Rethinking cybersecurity for healthcare

These four ideas can help protect your organization and customers

by AT&T Business Editorial Team

According to HIPAA, 2017 wasn’t such a bad year for the healthcare industry.

While breaches increased by 6 percent, the number of records exposed or stolen plummeted from 27 million in 2016 to just over 5.5 million this year.

On the other hand, reported ransomware attacks more than doubled, in part due to new guidance from the Office of Civil Rights. And though fewer records were exposed or stolen, the fact remains that, since 2010 – according to cumulative statistics from JAMA, Forbes and the U.S. Department of Health & Human Services – over 150 million Americans have had their data compromised.

“People are coming in for scheduled surgery and being told, ‘We can’t operate today because we’re in the middle of a ransomware attack’…this is where this gets real,” says Theresa Payton, president and CEO of Fortalice Solutions.

Thinking differently

Healthcare can present unique challenges; a ransomware attack could endanger lives. Yet, as necessary as they are, security protocols can’t stand in the way of patient care.

“In healthcare, it used to be old-school rules; you could develop your firewall and hide the data behind it," Payton says. "That rule has been broken."

Rather than a new list of best practices, these four bigger-picture ideas could potentially shift your cybersecurity paradigm.

1. Disconnect Social Security numbers

You often use it to open bank accounts, buy homes, and pay taxes. You’ve been carrying around that nine-digit code since birth. And that’s the problem.

“The Social Security number has outlived its usefulness,” said Rob Joyce, White House cybersecurity coordinator. “It’s a flawed system that we can’t roll back after a breach.” In other words, you can get a new credit card, but those nine digits can’t be replaced. Nor can your mother’s maiden name, your birthday or any of the “permanent data” that gets stolen along with that number.

Added Payton: “In healthcare I would be thinking, what do you want to use to create unique identifiers, how do you want to generate those?”

As an alternative, hospitals create unique, temporary patient identifiers that can be used, then retired. Permanently.

2. Make sure your segregated networks really are

When a “smart” thermostat can be a way in for hackers, segregating it from your guest Wi-Fi just makes sense. And yet…

“I can’t tell you how many times I’ve gone to a healthcare organization and they say, ‘Yeah, we’ve got physical and logical separation,’” Payton says. “And then we do a capture-the-flag exercise.”

The exercise – basically a white-hat hack – exposes the connections in “segregated” networks. Will separating them be too expensive or cumbersome? “That's where your kill switches need to be," Payton says.

3. Flip the switch, save the world

When a ransomware attack hobbled (among many other vital services) Britain’s entire hospital network, a young researcher discovered the “kill switch” that helped save companies, governments and healthcare providers millions of dollars.

Flipping the switch is like closing a steel door. It helps prohibit hackers who have gained access from moving laterally through your network, and allows you to continue serving patients with limited functionality. This would be the time to decide which functions are vital, and design a switch that can keep them running during an attack.

4. Take the ultimate step in network segregation

It sounds like a paradox: Data that’s accessible to everyone is invulnerable to hackers. But that’s blockchain: a decentralized network presenting no single point of vulnerability.

To hack one “block” of data in the “chain” means you have to hack them all.

Understanding how it works isn’t as important as grasping what it can do: safeguard hospitals, records and patients. Originally created for Bitcoin transactions, Harvard Business Review reports that “blockchain for healthcare is very early in its lifecycle, but it has the potential to standardize secure data exchange in a less burdensome way.” And in a much more secure way, too.

Rethinking your security strategy? Visit our cybersecurity solutions page for more information to help protect your organization and customers.