Cyber attacks are skyrocketing in healthcare. Medtech must be part of the solution.

Lately, it seems like every week brings a new headline about a healthcare cybersecurity breach.

Earlier this month, a hacking incident at a Michigan surgical group exposed the protected health information (PHI) of an estimated 15,000 patients. Within the same week, reports surfaced of a D.C. health marketplace data breach which exposed the PHI of over 56,000 people, including members of Congress.

These events appear to be symptoms of a larger issue brewing within the healthcare system. 

Healthcare Dive recently published an analysis of over 5,000 breaches reported to the U.S. Health and Human Services (HHS) Office for Civil Rights (OCR) over the past 13 years. The results paint a stark picture of a rising cybersecurity crisis in healthcare.

Join us in unpacking how the medtech industry is involved in the issue—and how we must help to solve it.

Healthcare cybersecurity in 2023: A snapshot

OCR’s database of reported breaches reveals that an estimated 385 million patient records have been exposed from 2010 to 2022, though individual patient records may be counted multiple times.

The breach records contain only those required to be reported to OCR by insurers, providers, claims clearinghouses, and business associates—namely, breaches affecting over 500 people. When such a breach occurs, covered entities have 60 days to report it.

The most common breach type (by far) among OCR’s records is under the category of “Hacking/IT incident.” Healthcare Dive reports that hacking attacks at healthcare firms have “skyrocketed” over the past 5 years. In fact, the FBI says that the rise in ransomware attacks has hit the healthcare industry the hardest compared to other critical infrastructure. In these attacks, cybercriminals often demand a monetary ransom in exchange for restoring access to the PHI. 

These threats compound challenges to delivering quality and timely care to patients, with health systems across the country strained with staffing shortages and financial pressures from the COVID-19 pandemic.

Factors contributing to weakened cybersecurity in medicine

Healthcare Dive’s report cites three major factors that have contributed to the outsized vulnerability of the healthcare sector to cybercrime.

1) The sharp rise in electronic health record (EHR) adoption

Since 2010, federal incentive payment programs have driven providers and health systems alike to switch from paper records to EHRs. By 2014, EHR use by American hospitals jumped to almost 100%, up from an estimated 16% just four years prior. 

However, EHRs themselves are generally not the problem. EHRs and health information exchanges generally undergo rigorous cybersecurity certification procedures, such as ONC certification.

However, a hospital’s or provider’s overall IT system is only as secure as its weakest link. Vulnerabilities in non-EHR legacy IT systems can thus become an issue. 

These issues are also challenging to address when they are discovered. Healthcare is a 24-hour, seven-days-a-week operation, so minimizing downtime to patch issues is critical. 

Chart: MedTech Pulse

2) The rise in remote work across healthcare

This is also where workspaces come into play. If in-office computers and IT systems can be exploited, at-home networks are even more vulnerable.

Cybersecurity expert and former cybercrime FBI section chief John Riggi told Healthcare Dive that remote work in the healthcare sector gave attackers an “expanded digital attack surface.”

Plus, the rush to remote work coincided with the extra pressure on the health system of a pandemic response. 

“It becomes very, very difficult to secure this expanded attack surface under increased fire during a pandemic,” Riggi said.

Of course, while cyberattacks do represent the most common type, not all healthcare data breaches are the result of one. The second most common category is unauthorized access or disclosure, which can involve a provider accessing records off the job, or a laptop being left in a public place or stolen.

Even when unintentional, these kinds of breaches happen more easily when PHI can be accessed outside the healthcare workplace. 

3) Healthcare systems’ dependence on third-party medtech

Let’s say a health system’s cybersecurity standards are very high when it comes to its own technology, such as its staff’s workstation computers. But what happens when a third-party medical device is required for patient care and that device connects to a network without vetting for security?

That’s a vulnerability that cybercriminals can exploit.

Third-party technology makes hospitals more vulnerable to cyberattack because “they don’t have total control over the security of third-party tools,” Riggi said. “As a result, hospitals have to wait for vendors to send patches for connected medical devices and are prohibited from patching problems themselves.”

Current approaches to protecting patient privacy with medical devices appear to be falling short. A study published last month in The Lancet says medical wearables’ approaches to de-identifying patient data give “a false sense of security” in the face of cybersecurity threats.

Our perspective: Medtech must lead the charge against healthcare data breaches

Granted, all three of these factors have improved healthcare tremendously for patients. At the same time, their vulnerability to cyberattack is a grave concern.

Medtechs must prioritize cybersecurity in product development, dissemination, and maintenance. Companies whose products present a security vulnerability must also lead the charge in cybersecurity training for providers (and patients), so that when issues come up, all parties can respond quickly to minimize damage. 

Innovation and replacement of legacy technology with more secure alternatives throughout the healthcare system will be an important part of the solution as well. We’re looking forward to seeing how our industry takes up this torch. 


MedTech Pulse is a newsletter publication on innovation at the intersection of technology and medicine. Stay ahead with unique perspectives on industry news, the latest startup deals, infographics, and inspiring conversations.
