Spotlight On Healthcare: Information Security And Data Privacy

Information security and data privacy are critical concerns for healthcare organisations worldwide in today’s digital age. In 2022 global healthcare cyberattacks increased by 74%, and healthcare was the number two most attacked sector in the United States, an increase of 57% year on year. And there are no big surprises why healthcare gets the attention it does from cyber-criminals – it is a gold mine of valuable data and protected health information (PHI) coupled with legacy tech, poorly managed network systems, and budget and staff challenges. All of these make healthcare providers an easy target with potentially high rewards. 

The critical challenges for healthcare providers are two-fold; 

1. Patient Data: As the sector relies more heavily upon tech to deliver services, more sensitive patient information is stored and exchanged online. Healthcare providers must prioritise information security and data privacy to safeguard patients’ personal information.
2. Operational Delivery: Cyberattacks on healthcare organisations can disrupt critical healthcare services, such as patient care, medical research, and medical device functionality. Cybersecurity threats can also compromise the safety and accuracy of medical records and clinical data, leading to severe diagnosis, treatment, and medication errors.

This blog post will highlight the importance of information security and data privacy in the healthcare industry and the risks of neglecting them. We will explore the latest threats facing healthcare providers, such as ransomware attacks, phishing scams, and insider threats, and delve into regulatory compliance requirements, such as HIPAA, NIS2, GDPR and Privacy Act. Finally, we will discuss best practices for healthcare organisations to strengthen their infosec and data privacy posture.

Join us as we navigate the complex landscape of healthcare cybersecurity, and learn how healthcare providers can protect their patients’ data and maintain the integrity of their critical services.

The Cyber Threats Facing the Healthcare Sector 

Ransomware

Ransomware attacks are one of the most significant threats to healthcare providers. According to a recent Ponemon healthcare report, 60% of respondents listed ransomware as their biggest concern, and 40% stated they had experienced more than three ransomware attacks in the last two years.

These attacks involve hackers encrypting a healthcare provider’s data, rendering it unusable until a ransom is paid. If the ransom is not paid, the hacker may threaten to delete the data, causing significant harm to the provider’s operations and patient care or, in the case of Medibank in Australia, publish that data online, not only causing distress and damage to the patients affected but also substantial financial and reputational damage for the organisation’s failure to keep patient data secure and comply with mandatory regulations.

DDoS Attacks

DDoS attacks involve overwhelming a healthcare provider’s network with traffic to cause it to crash, rendering it unusable. This can impact the provider’s ability to access and use patient data, leading to delays in patient care and potentially compromising patient safety. Often, DDoS attacks serve as a distraction while bad actors deploy more sinister malware on their victim’s network.

The ongoing cyberattack tactics of KillNet perfectly demonstrate the impact a DDoS attack can have. This hacktivist group has been actively targeting the US healthcare sector, causing service outages of many hours, resulting in appointment delays, inability to access electronic health records, and ambulance diversions.

Third-Party Providers + Supply Chain Attacks

Healthcare providers are only as secure as their third-party providers and supply chain. Anyone accessing a health organisation’s systems can maliciously or accidentally compromise protected data and service delivery causing anything from short to long-term service outages impacting patient care, service delivery and the financial bottom line.

According to the Ponemon Healthcare Report, 71% of healthcare organisations believe they are susceptible to supply chain compromise. On average, 50% of healthcare organisations have suffered more than four supply chain attacks that prevented them from delivering services in the last two years. 

The Internet of Things (IoT)

The rising adoption of the internet of things (IoT) in healthcare is another technology trend with troubling security implications. As healthcare providers’ systems are increasingly connected to other medical and operational systems, there’s also been a significant move towards internet-connected medical devices such as insulin pumps and pacemakers.

IoT’s increasing connectivity could jeopardise medical providers’ ability to deliver services, the safety of their patients and the operability of their business. These devices contribute to IT sprawl, lack adequate built-in security measures, and increase healthcare providers’ attack surfaces and the health and well-being of those patients using connected medical devices. Alarmingly, 63% of healthcare organisations claim to have experienced a security incident due to unmanaged IoT devices in the last 12 months.

The Impact of Poor Infosec and Data Privacy Practices in Healthcare 

A failure to take information security and data privacy seriously can profoundly impact patients, healthcare providers, and healthcare organisations. 

Healthcare Provider Consequences

If a provider’s system is breached, it can lead to disruptions in patient care, treatment delays, and revenue loss. Providers may also face legal and financial consequences, including fines and legal action, if they are found to be non-compliant with data security regulations.

Additionally, healthcare providers may experience damage to their reputation and loss of patient trust following a cybersecurity breach. Patients who feel that their privacy has been compromised may be less likely to seek care from that provider in the future, which could have long-term financial consequences for the provider.

Patient Care Consequences 

Though cybersecurity may cost healthcare providers billions of dollars in lost revenue, payouts and reputational damage, the most immediate and obvious consequence is the potential impact on patients. If a cyber-attack renders a facility or healthcare organisation inoperable, patients who require timely care may not get it. 

At the same time, millions of people around the globe already have poor access to healthcare. It is a well-known fact that there is a significant shortage of healthcare providers, meaning that patients often have to wait weeks or months before they can see a physician. Therefore, when poor information security and data privacy practices cause delays to patient care, it can significantly deteriorate the health conditions of millions of people and communities worldwide.

Compromised patient data can also lead to other adverse outcomes, including identity theft, financial fraud, and medical fraud. Patients may also be at risk of having their personal health information (PHI) exposed, which can have a range of negative consequences, such as discrimination by employers or insurers, social stigma, and embarrassment.

The impact of poor infosec and data privacy practices can have significant repercussions when they tangibly affect patient lives. Thus, cybersecurity infrastructure is undoubtedly a top priority for healthcare providers.

What Are the Key Cybersecurity Regulations in Healthcare

The General Data Protection Regulation (GDPR)

GDPR is a European Union (EU) regulation which took effect on May 25, 2018. It applies to all organisations that process the personal data of EU residents.

The GDPR imposes specific requirements on organisations processing personal data within the healthcare sector. Healthcare organisations must process personal data legitimately, including obtaining valid consent from individuals or for medical treatment. Individuals have enhanced rights under GDPR, including the right to access their data, rectify inaccuracies, request deletion, and restrict processing. 

When processing activities are likely to pose a significant risk to individuals’ rights and freedoms, healthcare organisations must conduct a data protection impact assessment (DPIA). They must also implement technical and organisational measures to ensure data protection by design and default, such as pseudonymisation, encryption and authentication. Additionally, healthcare organisations must report personal data breaches to individuals and authorities within 72 hours of becoming aware of the incident. 

GDPR also requires healthcare organisations to appoint a data protection officer (DPO) to ensure compliance and serve as a point of contact for individuals and authorities.

Data Protection Act 2018 

The Data Protection Act 2018 (DPA 2018) is a UK law that sets out how personal data should be processed, stored, and used. It outlines several requirements related to cybersecurity in the healthcare sector.

The law requires healthcare organisations to conduct thorough risk assessments of their data processing activities, including cybersecurity practices, to identify potential vulnerabilities. And then implement appropriate technical and organisational measures to ensure personal data security, including encryption, access controls, and regular security testing.

The law also includes strict rules around breach notification, where healthcare organisations must report any data breaches to the relevant authorities within 72 hours of becoming aware of the breach.

Healthcare organisations must ensure that any third-party processors they work with comply with the act, including cybersecurity requirements.

NIS 2 

NIS 2 (the EU Directive on Security of Network and Information Systems) outlines several requirements related to cybersecurity in the healthcare sector. These include:

1. Identification of essential services and operators: Healthcare organisations must identify the essential services and operators necessary to maintain critical societal and economic activities.
2. Risk management and incident reporting: Healthcare organisations must conduct risk assessments and implement risk management measures to ensure the security and resilience of their systems and networks. They must also report incidents to the relevant national authorities and take appropriate steps to mitigate the impact of the incident.
3. Security measures: Healthcare organisations must implement appropriate technical and organisational measures to ensure the security and resilience of their systems and networks. These measures must include measures to prevent unauthorised access, protect against malware and other cyber threats, and ensure the availability of critical services.
4. Cooperation and information sharing: Healthcare organisations must cooperate with other operators and public authorities to safeguard the security and resilience of their systems and networks. They must also share information on threats and incidents with relevant organisations and authorities.
5. Compliance and enforcement: Healthcare organisations must comply with the requirements of NIS 2 and any other applicable cybersecurity regulations. National authorities are responsible for enforcing compliance and may impose sanctions for non-compliance.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a law that safeguards health information against unauthorised access and disclosure in the United States. Covered entities, typically healthcare providers, must comply with stringent security standards to protect this information.

Following HIPAA, covered entities must implement robust security measures when handling protected health information (PHI), such as encryption, authentication procedures, and other safeguards, to prevent unauthorised access or disclosure.

Moreover, HIPAA mandates that covered entities inform individuals of their legal rights. This includes providing notice of who can access their PHI, how to request copies, and what happens if they change their minds about sharing the information.

The Australian Privacy Act 1988 (Privacy Act)

This law outlines healthcare providers’ requirements to protect their patient’s personal information from cybersecurity threats. Some of the key provisions of the Privacy Act related to cybersecurity in the healthcare sector include:

1. Data Security: Healthcare providers must take reasonable steps to protect the personal information they hold from misuse, interference, loss, and unauthorised access, modification or disclosure. They must have appropriate security measures to prevent cybersecurity threats such as hacking, malware attacks, and unauthorised access.
2. Notification of Data Breach: In case of a data breach, healthcare providers must notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as possible. The notification must include the nature of the breach, the kind of personal information involved, and the steps taken to mitigate the risk of harm.
3. Privacy Impact Assessment: Before implementing new technologies or processes involving personal information handling, healthcare providers must conduct a privacy impact assessment (PIA) to identify and assess the risks to the privacy of individuals. This process must include a review of cybersecurity risks and the measures in place to mitigate them.
4. Third-Party Providers: If healthcare providers use third-party providers for services such as cloud computing or data storage, they must ensure that these providers comply with the Privacy Act’s requirements. This includes ensuring the third-party provider has appropriate cybersecurity measures to protect personal information.

The Consequences of Not Complying With Healthcare Cybersecurity Regulations 

The implications of not complying with healthcare information and data privacy regulations can be severe, including legal, financial, and reputational consequences.

In the UK, failure to comply with data protection regulations can result in fines of up to 4% of an organisation’s global revenue or £17.5 million (whichever is higher), as well as potential legal action and reputational damage.

In the US, HIPAA violations can result in significant financial penalties, with fines ranging from $100 to $50,000 per violation (up to a maximum of $1.5 million per year for each violation category). In addition to fines, healthcare organisations may face negative publicity, loss of business, and legal action from affected individuals.

In Australia, non-compliance with privacy regulations can result in penalties of up to $2.1 million for organisations and $420,000 for individuals, as well as potential legal action and reputational damage.

In addition to these specific consequences, non-compliance with information and data privacy regulations in healthcare can have broader implications for patient safety and trust. In that case, it can lead to serious harm to patients, erode confidence in healthcare providers and institutions, and damage the reputation of the healthcare industry as a whole.

A Standards-Based Approach to Healthcare Cybersecurity

For organisations looking to comply with the multiple cybersecurity, data and information security regulations in the healthcare space, certification against ISO 27001, for information security and ISO 27701, for data privacy could be a decisive first step.

Many of the healthcare regulations themselves mention that any steps companies take to comply should consider “compliance with international standards,”. For example, the technical guidelines issued by the European Union Agency for Cybersecurity (ENISA) for NIS 2 map each security objective to several best practice standards, including ISO 27001. 

An ISO 27001- compliant information management system (ISMS) enables organisations to reduce their risk and exposure to security threats by identifying the relevant policies they need to document, the technologies to protect themselves and the staff training to avoid mistakes. They also mandate that organisations conduct annual risk assessments, which helps them stay ahead of the ever-changing risk landscape.

When implementing an information security framework, organisations gain a clear and consistent structure for organising and storing data, making it easier for companies to make informed decisions. This can lead to better strategic planning, incident management, and regulation compliance. Additionally, clear privacy policies provide a structured approach to handling any privacy incidents, which can also reduce downtime.

Once established, adding any additional HIPAA, GDPR and regional regulatory requirements is much simpler. ISO 27001 can also be independently certified, providing evidence to suppliers, stakeholders and regulators that you have taken the “appropriate and proportionate” technical and organisational measures.

In summary, an ISO 27001 standards approach can benefit healthcare companies looking to comply with multiple healthcare regulations because it helps meet regulatory requirements, protects sensitive patient data, builds trust with patients and stakeholders, improves overall security posture, and provides a framework for continuous improvement.

Achieving Effective Information Security and Data Privacy Has Never Been More Critical

Healthcare organisations and providers must prioritise cybersecurity measures to protect their data and systems. This includes implementing technical safeguards, such as firewalls and encryption, and establishing policies and procedures for data privacy and security. Employee training and awareness programs can also be critical in preventing security breaches, as employees are often the first line of defence against cyberattacks.

Prioritising cybersecurity in healthcare is not just a matter of compliance or risk management – it is a critical responsibility to protect patient data and ensure patient safety. Healthcare organisations and providers must take action to implement robust cybersecurity measures to safeguard their data and systems and to maintain the trust and confidence of patients and stakeholders.

Strengthen Your Healthcare Compliance Today

If you’re looking to start your journey to better information security and data privacy, we can help.

Our ISMS solution enables a simple, secure and sustainable approach to data privacy and information management with ISO 27001 and supercharges other frameworks such as HIPAA, GDPR and more. Unlock your healthcare compliance today.

Speak To An Expert