At Verkada, we’re observing National Cybersecurity Awareness Month (NCAM) by looking at the ways different industries are affected by digital threats. This week, the NCAM is focusing on the theme of ‘Securing Internet-Connected Devices in Healthcare’ with the intention of spreading awareness of an increased presence in digital threats associated with the healthcare industry.
Over the years, healthcare facilities have grown a greater dependency on technology. Everything from the computers and onsite servers that host patient data to the modern technology they’ve adopted for improving patient care, hospitals and clinics have increased their connected footprint. While this has enabled healthcare facilities to become more efficient, it has also opened the door to new threats to their organization and the data they are trusted to protect.
In this article, we explore the three biggest threats to healthcare organizations and how facilities can partner with security vendors to protect themselves from unforseen threats.
Ransomware is a form of malware that hijacks the normal operations of enterprise computers and servers and holds them hostage. If a single device in an organization is infected, entire networks of machines can be disabled and held for ransom. This can be particularly disastrous when vital healthcare appliances are concerned. Ransomware can temporarily shut down critical infrastructure forcing hospitals to suspend treatment and divert patients elsewhere.
Tragedy struck recently when a German woman had to be redirected to another hospital 20 miles away after a ransomware attack disabled critical systems at Dusseldorf University Clinic. She died in transit before she could receive emergency care in an incident that some are calling “the first confirmed death resulting from a cyberattack on healthcare infrastructure.” German police launched an unprecedented investigation to bring the perpetrators in on charges of negligent manslaughter.
The implication of these events is clear-- hospitals and other healthcare institutions are among the most critical organizations to protect from digital attacks. Attacks on these targets can result in far more than the standard financial penalties and operational delays; they risk bringing harm to the sick or injured.
The best defense against this type of attack is one that prevents it from getting any worse after the initial infection. Ransomware attacks are able to shut down entire departments of an organization by spreading from device to device until they can assume complete control. Properly configured devices can use firewalls and air gapping in order to slow or prevent a spread like this.
2. Data Breaches and HIPAA Violations
Data security is a critical priority for every digital citizen, but the protected nature of health records make them among the most potentially destructive kinds to steal.
All healthcare organizations are bound by law to secure and protect any data that can be used to identify a patient and the nature of their care. In an era where healthcare is becoming increasingly digitized, the amount of personally identifiable information (PII) that must be securely stored is immense and always increasing. Care machines, laptop stations, and even building equipment like video security and access door controllers all record sensitive data that must be protected.
As shown in the table above, there are four tiers to HIPAA fines. Cases are assigned a tier based on their severity and how well they were managed after being discovered. In truly exceptional cases, fines have sometimes totalled multiple millions of dollars. These fines are intimidating in scale, but in reality only amount to a fraction of the fallout caused by a PII data breach.
Operational expenses, lengthy investigation and remediation processes, and reputational losses can all be expected after a HIPAA breach, as well a number of other “hidden” costs. All covered healthcare entities are required by 45 C.F.R. § 164.408 to notify the Department of Health and Human Services within a specific window of discovering a breach. The HHS’s website has more information and resources for reporting a data breach.
In most cases, data breaches are a result of some inside party’s secure credentials being stolen. A staff member at the University of Washington fell victim to a phishing email scheme, resulting in 90,000 exposed records and a $750,000 fine. Phishing is still the leading cause of data breaches, showing that bad actors are extremely adept at extracting information like usernames and passwords.
The Federal Trade commission recommends the usage of Identity protection features like Single Sign On and Multi-Factor Authentication to protect against password theft. The Verkada Command platform offers both of these features, as well as robust identity management tools like role based access control and audit logs. This gives users the ability to detect and resolve problems quickly if an identity theft occurs.
3. Vendor and Third Party Threats
The process of providing care to patients has become so complex and fragmented that it is nearly impossible to avoid involving third party goods or services. The average hospital depends on an average of 1,300 vendors, according to a Ponemon research report. With the involvement of this amount of outside actors, it is impossible to fully oversee and monitor their actions for security threats.
According to the same report, 56% of respondents have experienced one or more vendor-related data breaches in the past two years, at an average cost of 2.9 million dollars. Despite this, "[vendor evaluation] controls and processes are often only partially deployed or not deployed at all." One example of this occurred at national healthcare giant Atrium Health when a vendor that provided billing services was breached, exposing an estimated 2.65 million patient records, including social security numbers.
The lack of oversight in evaluating vendor security is understandable given the gargantuan scope of the task. However, constant monitoring of vendor operations isn’t necessary if due diligence is done ahead of time. There are a series of questions that can be asked in the initial discussion between covered entities and their business associates (BAs). Their answers can provide stakeholders with important insights about the security policy and protocols of their vendors, establishing a relationship of trust and liability.
Are policies and procedures in place for privacy and security?
What is the process for determining internal access to PHI?
How is PHI handled by the BA?
What are the internal training policies of the BA?
Has the BA disclosed and appropriately vetted their subcontractors?
What are the policies and procedures should a breach occur?
What is the entity’s knowledge of HIPAA/HITech regulations?
Has the entity disclosed all risk potentials of PHI?
At Verkada, we have collaborated with over 150 healthcare providers to create a comprehensively secure, HIPAA compliant solution. We are an authorized Business Associate and our protection of PII has been tried and tested. Healthcare organizations trust Verkada due to our continued demonstration of strong cybersecurity principles.
For more information on how Verkada protects sensitive patient information, read our HIPAA Compliance resource. Inside, you’ll find details about the various tools and systems we use to secure our critical healthcare partners.