Cybersecurity Solutions in Healthcare
Abstract
Healthcare information is necessary for running various operations in the delivery of healthcare services. It contains critical data such as social security number, contact, and address. Hackers make attempts to hack hospital sites and systems to seek ransom or use the data against the patients. Hacking can lead to a lack of trust among patients or legal fines. The current state of affairs demonstrates that the cases of hacking in healthcare are on the rise. It is also the role of the government to enact policies that will investigate and lead to the successful arrest of hackers. Hospitals should ensure they develop the right mechanisms to prevent such incidences from occurring. The United States healthcare system is under attack since hackers target middle-level hospitals that have not invested in quality and safety systems.
Introduction
Healthcare systems and websites are a prime target for hackers since it contains critical information such as social security number, contact, and address. Organizations should devise various strategies to ensure they protect the information. Breach of patient data breaks the trust of patients and can lead to legal fines. The government and other stakeholders in healthcare should contribute to ensuring the patient data is protected. The following paper provides an analysis of the current state of affairs, the role of the government and the healthcare sector to safeguard patient data.
Current State of Affairs
Healthcare technology is growing exponentially as providers realize the sensitivity of medical information and the risks of cyberattacks. Healthcare data is a prime target for hackers that prompts the American healthcare system to spend $65 billion in 2020 on security breaches (Bhuyan et al., 2020). Statistics indicate that ransomware attacks in the healthcare sector will quadruple in 2020. Research also shows that 2.4 percent of healthcare employees in America have never received cybersecurity awareness (Bhuyan et al., 2020). Trends in the United States depict the need for improvement in strategies to curb cyber attacks. Healthcare organizations should develop strategies to protect medical information to avoid rising cases of lawsuits.
Medical devices and websites are five times more likely to be hacked compared to standard devices. In America, manufacturers of medical devices and sites indicate that 67 percent of the devices are likely to be hacked within the first 12 months after launch (Luh & Yen, 2020). Some of the highly vulnerable sites belong to small and mid-sized healthcare organizations (Luh & Yen, 2020). The popular types of attacks include malware that compromises the integrity of systems and disrupts the ability to provide healthcare.
Summary of Media Coverage
The media has reported extensively about cybersecurity issues in healthcare. News coverage by CNBC in 2018 reported that Hancock Regional Hospital was hacked, exposing patient data. Hackers requested a ransom payable using bitcoins, which the hospital consented (Lovelace & Gurdus, 2018). In 2016, the BBC reported that Hollywood Presbyterian Medical Center paid $17,000 to hackers after the hackers took their systems offline (Baraniuk, 2016). On the other hand, CNN reported that in 2014, Community Health Systems, which facilitates 206 hospitals across America, had been hacked. The report indicated that 4.5 million patient records had been stolen (Pagliery, 2014). According to the news report, the various hospitals operate in 28 states with a major concentration in Alabama, Texas, Tennessee, Pennsylvania, Oklahoma, and Florida. Hackers targeted names, telephone numbers, social security numbers, addresses, and birthdays. CNBC also reported that such medical information can be sold at $30 to $500 (Lovelace & Gurdus, 2018). The news coverage shows the frequency and extent of cybersecurity cases and the measures that hospitals should take to mitigate the crisis.
Government’s Input in Cybersecurity
The United States government has taken various measures to mitigate cybersecurity in the country. In 2018, the government developed a national cyber strategy to reduce the risk of attacks in various areas, including the healthcare sector (Bhuyan et al., 2020). The government has also enhanced the crackdown in individuals and companies perpetrating cybercrime. For example, in 2017, a Chinese national was arrested in connection with cyber attacks. The United States government, through the Federal Bureau of Investigation (FBI), has detected attacks on healthcare systems (Bhuyan et al., 2020). For instance, the FBI detected and investigated a cyberattack issue in Maine General Health systems. FBI also issues regular alerts to healthcare organizations about cybersecurity to ensure they prepare adequately (Luh & Yen, 2020). The role of the government also involves developing policies to enhance security and protect healthcare systems.
Potential Solutions to Cybersecurity
Healthcare organizations can take various measures to mitigate the cybersecurity crisis. One of the potential solutions is to manage cybersecurity issues. Management involves mitigating, accepting, or transferring risk depending on the dynamics of a scenario. It also involves decision-making using reliable risk-management approaches (Murphy, 2015). Methodologies in decision-making are important to eliminate personal preferences and emotions, which can worsen a situation. Employees in a healthcare organization should also be trained on why and how to protect patient data. Murphy (2015) states that a reliable risk management strategy is essential in averting cyberattacks. For example, companies should load an antivirus software to devices and applications as part of their standard configuration (Murphy, 2015). The policies are effective in ensuring that hackers find it difficult to access devices and systems that contain patient information.
Third-party risk management is another approach that hospitals can deploy to promote the safety of patient data. Organizations contract third-party organizations to develop sites or applications (Bhuyan et al., 2020). It is also effective to hire an organization to carry out certain tasks in the healthcare system. Consequently, healthcare data is exposed to hackers or access by unauthorized people. Organizations should develop and implement appropriate tools to ensure they control the third-party risk (Murphy, 2015). For example, third-party risk management software to ensure that such a relationship with another company does not put patient information at risk.
Healthcare facilities should develop legally binding documents to be signed by third-party companies about the need to maintain integrity. The document is acceptable in court to ensure that in case the third party does not abide by the rules, they can be prosecuted (Murphy, 2015). It is also essential to train employees on the need to uphold various policies. For example, companies should create awareness about HIPPA, PCI data security standards, and FISMA. Organizations should also create a culture that promotes the safety of patient data and a healthy relationship with third parties (Murphy, 2015). Hospitals should initiate mock data breaches to ensure their employees have practical experience with cybersecurity issues.
Information Security
Information security is essential in healthcare to protect organizations from lawsuits that can undermine patients’ trust and fines. Workers should understand how to respond in case a data security issue emerges (Luh & Yen, 2020). Guidelines to report and respond to a data breach crisis ensure that workers do not respond in a manner that can make a situation worse. According to Murphy (2015), Organizations should also create a task force that will respond to such issues professionals. The team will also be responsible for analyzing data and improving their actions in the future. Other roles of the team, according to Murphy (2015), include detection, containment, eradication, and recovery. For example, some of the measures may include shutting down a system, changing passwords, disconnecting networks, creating backups, and altering access control.
The guidelines on how workers or a specialized team should respond to a data breach crisis should involve specific actions. For example, it should indicate how to respond to individual companies or third-party organizations (Bhuyan et al., 2020). Additional guidelines should also state how to report the incidences to law enforcement agencies, data authorities, media, and individuals affected, such as patients (Murphy, 2015). The reporting measures are critical in reducing the damage of a data breach and boosting the trust of the public, especially the affected patients.
Data Privacy
The preparedness to counter cybercrime in healthcare requires the collaboration of various stakeholders. The two major players include patients who provide the data and hospitals that promise to secure the data (Murphy, 2015). Patients should give consent to provide information or make an informed choice. HIPPA states that patients receiving treatment may not necessarily need to consent. However, they should be aware that the information they are sharing will be stored in a database. Organizations should maintain trust by protecting that information against any data breach (Murphy, 2015). They should also ensure they utilize the information only for the purposes they were collected for. For instance, patient information should be used to facilitate treatment and processing payment (Murphy, 2015). Organizations should also ensure that the data they are securing is complete, accurate, and correct. If the data is not correct, it can undermine the quality of treatment.
Data privacy and storage should align with security guidelines. The guidelines indicate that in an attempt to safeguard patient data, organizations should promote data availability (Murphy, 2015). They should also observe integrity, confidentiality, and accountability. Therefore, companies providing care should optimize their sites and devices to observe the various requirements. For example, confidentiality is limiting access to data, integrity is ensuring the data is accurate, while availability is making the data available to those who need it (Luh & Yen, 2020). System developers should strike a balance between making the data available and securing it against unauthorized access. For example, healthcare workers have been prosecuted in court for accessing patient data without legitimate reasons (Luh & Yen, 2020). The goals of information security should be patient-centered to ensure the welfare of their customers is guaranteed.
Healthcare organizations should develop policies and create awareness about the existing frameworks to protect patient data. They should also train employees on how to align with the existing government policies (Luh & Yen, 2020). Policies will provide a cushion against the cyberattacks, which can ruin the reputation of a company and undermine its profitability. Murphy (2015), emphasize that all the policies that organizations develop at a local level should be synchronized with existing policies. The purpose of creating and implementing policies is to safeguard patient data against the rising cases of data breach.
Conclusion
Healthcare workers are at the frontline to ensure safety of highly-targeted data by hackers. Hacking of websites and applications in the healthcare sector have increased as reported by the media. The government should have various attempts to secure the healthcare data by deploying investigative teams and enacting policies. Healthcare organizations should also refine their policies and seal all loopholes to prevent further attacks. Patient information is at a higher risk of hacking and thus quality approaches are requires to restore patient trust.
References
Baraniuk, C. (2016). Hollywood hospital pays ransom to hackers. BBC News. Retrieved from https://www.bbc.com/news/technology-35602527
Bhuyan, S. S., Kabir, U. Y., Escareno, J. M., Ector, K., Palakodeti, S., Wyant, D., … & Dobalian, A. (2020). Transforming Healthcare Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations. Journal of Medical Systems, 44(5), 98. DOI: 10.1007/s10916-019-1507-y
Lovelace, B., & Gurdus, L. (2018). Hospital CEO forced to pay hackers in bitcoin now teaches others how to prepare for the worst. CNBC. Retrieved from https://www.cnbc.com/2018/04/06/hosptial-ceo-forced-to-pay-hackers-in-bitcoin-now-teaches-others.html
Luh, F., & Yen, Y. (2020). Cybersecurity in Science and Medicine: Threats and Challenges. Trends in Biotechnology. https://doi.org/10.1016/j.tibtech.2020.02.010
Murphy, S. (2015). Healthcare Information Security and Privacy. 1st edition. McGraw-Hill/Osborne.
Pagliery, J. (2014). Hospital network hacked, 4.5 million records stolen. CNN Business. Retrieved from https://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/