changes.
7. Patients are in more control of their medical data
Allowing patients access to their medical data is a growing trend, and while there are many benefits, it also increases the attack surface: a patient portal is another internet-facing login, and patients don't necessarily protect those credentials as carefully as they protect their bank details.
8. Limited resources for cyber security
Healthcare service providers have to make hard decisions about how to spend their limited resources. Should the money go on crucial medical technologies, staff and supplies, or on specialised IT security staff, training, software and so on? It is a trade-off that many healthcare service providers face, and security often loses out.
9. Lack of cyber security education
One of the biggest problems healthcare service providers face is that doctors, nurses and administrators are often unaware of the security risks that come with storing large quantities of personal data. What's more, they don't appreciate that everybody, including the patients themselves, has a role to play in protecting it.
10. No clearly defined personnel in charge of cyber security
Many healthcare service providers have no designated personnel to manage cyber-security operations. This leads to problems with accountability and means that no one is pushing for the changes necessary to secure the network. A hierarchy of users with privileged access to sensitive data has to be defined, and any change that breaks that hierarchy (a privilege granted to someone outside it, or granted by someone not authorised to grant it) should be flagged and the responsible staff notified in real time.
LepideAuditor audits every change in user permissions in Active Directory, Exchange Server, Windows File System, NetApp Filer, SQL Server, SharePoint Server and Office 365 (SharePoint Online and Exchange Online). Alerts for these changes are delivered in real time, with filtering or threshold limits, to any recipient by email or via the LepideAuditor App. You can restore Active Directory permission changes to a known-good state, and run scripts to take automated action when an unwanted change is detected.
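As an added example of the rule described in point 10 (this is illustrative code written for this page, not code from LepideAuditor or from any product), the script below encodes a fixed hierarchy of approved holders and approved grantors for each privileged group, runs a feed of permission-change events through it, and raises an alert for every change that breaks the hierarchy, plus a burst alert when one actor makes an unusual number of privileged changes. The JSON event format, the account and group names, and the threshold are all hypothetical, and the sample feed is constructed; a real deployment would map its own audit source (for instance Windows security events) into this shape.

```python
"""Flag privileged-access changes that fall outside an approved hierarchy.

Added example, not code from Lepide or LepideAuditor. The event format
(JSON lines with time/action/group/target/actor) is hypothetical.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical hierarchy: who may hold each privileged group, and who may grant it.
APPROVED_HOLDERS = {
    "Domain Admins": {"it.admin1", "it.admin2"},
    "PatientRecords_FullControl": {"records.mgr", "it.admin1"},
}
APPROVED_GRANTORS = {"it.admin1", "it.admin2"}
# Hypothetical threshold: this many privileged changes by one actor in a batch is suspicious.
BURST_THRESHOLD = 3


@dataclass(frozen=True)
class Alert:
    time: str
    actor: str
    reason: str


def parse_event(line: str) -> Optional[dict]:
    """Parse one JSON audit line; malformed or incomplete lines are skipped, not fatal."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    required = {"time", "action", "group", "target", "actor"}
    return ev if isinstance(ev, dict) and required <= ev.keys() else None


def check_event(ev: dict) -> List[str]:
    """Return the hierarchy rules an event breaks (an empty list means it is approved)."""
    group = ev["group"]
    if group not in APPROVED_HOLDERS:
        return []  # not a monitored privileged group; out of scope for this rule
    reasons = []
    if ev["actor"] not in APPROVED_GRANTORS:
        reasons.append(f"{ev['actor']} is not an approved grantor for {group}")
    if ev["action"] == "add" and ev["target"] not in APPROVED_HOLDERS[group]:
        reasons.append(f"{ev['target']} is not an approved holder of {group}")
    if ev["action"] == "remove" and ev["target"] in APPROVED_HOLDERS[group]:
        reasons.append(f"approved holder {ev['target']} removed from {group}")
    return reasons


def scan(lines: List[str]) -> List[Alert]:
    """Run every line through the rules, then apply the per-actor burst threshold."""
    alerts: List[Alert] = []
    per_actor = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["group"] in APPROVED_HOLDERS:
            per_actor[ev["actor"]] += 1
        for reason in check_event(ev):
            alerts.append(Alert(ev["time"], ev["actor"], reason))
    for actor, n in per_actor.items():
        if n >= BURST_THRESHOLD:
            alerts.append(Alert("batch", actor, f"{n} privileged changes in one batch"))
    return alerts


# Constructed sample audit feed (not real log data).
SAMPLE_EVENTS = [
    '{"time":"2017-05-12T08:01:00Z","action":"add","group":"PatientRecords_FullControl","target":"records.mgr","actor":"it.admin1"}',
    '{"time":"2017-05-12T08:02:00Z","action":"add","group":"Domain Admins","target":"nurse.jones","actor":"it.admin2"}',
    '{"time":"2017-05-12T08:03:00Z","action":"add","group":"Domain Admins","target":"it.admin2","actor":"helpdesk.tmp"}',
    '{"time":"2017-05-12T08:04:00Z","action":"remove","group":"Domain Admins","target":"it.admin1","actor":"helpdesk.tmp"}',
    '{"time":"2017-05-12T08:05:00Z","action":"add","group":"PatientRecords_FullControl","target":"helpdesk.tmp","actor":"helpdesk.tmp"}',
    '{"time":"2017-05-12T08:06:00Z","action":"add","group":"Print Operators","target":"nurse.jones","actor":"helpdesk.tmp"}',
    'not json at all',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.time} {a.actor}: {a.reason}")
```

Run against the constructed feed, the first event is a legitimate change and produces nothing; the second flags an unapproved holder added by an approved admin; the helpdesk account's changes are flagged because it is not an approved grantor, with an extra alert when it removes an approved admin and when it grants itself access; the Print Operators change is ignored because that group is not in the hierarchy; the malformed line is skipped; and the helpdesk account's three privileged changes trip the burst threshold. In a real deployment the hierarchy would come from a version-controlled policy file and the alerts would go to a ticketing or paging system rather than stdout.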