Recent news that Coplin Health Systems in the US was forced to notify 43,000 patients that their medical records had been stolen from a laptop placed a spotlight on the challenges facing healthcare organisations worldwide, including in Australia.
In this incident, the records were stored on the computer’s unencrypted hard drive. As yet there’s no evidence the stolen records have been misused, however the provider is working to review its IT security policies and processes.
The laptop theft demonstrates the risks facing many healthcare providers. In most other sectors data confidentiality is given the highest priority, followed by data integrity and then data access. In the healthcare sector this list is reversed.
The provision of quality patient care relies on access to data such as medical records. Where a lack of data access might mean inconvenience or disruption for a business, in the healthcare sector the result could be the loss of a human life.
This risk was highlighted last year when the WannaCry ransomware attack hit healthcare organisations in the UK. Some ambulance services could not dispatch vehicles and a number of hospitals were unable to accept patients for treatment. This demonstrated just how critical data availability in healthcare has become.
Data integrity is the next most important factor for healthcare providers because any errors or unauthorised changes to medical records can compromise patient treatment and care.
For example, someone could deliberately manipulate healthcare records to cover up certain unauthorised treatments. This occurred back in 2000 in the UK when a general practitioner, Howard Shipman, attempted to cover his murders of multiple patients by altering their medical records.
Data integrity can also be compromised through the accidental altering of records. This could happen if treatments were wrongfully recorded in a file or changes in medication doses incorrectly noted. If records are altered in this way, it can lead to incorrect treatment which could harm or even kill the patient.
Even though it ranks as third on the priority list, data confidentiality is certainly vital for healthcare providers as medical records can contain an individual’s most private of information. In fact, so valuable are medical records, they sell for more than credit card details on the dark web.
Misuse of patient records can have significant ramifications in terms of identity threat and even more nefarious efforts, such as extortion. Healthcare providers also hold financial and administrative data and misuse of this information could come in the form of fraudulent transactions and unauthorised payments and keeping it secure must also be a priority.
Given the sensitivity of health information, organisations are required to adhere to the strict provisions of the Privacy Act, with obligations relating to consent and use. The mandatory data breach legislation, which comes into effect on 22 February 2018, will add additional responsibilities onto providers and place them at risk of reputational damage and fines if they do not take reasonable steps to make sure personal information is held securely.
The security challenge
Despite the need for data availability, integrity and confidentiality in the healthcare space, many providers are hesitant to undertake typical security activities, such as vulnerability scanning and patching, because they don't want any downtime in their systems.
If a decision was taken to upgrade the operating system, comprehensive testing would then be required to ensure it continued to operate in its intended way, which could also result in disruption to treatment schedules – something providers are constantly trying to avoid.
This means there tends to be large numbers of outdated systems still in use. There can also be a reliance on end-of-life or outdated software, with many medical devices still running on Windows XP. Such devices may have a working lifespan of 15 to 20 years, which can be much longer than the support provided by software companies, resulting in security vulnerabilities.
The security challenge is made more complex by the fact that there are so many different types of medical devices in use. Securing a fleet of identical PCs is one thing, but securing a range of different medical scanners, X-ray machines, heart monitors and computerised drips is quite another.
A better approach
Faced with these challenges, healthcare providers need to find ways to improve the security around data, systems and devices.
One way is to use recognised regulatory frameworks as a guide for what security measures should be implemented. The National eHealth Security and Access Framework is a blueprint based on international standards and has been tailored for Australian healthcare organisations. There are also guidelines relating to the Federal Government's My Health Record initiative that can improve the security of stored patient data.
When it comes to the technical aspects of IT and data security, the same practices that work in other sectors will also work for healthcare providers. It's simply a matter of keeping the sector's specific challenges in mind when selecting security tools, services and strategies.
Care should be taken that networks are segmented to reduce the chance of unauthorised access. Older medical devices must also be protected from improper access or infection. There is also a need to have in place tools that allow patch management without disruption to device functioning. Where possible, these tasks should be automated to ensure the latest patches are deployed as quickly as possible.
Information security is only going to become more important for healthcare providers, but by following recognised frameworks and putting in place necessary tools and processes they can be confident that critical data remains accessible while its integrity and confidentiality is retained at all times.
A Health Provider's Guide to Cyber Security
Cybersecurity is not keeping up with the requirements of the health providers. This whitepaper seeks to provide examples of how strategies can be applied to health care organisations to improve their information security posture.