The healthcare industry has undergone a major transformation – spurred and fast-tracked by COVID. Despite many industries adopting cloud computing and infrastructure providers, the healthcare industry has been a laggard, not investing in these technologies until recently.
However, the need for telehealth has risen dramatically and new technologies, such as cloud-based vendors and infrastructure are facilitating remote care, telehealth, and improved patient recording keeping and processing.
According to Accenture, only 7% of surveyed patients had a healthcare consultation with a healthcare provider at the start of 2020, compared to 32% in 2021. The use of EHR and EMR systems (electronic health records and electronic medical records, respectively) have also increased dramatically since their introduction. In 2020, 89% of physicians surveyed reported using EHR or EMR systems.
This digitalization priority has transformed into an urgency when the COVID-19 pandemic prevented on-premise care from being possible. However, as is often the case, new technology introduces new risks and with the accelerated pace of adoption, due to COVID, healthcare cybersecurity isn’t always at the forefront of procurement and planning.
How COVID-19 need for digitalization is increasing healthcare cybersecurity risk
In a matter of weeks, the COVID-19 pandemic shut down offices, filled up hospitals, and transformed the healthcare industry to one that required remote, and virtual facilitation. As a result, healthcare cloud computing and vendor adoption skyrocketed with, understandably, little regard to the security.
However, the introduction of cloud-based vendors, cloud computing, and infrastructure services at this accelerated pace has dramatically increased the attack surface and risk exposure to the healthcare industry. These organizations now need to account for third-party security and risk management while also ensuring that these vendors, if they are handling private data, are doing so while adhering to compliance standards.
With remote work, the advent of BYOD (bring your own device), and the increase of shadow IT (vendors and technology entering your environment without your knowledge), the challenge to just account for your assets, vendors, and devices is nearly insurmountable. This doesn’t even address whether all of your endpoints are secured or your network is properly protected.
The use of EHR and other cloud-based healthcare systems for data storage and infrastructure needs also poses a risk of potential leaks. Whether due to misconfiguration on the side of the cloud provider or your internal team, health records may be accidentally exposed or leaked on the internet, putting your data in harm’s way while also eroding your reputation and trust.
Earlier this year, security researchers found over a billion records exposed in a database belonging to CVS Health that required no password to access. These kinds of incidents aren’t ignored by the general public either, who are concerned about how secure their data is in the hands of healthcare companies. In the same Accenture report mentioned earlier, 64% of patients surveyed said that virtual care has made them more aware of their data privacy and security needs.
The healthcare cybersecurity industry is being increasingly targeted by malicious actors
It’s no secret that the healthcare industry is being targeted more and more often by malicious attackers and bad actors. Again, in 2020, the number of healthcare cyber attacks climbed 42% year over year and the HHS reported that every month in 2020, over a million healthcare records were breached.
Some of these attacks can be attributed to healthcare organizations’ increased use of cloud-based vendors. More third-parties lead to a wider attack surface, one that’s hard to keep account of as it’s difficult to know whether or not a third-party is keeping the right healthcare cybersecurity practices and standards.
Malicious hackers are also keenly aware of the increase in cloud-based vendors within the healthcare security industry and are targeting healthcare companies for the explicit purpose of accessing and exfiltrating health and patient records. In June 2021, Forefront Dermatology announced that a data breach led to the exposure of over 2M health and patient records.
This means security needs to be upgraded for a modern healthcare industry.
How the healthcare industry can modernize its cybersecurity
The healthcare industry needs to modernize its cybersecurity in the same way it’s modernized its infrastructure and service. New modern security models and frameworks need to be adopted that incorporate third-party risk management, the use of cloud-based vendors and infrastructure providers, and that offer risk mitigation and recovery strategies for the modern threats healthcare companies face today.
NIST recently released a ransomware healthcare cybersecurity framework dedicated to this industry and you can find additional resources for securing your organization on the HHS.gov website. As for new developments and additional considerations, here’s a good start.
Prioritize your third-party and cloud-based vendor security
You’re only as secure as your most insecure vendor. Take stock of your various vendors, especially your cloud-based and infrastructure partners, prioritizing them by how critical these vendors are in terms of business function and whether or not they have access to sensitive information. It’s important to understand how secure these vendors are and how exposed you are through them.
Expand your asset visibility to take into account additional endpoints and partners
You should have a process in place to take a full inventory of your devices, networks, partners, and endpoints so you can ensure any new initiatives aren’t leaving any vulnerabilities exposed. This should include IoT devices, employee devices, remote work devices, and partners who are interacting with your network or environment.
Look for a healthcare cloud computing security partner
If you’ve adopted a new cloud-based infrastructure provider or are leveraging an EHR system, it’s likely you’ll need a solution dedicated to ensuring this data is kept secure and is managed properly. It’s one of the most impactful investments you can make in your cybersecurity department.
Have a plan in place in case of a breach or compromise
No organization is 100% secure so you should have a plan and process in place if you are attacked. Do you have a detection and response solution that’s looking at your network, endpoints, and sensitive files? Do you have an incident response plan in place and do you have the resources to facilitate and speedy recovery and remediation?
This may be another opportunity to bring in a partner who has the tools, staff, and resources on hand to help in case an incident occurs.
How to address the healthcare cloud computing cybersecurity challenge
We aren’t looking to roll back the new developments and technological advancements made by the healthcare industry. These innovations and adaptations were necessary to serve the global needs of an increasingly digital patient market. However, the increased digitalization has also attracted the attention of malicious hackers who unscrupulously know healthcare providers and facilities are most likely to pay ransoms sooner than most.
The next step for the healthcare industry is to secure their data, their organizations, and their new cloud-based partners, and infrastructure providers. Due to budget constraints, it would be difficult for these companies to build an in-house department robust enough to address all the new threats and risks posed to these organizations.
We recommend these companies look for dedicated partners with a track record of securing company data, providing detection and response tools, and offering cloud security solutions. It’s the next natural step in digital transformation and it’s needed now.
Learn more about the five biggest challenges facing healthcare security.