The need for high-scale, modern cyber-security has become increasingly critical with the emergence of cloud computing, which moves sensitive medical/health record information outside a hospital’s protected environment. However, cyber-security professionals face the challenge of not only ensuring that patients’ information is safe, but also making this information easily accessible for clinicians.
The Value of PHI
According to a 2014 survey by the SANS Institute, an American cybersecurity firm, 61% of respondents considered medical/health record information the most at-risk to cyber-criminals.
The downstream effects of a possible data breach to a hospital’s IT infrastructure or an offsite server pose considerable threats to patients’ lives in many different ways. Personal health information (PHI) has become the world’s most sought-after and prized entity on the black market. Hackers who manage to break into a health IT infrastructure are able to gain access to sensitive, confidential information such as diagnostic test results, phone numbers, insurance numbers, family history, and much more—just from a patient’s health record.
For cyber-criminals, the payout from pursuing health record information rather than credit card information, for example, is much greater. Insurance scams alone could potentially yield tens of thousands of dollars, rather than the couple of thousand that could result from a credit card heist. A data breach in the health care cyberspace delivers far greater returns for cyber-criminals.
The most effective methods of cyber-security take a multi-layered approach, with PHI at the core, protected behind multiple firewalls and controls, and end-users at the very periphery of the system.
Health care facilities and regional systems must have several separate networks within their IT infrastructure, each assigned limited-access Access Control Lists (ACLs). ACLs are imperative for determining which personnel within the facility have access to the various controls and checkpoints within the security system.
Multiple firewalls should be deployed across the security layers surrounding the PHI, with specific traffic rules applied to them as a measure of appropriate checks and balances. Web traffic rules applied to the various ports, or “gateways”, into the cyber infrastructure must be monitored around the clock, picking out any anomalies that might appear. Cyber-criminals with malicious intent, viruses, and malware may attempt to “piggy-back” off of normal web traffic to pass through a protected port. Having sophisticated monitoring technology at the ports and firewalls allows health care IT professionals to perform a deep inspection, detect any malicious activity, and shut it down.
Despite all precautionary measures, cyber-attacks can occur at any moment, and to any health care facility. In February 2016, Hollywood Presbyterian Medical Center, in Los Angeles, California, fell prey to a malware attack. The cyber-criminals held valuable patient medical records hostage for a ransom of $17,000, which the hospital inevitably paid in order to regain access to the records.
Maintaining vigilant, around-the-clock monitoring of health care cyber-security is absolutely critical at a time when patients’ PHI is at stake. Protecting a hospital’s IT infrastructure requires a multiform, diverse, and robust security infrastructure that not only prevents attacks before they happen, but is also able to stop them as soon as they occur.
- SANS Institute. New Threats Drive Improved Practices: State of Cybersecurity in Health Care. December 2014. Retrieved from: https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652.