The COVID-19 pandemic transformed many lives around the globe and created a new normal. Despite the changing gravity of this health crisis, cybercriminals deemed the pandemic a lucrative opportunity to exploit healthcare. There was roughly a 50% increase in the number of healthcare-related cyberattacks in just the first few months of 2020! This blog will discuss cybersecurity challenges in the healthcare field before and after the pandemic and possible ways to prevent them in the future.
Cybersecurity challenges before COVID-19
Cybersecurity challenges were prevalent long before the pandemic; the pandemic simply exacerbated existing issues. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to protect patient information from being disclosed without the patient's consent, and it created restrictions on handling physical and electronic patient information. Despite HIPAA being a fundamental part of healthcare, this law had many shortcomings that created security breaches. To highlight this, I will discuss three case studies of cybersecurity violations in the U.S. healthcare sector. These violations include both the physical theft of company laptops and malicious hacking at the expense of healthcare organizations and patients.
Case Study #1: U.S. Veterans Administration
The Veterans Administration (VA) consists of 1700 hospitals, clinics, community living centers and facilities. This administration experienced a breach of security in 2006 due to its ineffective information security program and physical security. The personal records of over 26.5 million veterans were at risk of being exposed when an employee’s laptop was stolen from their home. This incident raised an important question: Should employees be able to access healthcare information outside of work? Even after the breach, the VA failed to implement effective preventative measures, and according to Healthcare IT News, the VA is still one of the largest offenders of HIPAA regulations!
Case Study #2: Utah Department of Technology Services
In 2012, external hackers gained access to a computer server holding Medicaid and Children’s Health Insurance Plans (CHIP) data. They could have accessed identifying information such as SSNs, names, dates of birth, and addresses. This incident occurred because an employee failed to change the default password of their system. Roughly 780,000 individuals could have been affected by this breach! In response, IT security was reorganized and additional funding for cybersecurity was requested.
Case Study #3: EPHI Security Breach at Private Healthcare Organizations
In 2012, at the Advocate Health System, a laptop containing over 812 patient records was stolen. In 2014, the company experienced another theft of four laptops that compromised the SSNs of over 4 million patients. This shows the company’s inability to tighten security and implement corrective measures.
Cybersecurity challenges during COVID-19
Cybercrime is the leading cause of health security breaches and, according to the World Health Organization (WHO), it has increased five-fold during the COVID-19 pandemic. Pandemics heighten the vulnerability of patients, making them more susceptible to cybercrime since cybercriminals prey on feelings of fear and uncertainty. One way cybercriminals do this is by disguising themselves as a trusted organization like the WHO and/or seeking COVID-19 donations. For this reason, health care organizations become targets during health crises. Understanding how and why pandemics create opportunities for cybercriminals is crucial to preventing such attacks in the future.
Physician practices have been greatly interrupted by the COVID-19 pandemic as traditional, in-person medicine became harder to access; this caused a shift to telemedicine. For example, a 4330% increase in nonurgent virtual visits was observed during the pandemic by New York University. In order to make telemedicine accessible, the enforcement of HIPAA was loosened to allow the usage of online platforms such as Zoom and Skype, which made it easier for cybercriminals to access private patient files. This means that telemedicine services (such as Zoom) are not truly HIPAA-compliant, as they do not adhere to the practices outlined in HIPAA to protect patient confidentiality. Cybercriminals are more likely to attack when physicians are working from home because televisits could be conducted through outdated devices rather than secure internal computer systems at hospitals.
Cybercrime is being used in multiple ways to exploit physicians and patients, including the release of private documents and ransom-motivated attacks. For example, a cybercrime group hacked Hollywood Presbyterian Medical Center and demanded payment (US $17,000) in exchange for a decryption key to regain access to their hospital system. But why are hackers targeting patient records? Patient records contain valuable, identifying information, such as genetic and health data, that can be sold for high profits.
Prevention and recommended practices
Many cybersecurity challenges resulted from poor protective measures for computer systems and/or human errors. To prevent cybersecurity challenges in the future, increasing awareness is the first step to take. Implementing training programs for hospital employees will allow them to protect themselves and patients. The purpose of the training programs is to educate employees on cybersecurity and help them identify scams, which will allow them to tighten security. Additionally, patient accounts could be secured by employing multifactor authentication, monitoring log activity, and revoking access when it is no longer needed. For telemedicine conducted from physicians’ homes, it is important to establish policies that require them to work with secure equipment supplied only by the practice. Other recommended practices include implementing the following: an effective risk management program, identity management and access controls, incident response, security management training, and strong passwords. Additionally, measures should be taken to increase HIPAA compliance and penalize violators.