Healthcare is probably the most heavily regulated industry on the planet (possibly losing out to finance). This makes a lot of sense since, if you make a mistake in healthcare, people can die. So in order to ensure that healthcare providers don’t make a habit of making careless or risky decisions, there are laws allowing them to be sued for malpractice. While these laws can be (and are) abused, in general they’re a good thing and make sense.
In the age of the Internet, the security of healthcare information has become much more complicated. Things used to be easier when all records were paper. Odds are no-one could find anything, but at least that included the bad guys too. Now, with digital healthcare records and portals, you still can’t get to your own information half the time, but unfortunately the same isn’t true for the hackers.
Data privacy laws are designed to enforce data security for healthcare providers. By clearly defining information protected by these laws, how it should be secured, and the penalties for failing to do so, these regulations attempt to ensure that your data is secure. But how good is healthcare data security?
Doctor Patient Confidentiality?
When you go to the doctor, you expect that everything you discuss will be kept private between the two of you. Laws about doctor-patient confidentiality mean that the doctor is not allowed to disclose any information that you provide to them during a medical consultation. In many jurisdictions, the confidentiality of healthcare data is explicitly protected under data protection laws. In the US, this is HIPAA, and, in the EU, all healthcare data is protected under the data protection umbrella of GDPR.
These protections are important due to the value of the data that’s available to healthcare providers. At a minimum, they probably have your name, date of birth, home address, email address, phone number, credit card number (for billing), and various biometric details (height, weight, eye color, etc.). With the information in a healthcare record, it’s easy for an attacker to commit identity fraud by pretending to be you. And this doesn’t even consider the other impacts of a breach. What’s one of the most common security questions out there? Your mother’s maiden name? Definitely in your healthcare record. So are many of the other answers to common security questions.
Healthcare information is also a godsend for attackers performing phishing attacks. You may not fall for the standard spam and phishing emails, but what if the phisher had the trove of information in your medical record to base their pretext on? A phone call or email from your “doctor” referencing that medical condition (or other specific information about your health) could have you spilling your secrets in no time.
The State of Healthcare Security
Luckily, we don’t have anything to worry about with our healthcare information. Our healthcare providers comply with the relevant regulations and properly protect our data, right?
Most people would say that the main cause of data breaches is those dastardly hackers trying to break into our healthcare providers’ computer systems. Depressingly, that isn’t quite right. The cause of 41% of healthcare breaches is unintentional disclosure, i.e. someone messed up and your data is on the Internet. Those hackers take a distant second at 19%, followed by malicious insiders at 15% and physical loss at 8%. Out of these top four causes of breaches, three of them (for a total of 64% of all healthcare data breaches) originated inside the organization. That’s pretty bad.
But it gets worse. Another study had a slightly different breakdown of breach causes (33.5% caused by human error), but it’s interesting because it broke down this category into more specific causes of breaches. At the top of the list, 38.2% of unintentional healthcare breaches were caused by ‘misdelivery’. You were worried about hackers stealing your data? While that’s a significant concern (14.8% of all breaches), you should also be worried about your doctor accidentally emailing the details of that embarrassing medical issue to the wrong patient (12.7% of total breaches).
These issues only cover the data breach-related issues with cybersecurity in the medical field. The healthcare industry is also known for its heavy use of Internet of Things (IoT) devices, which are notorious for their poor security. Many stories have been in the news recently about hacking medical devices both in the hospital (with the ability to fake cancer on a CT scan) and in people’s bodies (pacemakers, bionic limbs, etc.). While the Internet of Things promises to make life and medicine better for all, right now it’s a bit scary.
How Healthcare’s Cyber Can Become Healthy
The main problem with healthcare security is that many healthcare providers don’t implement even the most basic cybersecurity protections. The majority of healthcare data breaches are caused by authorized parties exposing the data (accidentally or maliciously). However, this is a mostly solved problem in the cybersecurity industry. Software for implementing data loss prevention (DLP) and role-based access control is widely available. These solutions could have a significant impact on healthcare providers’ ability to detect and prevent data breaches. Other steps like locking down IoT devices on the network and encrypting all sensitive data are also vital for healthcare security.
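As an added illustration (not code from the original post), here is a minimal outbound-email gate combining the two controls above: a role check on the sender, and a DLP check that stops the misdelivery case described earlier, where one patient’s record is addressed to another patient. The patient table, the `MRN-` identifier format and the allowed roles are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not from the article): records keyed by a
# medical record number (MRN) and the addresses each patient has on file.
PATIENTS = {
    "MRN-10042": {"name": "Alice Example", "emails": {"alice@example.org"}},
    "MRN-10077": {"name": "Bob Example", "emails": {"bob@example.net"}},
}

# RBAC: only these (assumed) roles may send a message containing record data.
ROLES_ALLOWED_TO_SEND_PHI = {"physician", "nurse", "billing"}

# Coarse DLP signatures that mark a message as carrying protected health data.
MRN_RE = re.compile(r"\bMRN-\d{5}\b")
DOB_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")  # any ISO date; deliberately broad

@dataclass
class Decision:
    allowed: bool
    reason: str

def check_outbound(sender_role: str, recipient: str, body: str) -> Decision:
    """Decide whether an outbound message may leave, blocking likely misdelivery."""
    mrns = set(MRN_RE.findall(body))
    has_phi = bool(mrns) or DOB_RE.search(body) is not None
    if not has_phi:
        return Decision(True, "no PHI detected")
    # Role check first: an unauthorized sender never gets to the recipient check.
    if sender_role not in ROLES_ALLOWED_TO_SEND_PHI:
        return Decision(False, f"role '{sender_role}' may not send PHI")
    if not mrns:
        return Decision(False, "PHI without an MRN: recipient unverifiable, hold for review")
    if len(mrns) > 1:
        return Decision(False, "message mixes the records of several patients")
    mrn = mrns.pop()
    patient = PATIENTS.get(mrn)
    if patient is None:
        return Decision(False, f"unknown record {mrn}")
    # The misdelivery check: the address must belong to the patient whose record it is.
    if recipient.lower() not in patient["emails"]:
        return Decision(False, f"{recipient} is not on file for {mrn}: possible misdelivery")
    return Decision(True, f"recipient verified for {mrn}")
```

A real deployment would also accept clinicians and covered-entity partners as valid recipients; the point here is that the decision is made from the record’s owner, not from whatever address the sender typed.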
The surge in data privacy laws after the start of GDPR in May 2018 indicates a turning point in how the world thinks about data and privacy. While your healthcare information may be vulnerable now, the availability of solutions and pressure to implement them mean that this could change soon.