By Susan Biddle, Sr. Director of Government, Education and Healthcare Industry Solutions, Fortinet
Medical practice consolidation is a growing trend, with smaller practices being bought out by larger healthcare systems. One intriguing result of this wave of mergers and acquisitions is the tendency of the acquiring medical system to act like a security SaaS provider to the smaller acquired practice.
Because these practices are smaller, they often don’t have the IT or security expertise that some of the larger practices can afford. This buy-in helps the acquiring healthcare system get more thorough and secure access to patient information, and both organizations are more likely to avoid the many cyber risks endemic to the healthcare industry.
Many Threats to Healthcare Data
Experian predicts in its 2017 Data Breach Industry Forecast that healthcare organizations will be the most targeted sector. The reason they are top targets for cybercriminals is the nature of the data they are protecting. Patient health information is, on average, 10 times more valuable on the black market than the traditional credit card. Whereas credit card fraud is quickly detected and the card is deactivated, personal health information is difficult to mark as fraudulent and can be used for drug or other medical fraud for months or years.
Protecting patient information is a priority, one made more difficult with the transition to electronic health records. In the shift from paper to paperless, security wasn’t always the primary focus. The federal government responded with strict HIPAA standards. So far in 2017, there have been nine HIPAA settlements resulting from failure to adhere to security requirements for this data. Sometimes security budgets are tied into IT budgets, and if healthcare organizations have to choose between a life-saving technology and a back-end system, they are more likely to choose the former.
In addition, the rise of the Internet of Medical Things (IoMT) has opened the doors to improved processes and patient care, as well as to increased risk. As of 2014, healthcare IoT was valued at nearly $25 billion – and these investments are expected to increase dramatically, according to P&S Market Research. The demand for better-connected healthcare systems, remote patient monitoring devices and more are all expected to lead to a CAGR of 37.6 percent through 2020.
These connected devices have expanded the surface area for possible attacks. As noted above, many smaller healthcare practices lack adequate security capabilities. As a result, attackers are not only exploiting inadequate IT security to gain unfettered access to networks and data, but actual control of IP-enabled medical devices themselves – which could be deadly.
Ransomware is another major industry concern. In the past year, there have been multiple instances where ransomware was used as a means for care disruption or quick financial wins. At a recent College of Healthcare Information Management Executives (CHIME) conference I attended, one CIO of a large integrated health system noted that although no patient information was compromised, the organization was offline for 11 days due to the Petya Ransomware attack in June. Healthcare institutions are often pressured into paying the ransom, as prolonged downtime can be damaging to reputation and, more importantly, patient safety.
With so many connected pieces of medical equipment and different types of software being run, cybersecurity is a huge challenge for healthcare organizations. Inadequate budgets and a lack of skilled security personnel are a combination cybercriminals can’t resist. Consequently, nine out of ten healthcare organizations have suffered a breach in the past two years, according to a Ponemon study, and the data shows that these breaches could be costing the industry upwards of $6 billion.
Best Practices for Symbiotic Security
If healthcare providers can’t figure out how to safely adopt IoMT and operate in the digital age, they won’t survive. One of the benefits of consolidations, mergers and acquisitions is that the acquiring practice is oftentimes now acting as a SaaS provider for the smaller, acquired practice – including providing cybersecurity. Because networks are more complicated than ever before, security is only as strong as its weakest link.
However, if the bigger acquiring organization employs cybersecurity best practices, they can onboard acquired practices on their network quickly and safely.
- Technology. Adopt a single, automated unified threat management (UTM) strategy to on-board acquired care facilities. This involves multiple levels of security organized through a single integrated portal with capabilities to detect, isolate and prevent threats from permeating the network. More importantly, UTM organizes your increasingly distributed network infrastructure, providing IT teams with clear, single-pane-of-glass visibility into the network and centralized control over policy orchestration and threat response. This eases the strain of onboarding and managing newly acquired medical offices on your already overstretched IT team.
- Timely updates. Conduct an inventory assessment and make sure to keep your software updated. This is quite challenging but critical, because unpatched software vulnerabilities are a primary way ransomware gets into your systems.
- Training. Educate your newly acquired facility so that its staff can be a part of your security strategy. This is extremely important, as much of the ransomware today is delivered through phishing emails with zip attachments containing malicious documents. Mandating security awareness education, so that staff recognize the signs of a cyber attack and avoid and report suspicious behavior, can help reduce the chance of being victimized by attackers.
- Finally, back up. Back up often. Back up always. Put an extensive back-up plan and disaster recovery in place. Then, store those back-ups safely offline on a separate device that an infection can’t get to. That way, if you do get infected from your newly acquired medical facility, you can recover from it quickly.
A well-informed staff, combined with a robust and automated cybersecurity and threat intelligence program, scaled to fit the size of your acquired care organizations, will reduce the impact of cyberattacks through early prevention and detection and proper onboarding.
About the author:
Susan Biddle is the senior director of government, education and healthcare industry solutions at Fortinet. She is a high technology and healthcare marketing executive with over 15 years’ experience driving new solutions from concept to market, managing diverse cross-functional teams and developing highly effective marketing programs. Biddle has expertise in strategic planning, market segmentation and research methodologies. She has a strong background in product and solutions marketing, demand generation and key IT infrastructure solution areas for the health and life sciences industry, such as translational research, digital health and connected care.