Cyber Security in the Healthcare Industry: Should the Government Intervene?

Media Division | April 17, 2017

What do you want your doctor to be concerned about?  The latest diagnostic technology.  The best treatment for your medical condition.  The possible side-effects of a procedure.  Any of those concerns, and so much more.  The healthcare industry, from the emergency room to your family practitioner, is made up of high-stakes, often high-stress jobs, where your care should be the top priority.

Your doctor also keeps a remarkable quantity of data in detailed records on each patient, which is why HIPAA laws (Health Insurance Portability and Accountability Act, the privacy laws of healthcare) govern how that data must be kept and can be accessed.  That’s also why the healthcare industry is a popular target for hackers.

How Healthcare Utilizes Your Data

Whether you have a Bluetooth medical device or you rarely see your doctor, healthcare facilities and insurance companies utilize your personal data for a wide variety of reasons, each involving electronic communications.

  • Medical devices—pacemakers and blood sugar monitors have all advanced over the years, and the latest models utilize technology that allows patients and practitioners to more closely monitor medical conditions, in some cases even self-administering medication.
  • Internal communications—when you sign in at reception and then see a practitioner in a treatment room, with seamless service, your personal information has been electronically communicated within a facility.
  • External communications—whether sending a prescription to a pharmacy, sending an x-ray to an external specialist, or transmitting exam codes to an insurance provider, your medical information gets communicated digitally within healthcare organizations and to external resources.

Each of these many electronic data transfer points, while providing instant and improved care to patients, also represents a potential point of attack for cyber criminals.  Any chain is only as strong as its weakest link, and any internet-capable device is a link in that chain.

The Value of Your Data

Cyber criminals commercialize all sorts of information on the cyber black market.  Consider all of the information the health care industry has that may have potential value:

  • Social security numbers
  • Dates of birth and other data used for identity theft
  • Medical records (also potential blackmail material for targeted attacks)
  • Credit card numbers
  • Digital devices in massive numbers, which could also just translate into a bot army for IoT (internet of things) attacks.

In this age of ransomware, the largest value might even be the potential loss of function: cyber criminals regularly hijack a computer for a ransom. In healthcare, it might be cheaper and less inconvenient to give in to demands and pay that ransom, rather than to place services on hold.  Taking a hospital or other large healthcare facility offline for even just a few moments can cause major trouble for patient service.

Cyber criminals bank on the fact that businesses need their own data to operate, even if that data is not of direct value to the hackers themselves.  That’s why ransomware can be so successful.

Where the Government Comes In

Governments and regulation evolve directly as a result of the need for widespread coordination and cooperation.  The privacy acts in place in healthcare serve such a purpose: protecting patient information as the patient's own property, not to be shared without express consent.

The financial industry, another hotbed of attack for cyber crime, has its own state-sponsored and industry-supported collaborative operation: the Financial Services Information Sharing and Analysis Center (FS-ISAC).  Like a sort of Chamber of Commerce for the cyber security of the financial sector, this 6,000-member-strong non-profit organization helps “assure the resilience and continuity of the global financial services infrastructure and individual firms against acts that could significantly impact the sector’s ability to provide services critical to the orderly function of the global economy.”

Sure, the financial sector is super important.  A bank gets robbed and the FBI steps in.  A bank gets hacked and it is a major deal.  People take care of their money, as well they should.

What about the automotive industry? Would a hack of the automotive industry create such an epic impact as that of the banking industry? Perhaps not, but they also have their own ISAC, the Auto-ISAC (Automotive Information Sharing and Analysis Center), with similar objectives to the FS-ISAC.

Healthcare does indeed also have such an organization, the NH-ISAC (National Health Information Sharing and Analysis Center).  Like other similar organizations, the non-profit group is made up of members who aim to coordinate, share best practices, and generally protect the cyber security of their industry.  Currently, of the thousands of potential member organizations in the United States, the NH-ISAC has about 200 members.

Unlike banking or the auto industry, every American will likely interact with the health care industry at some point in time.  Leaving cyber security up to individual member organizations, therefore, puts Americans at much greater risk of data breach.

The healthcare industry deserves government interaction and intervention in protecting digital communications and digital assets.

After all, it’s only your health on the line.

Asset Protection

Even should the United States intervene in cyber security in the healthcare industry, it will require collaboration.  Staying ahead of the game with cyber security monitoring helps identify and mitigate imminent threats to critical operations.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.