Why addressing cyber risks in healthcare is needed

The adoption of new technologies is transforming the way the healthcare sector treats people. Telemedicine, Electronic Health Records (EHR) and wearables that monitor biometrics are just a few examples of the new tools hospitals are adopting to improve patient care ([1], [4]).

While these transformations are improving patients' health and wellbeing, they are unfortunately also increasing patients' exposure to cyber risk. In addition to giving an attacker access to health services and medical prescriptions, stolen medical data can be instrumental in opening bank accounts, procuring passports and even obtaining loans ([4]). The risk is compounded by the fact that, unlike credit card information, health data cannot be changed once stolen: a leaked diagnosis or medical history stays valid for the rest of the patient's life. As a result, health data are considered fifty times more valuable than financial information on the black market ([5]), and are therefore among the most targeted kinds of data ([6]).

Indeed, data breaches are becoming more and more frequent in the healthcare sector ([3]). The situation is aggravated by new trends, such as the Bring Your Own Device (BYOD) approach, which introduce new attack vectors into healthcare institutions ([2]). Recurring data breaches may also erode patients' trust, as patients start questioning the ability of the healthcare sector to protect their personal health records ([4]).

Still, compared to other organizations, the healthcare sector lags behind in defending its systems ([3]). Hospitals are not adopting as many defensive measures as other industries. For example, in the United States, only 70% of hospital boards include cybersecurity in their risk management oversight, and only 37% of hospitals perform annual incident response exercises ([7]). Evidence suggests that only 39% of healthcare organizations perform vulnerability scanning, compared with 49% of organizations in other sectors ([8]). Interestingly, despite the figures above, healthcare organizations are more likely than those in other industries to believe that they have an effective threat detection system in place ([8]), a perception that the adoption figures do not support.

This clearly shows that hospitals and healthcare organizations should treat the protection of medical data as one of their top priorities.

This blog post was written for the ProTego project by Ilio Catallo (OSR) and Lisa Cagnin (OSR).

References

  • [1] H. Thimbleby, "Technology and the future of healthcare," in Journal of Public Health Research, 2013, 2(3).
  • [2] A. Boddy, et al., "A study into detecting anomalous behaviours within healthcare infrastructures," in 9th International Conference on Developments in eSystems Engineering, 2016.
  • [3] M. S. Jalali and J. P. Kaiser, "Cybersecurity in hospitals: a systematic, organizational perspective," in Journal of Medical Internet Research, 2018.
  • [4] L. Coventry and D. Branley, "Cybersecurity in healthcare: A narrative review of trends, threats and ways forward," in Maturitas, 2018, 113:48-52.
  • [5] S. Morgan, "2019 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics," Cybersecurity Ventures [Website]. Available: https://cybersecurityventures.com/cybersecurity-almanac-2019/
  • [6] Symantec, "Cybersecurity in Healthcare: Why It's Not Enough, Why It Can't Wait," Symantec [Website]. Available: https://www.symantec.com/content/dam/symantec/docs/infographics/symantec-healthcare-it-security-risk-management-study-en.pdf
  • [7] S. T. Argaw, et al., "The state of research on cyberattacks against hospitals and available best practice recommendations: a scoping review," in BMC Medical Informatics and Decision Making, 2019, 19(1):10.
  • [8] Cisco, "Healthcare Security: Improving Network Defenses While Serving Patients," Cisco [Website]. Available: https://www.cisco.com/c/dam/en/us/products/collateral/security/security-benchmark.pdf