Prescription for Protection: Cybersecurity Measures for Health Care Professionals

As number of computing devices has exponentially increased, so has the risk surface area of the information technology (IT) system. Securing data effectively is especially relevant in regulated industries such as health care. Health care organizations often have extremely sensitive and confidential information, such as personally identifiable information, financial information, and protected health information. Patient trust in health care organizations is based on a sacred foundation of confidentiality, which can be violated during a cyberattack.

The Rise of Cybersecurity Threats

Image credit: sarayut_sy | stock.adobe.com

Cyberattacks are activities that are used to disrupt, steal, alter, destroy, or degrade data.¹ If successful, these can result in a data breach, whereby an unauthorized person or group gains access to information without permission. In February 2024, a cyberattack on Change Healthcare resulted in a significant disruption in medical billing and reimbursement for several weeks. Change Healthcare billing software is used by 33,000 pharmacies, 5500 hospitals, and 900,000 physicians across the United States.² The consequences of this attack were widespread as patients experienced delays in care and practitioners saw uncertainty in reimbursements.

The number of patient health care records exposed, stolen, or illegally disclosed increased from 7 million in 2018 to 38 million in 2019.¹ Attacks within health care organizations can be disruptive for delivery of quality patient care and jeopardize patient safety. The hacker’s motivations for conducting these attacks can include notoriety, financial gain, or an aim to simply disrupt routine operations. A health care organization’s top priority is to effectively manage the health of patients, not necessarily to safeguard data. Certain industries, such as health care and energy, are selectively targeted for cyberattacks as these offer the potential to yield high value for hackers. The data that can be taken—financial information, protected health information, and sensitive information—have high monetary and intelligence value.³

The COVID-19 pandemic increased the number of computing devices as telehealth became more prevalent.⁴ The integration of these devices has led to overall positive benefits, such as precise health care delivery and communication, but there are challenges associated with safeguarding data.³ As the number of connected devices increases within a health care organization (computers, vital monitoring devices, etc), so does the surface area or overall risk exposure to cyber threats.⁵ With each new device connection, potential weaknesses in one device can be exploited to gain access in other connected devices. This concept allows a hacker to gain a backdoor entrance to other devices or programs (eg, servers, computers). Safeguarding health care data is critical to establishing, maintaining, and sustaining patient trust in the organization.

The Pillars of Information Security

To better understand how health care practitioners can help safeguard health care data, a review of the pillars of information security is necessary. Confidentiality, integrity, and availability (CIA) are the 3 pillars of information security, often referred to as the CIA triad. At the basiclevel, these cover relevant factors related to the design, deployment, and maintenance of IT systems. Although there are portions of each pillar reserved for IT professions, health care practitioners all have responsibility within each pillar to safeguard data.¹ Each pillar is defined along with examples of cyber breaches as follows:

• Confidentiality is the protection of data from unauthorized access.6 Confidentiality can be violated through various methods, including data breaches, insider threats, social engineering, and brute force attacks.
  • Data breaches can occur when sending health care records to the wrong address, giving the recipient unauthorized access to the records.
  • Insider threats are executed by people employed by the organization who intentionally or unintentionally access records when their job responsibilities do not require access.¹ An example might be security personnel who can log in to view patient information in an electronic health record.
  • Social engineering is a category of techniques that aim to manipulate people to provide specific information or perform an action. An example could be an email directing the recipient to a seemingly legitimate website that prompts for log-in credentials. When a log-in is tried, hackers can obtain the log-in credentials provided. Hackers can also physically attack IT infrastructure by presenting with false credentials and/or uniforms to gain access to servers or other essential equipment.
  • Brute force attacks occur when hackers try to gain access by cracking passwords or credentials through trial and error. Simple log-in passwords are highly vulnerable to this type of attack.
• Integrity is the accuracy and consistency of data as well as the completeness and reliability of those systems.6 Integrity can be violated through data corruption, a bug, a glitch, or a hardware malfunction that causes inaccurate transmission and storage of data. Malicious software (eg, worms, viruses, ransomware) can influence data integrity when a hacker injects the malware into the IT system with the potential to change data, cause damage or disruption, and/or tamper with data to change it without authorization.
• Availability is the ability of users to access systems and information when needed.⁶ This concept is especially relevant during times when the IT systems are stressed (eg, cyberattacks, natural disasters). Availability can be violated when a cyberattack overwhelms an IT system’s capacity to continue functionality, such as a distributed denial-of-service attack.

Role of Health Care Practitioners in Securing Data

It is not reasonable to believe that IT professionals are solely responsible for safeguarding IT systems. These actions are strategies that health care practitioners have a responsibility to emphasize. The entire health care team should implement and maintain practices that support safeguarding data.¹ The following recommendations will focus on the steps health care practitioners can take and are not a comprehensive list of strategies.

People are often identified as the weakest link within an IT system. Every person working for the health care organization has a responsibility to effectively manage, respond, and mitigate the risks of cybersecurity threats.¹ Social engineering attacks often take place in this manner. The general aptitude of people to aid others when they are requesting help enables social engineering, and this goodwill can be taken advantage of when the aid request originates from a hacker. To remedy these problems, it is necessary to provide both awareness and training programs that address and apply directly to the audience.⁴ However, providing generalized awareness and training may not be sufficient. The following list contains key cybersecurity strategies, which should be implemented in a health care organization’s IT system:

• Encryption. One of the core components of data security is encryption, which can safeguard data during storage and transmission.^6,7
• Access controls. Health care practitioners should be aware of and report instances where inappropriate user privileges are found. For example, it may not be appropriate for a custodial staff member to have access to retrieve controlled substances. Lists of authorized users for each system and program should be reviewed, updated, and proactively managed on a routine basis.
• Physical controls. Health care practitioners should ensure that IT infrastructure is physically secured through physical security deterrents such as locks on restricted access areas, which limit access only to people who have a legitimate need for access.⁷ Do not unlock or prop doors open in areas where IT infrastructure is stored. Consider securing desktop computers to furniture and keeping line of sight for dedicated laptops.
• Policy and procedures. Policies and procedures should emphasize acceptable practices and provide accountability to those computing practices. Include regular training that seeks to educate, train, and emphasize effective cybersecurity practices.⁸
• Least privilege principle. Users should have the minimum necessary privilege to complete duties assigned to the position. Administrative user privileges should be assigned only to those who truly need them; not every user should have administrative privileges. Restricting administrative privileges helps to mitigate damage from a user account that has been compromised. If health care practitioners find administrative privileges when they are not needed, they should request lesser privileges.
• Updates. Users should ensure that IT system updates are installed, maintained, and implemented. Software providers regularly check, assess, and publish updates to safeguard against weaknesses or vulnerabilities while also providing system stability.⁷ Health care practitioners should ensure that updates are automatically applied as soon as is practical.
• Downtime procedures. Plan for and be prepared for times when programs or IT services are unavailable, such as during a cyber incident or environmental emergency, and ensure people are trained on processes and procedures for such occurrences. Test those processes and procedures to find gaps in effectiveness and adjust accordingly. IT services could be unavailable for extended periods, so ensure that communication with stakeholders (eg, patients, employees, managers) is predictable, consistent, and frequent regarding updates on returning to service.

Final Thoughts

The evolution of health IT has yielded benefits for the enhanced delivery of patient care. Hackers selectively target health care data for their high-value, sensitive, and confidential nature. All health care practitioners have a responsibility to safeguard data through understanding of key cybersecurity concepts.¹ Safeguarding health care data not only minimizes disruptions in patient care but also sustains patient trust in the organization. Maintaining patient trust has the potential to improve health outcomes, quality of life, and perceptions of quality care.

References

1. Chua JA. Cybersecurity in the healthcare industry. Journal of Medical Practice Management. 2021;36(4):229-231. Accessed June 10, 2024. https://www.proquest.com/scholarly-journals/cybersecurity-healthcare-industry/docview/2504871270/se-2.5

2. Dyer O. US hospitals face collapse as cyberattack on UnitedHealth cuts revenue streams BMJ. 2024;384:q686 doi:10.1136/bmj.q686

3. Bhosale KS, Nenova M, Iliev G. A study of cyber attacks: in the healthcare sector. Presented at: 2021 Sixth Junior Conference on Lighting; September 23-25, 2021. doi:10.1109/lighting49406.2021.9598947

4. Nifakos S, Chandramouli K, Nikolaou CK, et al. Influence of human factors on cyber security within healthcare organisations: a systematic review. Sensors (Basel). 2021;21(15):5119. doi:10.3390/s21155119

5. Buzdugan Au. Integration of cyber security in healthcare equipment. Presented at: 4th International Conference on Nanotechnologies and Biomedical Engineering; September 18-21, 2019. doi:10.1007/978-3-030-31866-6_120

6. Rizwan M, Shabbir A, Javed AR, et al. Risk monitoring strategy for confidentiality of healthcare information. Comput Electr Eng. 2022;100:107833. doi:10.1016/j.compeleceng.2022.107833

7. Javaid M, Haleem A, Singh RP, Suman R. Towards insighting cybersecurity for Healthcare Domains: a comprehensive review of recent practices and Trends. Cyber Security and Applications. 2023;1:100016. doi:10.1016/j.csa.2023.100016

8. Thamer N, Alubady R. A survey of ransomware attacks for healthcare systems: risks, Challenges, Solutions and opportunity of research. Presented at: 2021 1st Babylon International Conference on Information Technology and Science; April 28-29, 2021. doi:10.1109/bicits51482.2021.9509877