Cybersecurity in Healthcare and its Challenges
From emergency surgery to a simple doctor’s visit, healthcare is an essential service that everyone should be able to rely on. Yet as technology continues to advance and change, it can also carry dire consequences for cybersecurity in healthcare.
Recent Healthcare Standings
According to the AHA Center for Health Innovation, “Health care organizations are particularly vulnerable and targeted by cyber-attacks because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors.” Given the recent attacks on cybersecurity in healthcare, it’s important to stay aware of your information and of how your healthcare providers handle it.
Current Threats to Cybersecurity in Healthcare
There are numerous types of data breaches that healthcare organizations can experience, broadly divided into internal and external data breaches. Internal data breaches “comprise incidents that have occurred with the help of an internal agent.” Examples include unauthorized access to or disclosure of data, improper disposal of data, and loss or theft of data. Meanwhile, external data breaches are “incidents caused by any external entity or source.” Examples include hacking/IT attacks, spyware, and phishing attacks.
Although any data breach can be damaging for cybersecurity in healthcare, our focus will be on the most frequent types of data breach of recent decades, all of which happen to be internal data breaches. The HIPAA Journal reveals that “Hacking/IT”, “Unauthorized Access/Disclosure”, and “Loss/Theft” were the most frequent types of data breach to occur in healthcare. Among these, Hacking/IT was the most prevalent of the three. For each type of breach, we’ll tie in the most disastrous cases of data security breaches in healthcare, starting with:

Hacking/IT
According to The HIPAA Journal, Change Healthcare Inc. suffered the most severe and widespread example of a Hacking/IT data breach, highlighting significant challenges for cybersecurity in healthcare. Affecting around 190,000,000 individuals in 2024, Change Healthcare Inc. ranked number one for the most severe data breach in healthcare of recent decades. The company states that it reported the ransomware attack on February 21, confirming that a substantial amount of data had been leaked between February 17 and February 20. It was not until April 22 that the company publicly confirmed the data breach. Change Healthcare then mailed written notices to the affected individuals on July 29, according to UnitedHealth Group.

Unauthorized Access/Disclosure
Ranking at number four was Kaiser Foundation Health Plan Inc., with 13,400,000 individuals affected by its 2024 data breach. In its statement, Kaiser Permanente (which includes the Kaiser Foundation Health Plan) emphasized the gravity of cybersecurity in healthcare. It explained that on September 3, 2024, it received notice that the email accounts of two workforce members had been accessed by an unauthorized party. Although the emails were deleted and the authorities were notified, personal information such as “first and last names, dates of birth, medical record numbers, and medical information” had been leaked. Those personally affected received a notice via email or mail.

Loss
Ranked at 16, Science Applications International Corporation (SAIC) was the only company to have experienced a Loss-type data breach. About 4,900,000 people were affected by the 2011 data breach, underscoring the importance of robust cybersecurity in healthcare. Although SAIC was only a business associate, its data breach directly involved the military healthcare provider Tricare. According to Data Breach Today, SAIC “reported the breach Sept. 14. Backup tapes were stolen Sept. 13 from the car of an SAIC employee that was parked outside an SAIC facility in San Antonio.”
Consequently, these tapes would have included the Social Security numbers, names, addresses, phone numbers, and personal health data of patients treated in the San Antonio area military facilities. The article states that an SAIC spokesperson acknowledged “that the company would pay all of the costs involved in the breach notification effort.” In addition, SAIC offered free credit monitoring or credit restoration services to those affected by the data breach.

Theft
Ranked at 19, Community Health Systems Professional Services Corporation had a theft data breach in 2014 affecting 4,500,000 individuals. According to The HIPAA Journal, “…the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data.” Unfortunately, the data stolen by these hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information. While a $2.3 million settlement was paid to resolve the HIPAA violations, victims of the breach filed a class action lawsuit against the company in 2019, which was settled for $3.1 million. From these lawsuits it’s clear that the cybersecurity in healthcare must have
Regulatory Framework and Compliances
Despite the numerous data breaches, there are still rules and compliance requirements that companies must follow in order to continue operating. But what is healthcare compliance? Wake Forest University defines it as “…the effort by healthcare organizations to follow federal, state, and local laws—as well as their own system of rules, ethics, and standards—to help prevent fraud and abuse in the healthcare industry.” Unfortunately, many companies’ attitude toward healthcare compliance can be lax. Nevertheless, extensive systems and laws remain in place to help maintain and preserve ethical decision making. Through these rules and compliance requirements, companies, employees, and stakeholders can enforce and maintain ethical responsibility in their business practices.
While there are many different types of laws to go through, here is a list of the five major compliance laws in healthcare (according to Wake Forest University) and what they do:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) “establishes federal standards protecting sensitive health information from disclosure without the patient’s consent.” This act consists of both a Privacy Rule and a Security Rule. Under the Privacy Rule, HIPAA covers healthcare providers, health plans, healthcare clearinghouses, and business associates. Meanwhile, under its Security Rule, HIPAA “…protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form.”
- The Physician Referral Law (Stark Law) “prohibits physicians from referring patients to receive “designated health services” payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies.” Since the Stark Law is a strict liability statute, it doesn’t require proof of specific intent to violate the law. Penalties for violating it include fines and “exclusion from participation in the Federal healthcare programs.”
- The False Claims Act is “a federal statute originally enacted in 1863 in response to defense contractor fraud during the American Civil War.” Any person who knowingly submits a false claim to the federal government is liable for “three times the government’s damages plus a penalty that is linked to inflation.” Additionally, through qui tam suits, “the FCA allows private citizens to file suits on behalf of the government.”
- The Anti-Kickback Statute (AKS) is a criminal statute that “prohibits the knowing and willful payment of “remuneration” to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal health care programs.” “The statute covers the payers of kickbacks-those who offer or pay remuneration- as well as the recipients of kickbacks-those who solicit or receive remuneration.”
- The Patient Safety Act “amended Title IX of the Public Health Service Act to provide for the improvement of patient safety and to reduce the incidence of events that adversely affect patient safety by authorizing the creation of patient safety organizations (PSOs). PSOs work with providers to improve quality and safety through the collection and analysis of aggregated, confidential data on patient safety events.”
Violations and Penalties
Strict rules come with strict penalties, and this forces companies to act accordingly to prevent violations from ever occurring. HIPAA in particular, as seen below, grades its violation penalties by severity, ranging from Tier 1, for unknowingly breaking the rules, to Tier 4, for willful neglect with no attempt at prevention.

Solutions for Cybersecurity in Healthcare
Although no one is immune to cyber-attacks, this doesn’t mean that one shouldn’t be ready to defend and secure themselves and their online data. From the corporate to the personal level, it’s always good to be aware of your threats and weaknesses. What are they? Where did they come from? How have they been affecting you? By identifying them you’ll be able to minimize any damage to your data and personal information. Additionally, by building on your strengths and finding opportunities to grow them, you can maximize your coverage and properly protect yourself from online threats.
Drawing on the Department of Health and Human Services’ Top 10 Tips for Cybersecurity in Health Care, we’ll go over a few ways one can protect against cyber-attacks. (The full HHS list has more information and tips on cybersecurity in health care.)
While there are many problems on the technical side, sometimes users can become their own undoing too. Because technology advances so quickly, it’s natural for anyone to not completely understand the functions of an IoT device or its programs. However, this only leaves us more susceptible to cyber-attacks. Therefore, understanding and maintaining a culture of security can be pivotal to staying safe. To that end, it’s suggested that:
- Education and training must be a recurring effort.
- Self-regulation, especially in a managerial or leadership position, sets the standard for how others should act and think.
- Centering the organization’s core values on accountability and responsibility can promote trust and growth amongst its workforce.
“A firewall can take the form of a software product or a hardware device. In either case, its job is to inspect all messages coming into the system from the outside…and decide, according to pre-determined criteria, whether the message should be allowed in.” Therefore, by setting up a firewall, companies are able to track and view the programs an employee downloads and have the system determine whether the application or service is appropriate.
In turn, by scanning these applications, firewalls can slow down, stop, and even report downloads deemed “rogue/unapproved”. While firewalls can be simple, it’s also important for a company to work with its IT team or other resources to “…perform malware, vulnerability, configuration, and other security audits on a regular basis.”
The difference between a firewall and anti-virus software is that a firewall prevents intruders from entering, while anti-virus software deals with the intruders that have managed to enter. Viruses come in many shapes and sizes, from an unassuming website download or email to flash drives and even CDs. Hence it’s important to keep your IoT devices updated and to use anti-virus software to regularly check your devices. Luckily, anti-virus software is well tested and widely available at a range of prices, many of which are affordable for individuals and companies alike.
Signs that your device may have a virus:
- System will not start normally (e.g., “blue screen of death”)
- System repeatedly crashes for no obvious reason
- Internet browser goes to unwanted web pages
- Anti-virus software does not appear to be working
- Many unwanted advertisements pop up on the screen
- The user cannot control the mouse/pointer
While there are many technical threats that can compromise your data security, there are also many unexpected external factors that can affect you. Natural disasters of any kind can appear without warning in one’s daily life. Because of this it’s important not only to create a backup but to have a sound recovery plan. When creating a backup, it’s easiest to start on the very first day. Continuously updating the backup and ensuring that the information is not only accurate but can actually be restored gives companies and individuals a safety measure for the unexpected.
Additionally, it’s important to keep storage devices containing the backups (such as hard drives, CDs, and DVDs) in a safe location where they won’t be affected by the elements. Furthermore, scanning and uploading physical documents to these devices can also prove efficient and useful in case the physical copy gets damaged. Using cloud computing can also be efficient and convenient, since it requires little technical expertise and has no physical form. However, one must still be cautious when uploading backup files, so that they’re as secure as the original.
Actions and Improvements for Cybersecurity in Healthcare
The persistence of data breaches in healthcare shouldn’t lead people or companies to become less disciplined in how they operate their technology. Undoubtedly, as technology evolves, so does our ability to protect ourselves against new attacks day by day. Even so, this should also dispel any delusion that one won’t be the next victim of these malicious or careless attacks. After all, although data breaches in healthcare have declined, with a 10.6% reduction from 2023 to 2024, healthcare has remained at the top for the costliest data breaches since 2011. (The HIPAA Journal)

Ultimately, knowing your rights and protections can aid you in obtaining compensation from these companies. Moreover, staying vigilant and careful about how and where you use your data can also make a difference to the outcome of potential future attacks. Likewise, companies that invest in and prioritize cybersecurity measures not only differentiate themselves from their competitors but also attract more loyal customers, making the cost of advancement worth it.