[BreachExchange] Is Cybersecurity in Healthcare an Impossible Dream?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 27 15:30:36 EDT 2017


https://dzone.com/articles/is-cybersecurity-in-healthcare-an-impossible-dream

Cybercrime costs the UK several billion pounds per year. Indeed, a recent
government report showed that 46% of all businesses identified at least one
cyber attack in the last year, with 74% of directors regarding
cybersecurity as a high priority issue for them.

This is a particular problem in healthcare, with a number of high profile
breaches earlier this year in the industry. I wrote earlier this year about
a study from Michigan State University, which found around 1,800 large data
breaches in patient information over a seven-year period in the United
States alone.

"Our findings underscore the critical need for increased data protection in
the healthcare industry," the authors say. "While the law requires health
care professionals and systems to cross-share patient data, the more people
who can access data, the less secure it is."

A recent paper has mixed messages for the sector, for whilst it provides
some strategies that can be deployed to shore up security, the authors also
suggest that many of them may be impossible to implement.

"There are things we can do to reduce the risk but it is very hard to
perfect IT security, especially given the needs of modern hospital systems
to have things moving between places and increasing demand for
patient-facing access," the authors say. "To some extent, these attacks are
inevitable."

Mitigating the Risk

The authors outline a number of steps that IT teams can undertake to try
to prevent attacks. These include workforce training, retaining
cybersecurity expertise, patching operating systems, and reporting attacks
promptly to authorities. They also recommend more strategic, nationwide
steps, even though those may be harder to accomplish.

It's crucial that government efforts to improve security are coordinated,
as too often responses have been fragmented and disjointed. This was
certainly the case after the recent WannaCry attack, where the response was
split between many different agencies.

This could involve the creation of a Joint Commission, which would have the
ability to accredit hospitals according to their data security standards.
This might help to ensure the highest standards are upheld.

It's particularly prickly in the case of ransomware attacks, for whereas it
might be easy to suggest CIOs act in unison and openly state they will not
pay any ransom requests, when lives are on the line it's easy to imagine
pressure mounting and their hands being forced by patients.

"If I were a hospital CEO, it's one thing to make this pledge ex ante, but
it's another thing when you have a population of patients who need health
care to stick by it," the authors say.

Data governance is an issue of growing importance in the healthcare
industry, not only in terms of data security but also in terms of good
management of data that is being used to underpin the numerous machine
learning applications entering the sector.

It is, therefore, an issue that health officials and hospital managers will
need to come to grips with sooner rather than later.