Cyber attacks in the healthcare sector are on the rise, especially those perpetrated by third parties. A recent report suggests that implementing best practices to detect, prevent, and respond to these threats can be highly effective, but these practices are not being adopted on a wide scale.
A new report, State of Cyber Security and Third-Party Remote Access Risks, which surveyed 636 individuals about their cyber security practices, documented an increase in cyber attacks. This is the second annual research study, sponsored by SecureLink Inc., which explores how organizations are investing in their cybersecurity infrastructure to mitigate threats and which industries are paying attention to third-party remote access risks.
Statistics show that every industry has weaknesses and strengths. The financial and health care sectors are the top 2 industries targeted by cyber security attacks. The report indicated that 58% of financial organizations and 55% of healthcare organizations experienced a third-party data breach in the past 12 months.
The results weren’t surprising because both of these industries rely heavily on third parties collecting and storing valuable data, such as protected health information (PHI), that hackers are seeking. The findings revealed that the health care sector is not giving top priority to IT systems and third-party security. More than half of health care institutions reported that managing third-party security is burdensome and a drain on internal resources.
The report found that implementing an automated infrastructure can be a powerful defense against cyberattacks, but lack of resources is a barrier. Cyber security is often underrepresented at an organizational level, with only 39% of organizations allocating 15% or less of their annual IT budget to cyber security, according to the report. In addition, 52% said securing third-party remote access is not a priority for their IT or security team.
Hackers look for the path of least resistance in mission-critical applications and assets, whether a weak access point or poorly secured credentials. The health care industry has transitioned to a more virtual environment since the start of the COVID-19 pandemic through increased virtual and telemedicine consultations, said Steven Walzak, PhD, professor of health information systems at the University of South Florida in Tampa. The growing reliance on Internet-based communication and virtual work has opened up new targets for cybercriminals. Often, physicians’ home computing equipment lacks adequate security measures.
Dr. Walzak pointed out that there is no barrier to entry into becoming a cybercriminal. “The only tool a cybercriminal needs to launch attacks against medical facilities, personnel and patients is an Internet connection,” he said. “Cyber criminals also communicate and propagate attack methods via the web, meaning cyber criminals no longer need advanced computer knowledge to steal identities or upload malware.”
Some experts argue that cybercrime is not widely applied. Many attacks can cross national borders, and laws and enforcement policies differ around the world. “While HIPAA serves to remind health care workers about their information security responsibilities, I personally do not believe that increasing penalties will greatly affect compliance,” Dr. Walzak said. “Additionally, even with full compliance, hacks and medical identity theft will still occur.”
As a best practice, health care practices and facilities should hire full-time cyber security professionals or contract with cyber security providers to monitor their networks and ensure their security is the best possible, Dr. Walzak said.
Genevieve P. Kanter, PhD, assistant professor of medicine, medical ethics and health policy at the University of Pennsylvania in Philadelphia, said both the number of violations and the reporting of violations are on the rise. “There are many reasons for the rise in the number of breaches in health care, from the demands of COVID on hospitals, to the strain on resources, as well as the switch to telehealth,” Kanter said.
Contributing to the problem is the growing number of business associates and contractors, many of whom have greater vulnerabilities. Reporting and talking about these breaches has increased, and many health care providers are looking for direction. “I think the law through HIPAA has focused a lot on privacy, but the laws and regulations need to be expanded to create carrots and sticks for security concerns, separate from privacy concerns,” she said.
Dr. Kanter pointed out that some problems resulting from a cyberattack, such as disrupted health care services, are outside the scope of HIPAA, which only requires health care entities to report cases when PHI is accessed or removed from the system. Current legislation has not created a regulatory scheme specifically to adequately deal with health cyber security, she observed.