The number of healthcare breaches nearly doubled in the first five months of 2022 in comparison to the same period last year, according to the US government.
This isn’t a surprise. More data is being collected and used in vital systems and processes to facilitate patient care than ever before, creating plenty of potential vulnerabilities for hackers to attack.
An RBC Capital Report records that 30% of data worldwide is rooted in the healthcare industry. The number is expected to be 36% by 2025 as the compound annual growth rate of healthcare data increases—faster than manufacturing, media, and financial services.
It’s a gold rush’s worth of data ready to be mined by hackers eager for a payout. This means attacks on healthcare are rising, and health-tech companies are right in the line of fire.
So what’s happening, and what can health-tech companies do to prioritize data security in 2023?
Look behind the shadow
Hackers no longer look like the stereotype of a teenager hidden away in their bedroom. Elite organized crime groups are now the brains behind modern hacking activities.
These groups recruit computer scientists out of grad school and are often hired for state-sponsored activities. However, nothing is stopping them from also participating in lucrative illegal activities.
Attackers want to disrupt infrastructure in ways that result in a payout. Where robbers used to hold up banks, hospitals have become much more attractive targets because their rapid digital transformations have left them vulnerable to attack.
As healthcare has come to rely on more patient data, for things like asynchronous working and the digitization of electronic health records (EHR), the additional endpoints give hackers more places to enter systems and cause havoc.
Data systems are now a hospital’s most crucial tool, and if a hacker takes control, it can be tempting for hospitals to pay. While government guidelines recommend refusing to negotiate, hospitals are left exposed on all sides.
Hospitals are sandwiched between duplicitous hackers and the possibility of being sued by patients if they don’t pay and governments if they do. Protecting data systems before an attack occurs must be a top concern for hospitals and health-tech companies in 2023.
Consider the consequences
Hospitals are legally required to release details of an attack to the public if the breach affects 500 or more patients. However, with so many challenges to face from patients, governments, and press coverage, hospitals are currently shouldering this burden alone.
Health-tech companies must take a proactive approach to data security to ensure they are best protected in 2023. Without safe and validated security systems, sensitive patient and hospital data are at risk of being released to the public. Depending on where a data breach attack occurs, this could have varying severity in its implications for the patients involved.
From my personal experience as CTO for a medical learning platform, we have always protected and anonymized individual data. Visualizing data is good, but so is privacy. We wouldn’t want anyone to be compromised professionally by using Firefly Lab, which shows that protecting healthcare data is vital for both patients and hospital staff.
In a data leak, you might not mind a potential employer knowing you broke your arm, but something more sensitive might start to create roadblocks in your career. In the United States (US), most citizens have healthcare tied to their employment. Unfortunately, this means that if an employer found out and looked disapprovingly at your mental health treatment, it could negatively influence their decision in an upcoming promotion, for instance.
Recent developments with abortion rights in the US make certain kinds of patient data even more sensitive. When it’s legal to get an abortion in one state but not another, what happens if a list of patients who have undergone the procedure is released? It’s one thing when it happened in Australia, where abortion is legal country-wide, but how would we have dealt with it in our legal system divided as it is?
Both health-tech and our legal systems need to face what could be the reality of an attack in 2023.
Practice preventative measures and counter-attacks
Hospitals can pre-empt an attack by practicing data recovery. IT departments need to ensure a backup is ready and know the system’s procedures for restarting. This type of drill means less stress if an attack does occur, as you’re following a plan, not acting on the fly.
Following the principle of least privilege is one way hospitals can tighten their security. It means staff have only as much data access as they need to do their job. Data scientists can still perform highly insightful analyses on encrypted data: individual records don’t have to be visible to be valuable for seeing trends and patterns.
Using the principle of least privilege, people are prevented from accidentally or purposefully putting data at risk. Ensuring everyone in the hospital uses multi-factor authentication (MFA) is also a simple recommendation.
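As an added illustration of the least-privilege and trend-analysis points above (example code written for this article, not Firefly Lab’s or any hospital’s system), the following Python sketch gives a clinician identified records only for their own care team, gives an analyst pseudonymized rows with small cohorts suppressed, and refuses everyone else. The record rows, role names, salt and cohort threshold are all constructed for the example.

```python
"""Least-privilege access to a constructed patient-record store."""
from collections import Counter
import hashlib

# Constructed sample EHR rows; no real patients.
RECORDS = [
    {"mrn": "MRN-0001", "name": "A. Patient", "diagnosis": "fracture", "ward": "ortho", "team": "team-a"},
    {"mrn": "MRN-0002", "name": "B. Patient", "diagnosis": "depression", "ward": "psych", "team": "team-a"},
    {"mrn": "MRN-0003", "name": "C. Patient", "diagnosis": "fracture", "ward": "ortho", "team": "team-b"},
    {"mrn": "MRN-0004", "name": "D. Patient", "diagnosis": "diabetes", "ward": "endo", "team": "team-b"},
]

# Each role gets the minimum capability its job needs (assumed role names).
ROLE_CAPS = {
    "clinician": {"read_identified"},
    "analyst": {"read_deidentified"},
    "billing": set(),
}
MIN_COHORT = 2  # assumed threshold: groups smaller than this are suppressed in trend reports


class AccessDenied(PermissionError):
    pass


def pseudonym(mrn, salt):
    # Salted hash so analysts get a stable join key without the MRN itself;
    # the salt is assumed to live outside the analytics environment.
    return hashlib.sha256((salt + mrn).encode()).hexdigest()[:12]


def fetch_records(user, records=RECORDS, salt="constructed-salt"):
    caps = ROLE_CAPS.get(user["role"], set())
    if "read_identified" in caps:
        # Clinicians see full records, but only for patients on their own team.
        return [r for r in records if r["team"] == user.get("team")]
    if "read_deidentified" in caps:
        # Analysts never receive name or MRN, only what trend analysis needs.
        return [{"pid": pseudonym(r["mrn"], salt), "diagnosis": r["diagnosis"], "ward": r["ward"]}
                for r in records]
    raise AccessDenied(f"role {user['role']!r} has no patient-data access")


def can_access(user):
    try:
        fetch_records(user)
        return True
    except AccessDenied:
        return False


def trend_report(user, min_cohort=MIN_COHORT):
    # Counts per diagnosis; cohorts below the threshold are dropped so a
    # single patient cannot be singled out from an aggregate.
    counts = Counter(r["diagnosis"] for r in fetch_records(user))
    return {d: n for d, n in counts.items() if n >= min_cohort}
```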
But the responsibility shouldn’t rest only on hospitals and health-tech companies. Governmental organizations need to step in to create support networks that take the burden off unequipped staff. Ensuring that the national data security market doesn’t become a monopoly is another way the government can prevent the consolidation of providers from becoming an additional security risk.
Jonathan Jesneck is the co-founder and CTO of Firefly Lab, where he coordinates data security, machine learning, and the analytics of surgical and procedural training. As an enthusiastic technologist, he has been developing machine learning and data mining applications for complex systems for 20 years. He has founded and grown several technology companies focusing on large-scale analytics, machine learning, and medical data. At Duke University, he earned his Ph.D. in Biomedical Engineering and M.S. degrees in Statistics and Computational Biology and Bioinformatics.