Over the past 18 months, the amount of health data collected and transmitted using cloud computing has exploded. As a result of the Covid-19 pandemic, many forms of care and treatment were upended as clinics and healthcare providers were forced to offer virtual consultations and telehealth services. According to research from the Centers for Disease Control, the number of telehealth visits during the third week of March, 2020, increased by 154% when compared with the same period in 2019.
The massive expansion in online healthcare means that providers must take responsibility for a larger and deeper pool of information. But despite the increasing scope of the challenge, many organizations have failed to adopt the necessary measures to secure their data. According to our recent data of global cybersecurity threats based on responses from 2,600 respondents, one third of healthcare organizations encrypt less than half their data. By leaving large portions of their data virtually unprotected, these organizations are inviting bad actors to view and access sensitive personal information. And while not all data is created equal, as the industry deepens its dependency on the cloud, healthcare organizations cannot fall victim to the increasing complexity of these cloud environments.
Risking a breach
Perhaps the most concerning figure pulled from the healthcare industry in our data is that more than one third of respondents reported having experienced a data breach in the cloud. With healthcare data sitting at the intersection of personal identifying information, billing data, and diagnoses, a single data breach can provide bad actors with ample opportunities for fraud and identity theft. According to Experian, medical records can sell for as high as $1,000 on the dark web.
Unencrypted data is easily visible and accessible to unauthorized users, and standard encryption measures offer the bare minimum for protecting information in a cloud environment. Healthcare organizations must begin with encryption and key management to establish a basic level of security around their data. But as emerging threats such as quantum computing loom on the horizon, healthcare providers should take additional steps to protect their assets for years to come. The need is urgent: even if bad actors don’t have the tools yet to make sense of stolen data, the next generation of hacking tools will be able to break many of today’s most common security protocols.
The future of data protection for high-stakes industries like healthcare and finance should take the form of a “Zero Trust” architecture; not only do these solutions require users to verify their identity each time they need to access sensitive data, but they also limit access only to the specific assets authorized for each individual user. In this architecture, encryption and continuous validation enable a system to expand and incorporate new data without increasing the risk of a breach. Healthcare providers must also recognize that every employee could unknowingly provide entry for cybercriminals; every member of the organization should be trained and retrained on a regular basis to remain up-to-date with security protocols and best practices.
Recent high-profile breaches such as the Colonial pipeline ransomware attack have demonstrated the devastating consequences of failing to maintain adequate security measures. With sophisticated hacking groups becoming more ambitious in the scope of their attacks (and the size of their demands), the threat continues to grow on a daily basis. Most recently, Ireland’s Health Service Executive was attacked by a hacking group, leading to widespread appointment cancellations and forcing healthcare providers to revert back to paper recordkeeping.
As data breaches increase in size, and as large organizations demonstrate their willingness to pay ransom, it only becomes a matter of time before more healthcare organizations are the subject of a coordinated attack. From large hospitals to local doctor’s offices, health leaders must review their security measures to ensure that they can withstand both current and future cyberattacks. Trust is at the core of every doctor-patient relationship, and we must be able to trust our healthcare providers to protect our most sensitive information.
Photo: Traitov, Getty Images