Digital transformation in healthcare
Risk versus Reward
COVID-19 has disrupted the healthcare industry and accelerated the adoption of virtual care. Many leading healthcare companies had already begun a digital transformation journey, adopting mobile devices and cloud services. The pressure to innovate has never been more intense, with patients expecting better care based on service improvements in other industries. These new technologies are now especially important as providers put more focus on better data analytics and improved coordination across the ecosystem. Furthermore, these technologies have the potential to save lives. From mobile connectivity to cloud-based servers, everything is being streamlined, from accessing patient data and ordering prescriptions, to monitoring patient health and delivering remote diagnosis.
According to Verizon, 88% of healthcare organizations said their reliance on data stored in the cloud is growing, and 85% of healthcare organizations said that, within five years, mobile will be their primary means of accessing cloud-based services. The driving force for mobile adoption is the flexibility and efficiency it provides frontline workers: they can remotely access patient records from anywhere, and use apps to action medical workflows without having to return to an office and manually file records. However, there are risks. In the same report, Verizon notes that nearly two-fifths (38%) of healthcare organizations admitted to having suffered a compromise involving a mobile device in the past year.
This increased adoption of mobile and cloud technology brings many benefits to healthcare, but also increased risk — more devices outside the protected perimeter means a larger attack surface for cybercriminals to target.
The security threat to the public sector comes from a range of sources with diverse motives. Regardless of an attack’s origin, it can be both sophisticated and disruptive. Data managed by the public sector is often extremely valuable. Ernst and Young valued the UK’s National Health Service’s (NHS) data at £9.6bn per year, making it a prime target.
The value of a healthcare record on the black market is now higher than credit card details. According to a CBS report, medical records can sell for up to $1,000 each on the dark web, while social security numbers and credit cards sell for $1 and up to $110 respectively. Why? Because healthcare records often contain a lot of personally identifiable information (PII) in one neat package. Additionally, it can take months for a healthcare data breach to be discovered, enabling cybercriminals to extract much more valuable data. In contrast, credit card theft can be detected by a victim or their bank’s fraud team within minutes, and the card can be canceled immediately.
To make matters worse, healthcare organizations have more than data loss to worry about. When the National Health Service (NHS) suffered a ransomware attack in 2017, it led to disruption at hospitals across the UK. Thousands of patient appointments and operations had to be canceled or transferred to other clinics. When the stakes are that high, bad actors know a ransom will be paid out quickly.
The advantages mobile and cloud services bring to healthcare are far too great to be dismissed as ‘too risky.’ But can these technologies be protected so that healthcare organizations can safely adopt their use, allowing them to improve their services and care to patients and communities? This report will explore industry regulations that affect the safe handling of healthcare data, notable breaches that have impacted the industry, statistics that show which threats are impacting real users in the industry, use cases from leading healthcare organizations, and recommendations for the safe adoption of mobile and cloud technologies in the industry.
88% of healthcare organizations said their reliance on data stored in the cloud is growing.
85% of healthcare organizations said that within five years, mobile will be their primary means of accessing cloud-based services.
43% of healthcare organizations have seen attacks increase by between 26% and 50%, with a further 29% experiencing more than a 50% increase in attacks.
Healthcare industry regulations
With all of this new technology and a completely different patient care experience, is our personal health data still safe? And are healthcare services resistant to bad actors? Thankfully, regulations are in place and enforced to make sure healthcare organizations remain compliant by adhering to industry best practices.
In terms of regulations that apply to data handling in the US healthcare industry, the most common ones you’ll hear about are HIPAA (Health Insurance Portability and Accountability Act) and the more recent HITECH (Health Information Technology for Economic and Clinical Health) act.
HIPAA was enacted in 1996. This act laid the foundation for the standards that protect peoples’ sensitive health information, and it holds healthcare organizations accountable for data mishandling.
The HITECH Act was enacted in 2009. It promoted the adoption and meaningful use of health information technology, such as electronic health records (EHR) by offering incentives to medical groups. The HITECH Act also strengthens the enforcement of HIPAA law relating to data breaches. Furthermore, it puts more power in patients’ hands, as affected individuals have the right to request access to this information at any time.
HIPAA and HITECH are federal regulations, but healthcare organizations are also accountable to state privacy laws. When state and federal regulations conflict, organizations must default to whichever affords more protection to the patients, i.e., the stricter regulation.
Gartner predicts that by 2022, half of the planet’s population will have its personal information, which incorporates PHI (protected health information), covered under local privacy regulations in line with the General Data Protection Regulation (GDPR), up from one-tenth in 2019.
“With the move to a more collaborative and citizen-centric care environment, it is more essential than ever to balance legitimate privacy concerns with the benefits of sharing PHI.”
Gartner Hype Cycle for Healthcare Providers, 2019.
A newer regulation in the US, the Cures Act Final Rule, supports a patient-centric view in healthcare technology. It aims to give consumers full transparency on how their electronic health information is being accessed, shared and used at all times. Under this regulation, consumers will be able to better understand the cost and outcomes of their care and have better access to competitive options for medical treatments and services. It’s already hard to imagine getting by without an app for our healthcare providers and insurers.
A highly targeted industry
When it comes to the US healthcare industry, there is one place to go for information on data breaches: the US Department of Health and Human Services’ (HHS) breach portal, aka the “Wall of Shame.” It’s a database containing information about breaches of PHI.
The HHS released the portal in 2009 as part of the HITECH Act. HIPAA requires healthcare organizations to notify both the government and affected individuals of a breach within 60 days whenever 500 or more individuals are affected.
The breach portal highlights breaches currently under investigation within the last 24 months. Older breaches are archived, but still available to view on the site.
According to the HHS breach portal, data breaches affected 27 million people in 2019. Hacking/IT incidents accounted for the highest number of breaches last year, followed by unauthorized access or disclosure.
A recent paper published by JAMA Internal Medicine looked at the causes of data breaches posted to the Wall of Shame between 2009 and 2017. It found that while a significant number of the breaches were the result of outside theft (32.5%), over half (53%) were caused by internal mistakes or neglect. Of the internal mistakes, email mistakes were a major factor, with numerous cases of employees clicking on phishing emails, employees forwarding emails with PHI to their personal accounts, and accessing PHI without authorization.
This is consistent with the findings of the Verizon Data Breach Investigations Report (DBIR). In the 2020 DBIR, external actor breaches (51%) narrowly outpaced breaches perpetrated by internal actors (48%). According to the report, healthcare remains the industry with the highest number of internal bad actors.
Top 5 breaches by number of individuals affected, currently listed on HHS’s breach portal
Rank | Company | Individuals affected | Breach submission date | Type of breach | Location of breached information
---|---|---|---|---|---
1 | Optum360 | 11,500,000 | 01/07/2019 | Hacking/IT Incident | Network Server
2 | Dominion | 2,964,778 | 21/06/2019 | Hacking/IT Incident | Network Server
3 | Inmediata | 1,565,338 | 07/05/2019 | Unauthorized Access/Disclosure | Network Server
4 | Inova Health System | 1,045,270 | 09/09/2020 | Hacking/IT Incident | Email, Network Server
5 | Magellan Health Inc. | 1,013,956 | 12/06/2020 | Hacking/IT Incident | Email, Network Server
The US healthcare industry is not the only one held accountable for the reporting of data breaches. In the UK, health service organizations must use the NHS Data Security and Protection Incident Reporting tool. The tool reports serious data breach incidents to NHS Digital, the Department of Health, the Information Commissioner’s Office (ICO), and other regulators.
In Australia, eligible breaches must be reported to the Office of the Australian Information Commissioner (OAIC), under the Australian Privacy Act 1998. According to the OAIC, health service providers have consistently reported the highest number of data breaches compared to other industry sectors in recent years. According to a report by Stanfield IT, 47% of healthcare data breaches reported in Q2 2019 were caused by a malicious or criminal attack, with 25% caused by human error.
In Singapore, healthcare data is protected by the Personal Data Protection Act 2012 (PDPA). In 2018, SingHealth suffered what is believed to be Singapore’s largest data breach on record when a front-end workstation was infected with malware that allowed hackers to gain access to the database. The health records of 1.5 million patients were stolen, including the prime minister’s. According to investigations, SingHealth lacked an incident reporting framework, which meant it was unaware that the issue needed to be reported to Singapore’s Cyber Security Agency.
The prevalence of cyber security threats among healthcare organizations
To understand the prevalence of common security threats among employees in the healthcare industry, we looked at the subset of healthcare organizations in Wandera’s global database, which consists of tens of thousands of users from hospital workers, hospice care providers, and medical equipment manufacturers. We organized the threats below into high, medium and low severity, which is consistent with how they are presented within our product.
High-risk threats
Malware
An app that is specifically designed to disrupt, damage, or gain unauthorized access to a mobile device.
Healthcare organizations affected: 8%
Malicious network traffic
Network access from an app to a web service that is known to demonstrate malicious behavior. Can include downloading unauthorized software to a device, disrupting normal operation, or gathering sensitive information.
Healthcare organizations affected: 72%
Phishing
A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form.
Healthcare organizations affected: 56%
Man-in-the-middle attack
Includes the following:
- Compromised trust store: The device has been manipulated to fully trust unauthorized third-party certificates.
- SSL stripping: An intermediate server downgrades an encrypted connection so that it can pose as the genuine service.
- Targeted certificate spoof: An intermediate server presents a forged certificate in an active attempt to pose as the genuine service.
Healthcare organizations affected: 16%
Vulnerable OS (high risk)
An older version of an OS that is more vulnerable to known security exploits.
Healthcare organizations affected: 48%
Medium-risk threats
Potentially unwanted or vulnerable app
A potentially unwanted application is one that can cause harm to your device.
Healthcare organizations affected: 24%
Sideloaded apps
Apps that are not installed through official channels, such as through official app stores or an EMM, are unlikely to have gone through the rigorous quality checks expected of an app store release and therefore may be poorly written or malicious.
Healthcare organizations affected: 24%
Risky hot spots
SSL interception is taking place, but using an untrusted certificate (common for paid hotspots).
Healthcare organizations affected: 56%
Vulnerable OS (all)
An older version of an OS that is vulnerable to known security exploits.
Healthcare organizations affected: 56%
Configuration vulnerabilities
Includes the following:
- Jailbreak: A modified build of an operating system that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack.
- Lock screen disabled: Once the lock screen is disabled, the device encryption is rendered useless against physical attacks.
Healthcare organizations affected: 60%
Cryptojacking
A site designed to secretly hijack the target’s device to mine cryptocurrencies.
Healthcare organizations affected: 16%
Low-risk threats
Third-party app stores installed
Third-party app stores are applications that can download and install other applications. They might distribute malicious applications because those apps are not diligently tested against malicious behavior.
Healthcare organizations affected: 16%
How healthcare organizations are driving innovation with Wandera
Wandera has the privilege of working with some of the world’s most innovative healthcare organizations. Below are just a few short stories of how these organizations have partnered with Wandera to develop robust security strategies that protect employees, patients, and intellectual property from an ever-evolving threat landscape.
Aspen Medical, a global provider of healthcare solutions, was recently contracted by the Department of Health in Australia to support the setup of GP-led Respiratory Clinics (GPRCs) around Australia. As part of this project, Aspen Medical purchased 1,000 Samsung tablets and approximately 100 Apple iPads for clinic staff to document COVID-19 related health information in the GPRCs.
Aspen Medical was seeking a security solution for the tablets that would address several key requirements. First, it needed to defend the device against attacks that would risk the exposure of sensitive medical data. Second, the solution would need to provide protection to the GPRC staff from social engineering attacks, like phishing. Finally, it needed to guarantee the enforcement of acceptable use policies and control access to corporate resources.
Aspen Medical’s IT team purchased Wandera’s Security Suite, which includes protection against the full spectrum of threats, a data policy component to address shadow IT risks, and secure access to protected resources using zero trust principles. In just three months, Aspen Medical saw 682 security events blocked. This is a combination of outside-in attacks (like malware trying to communicate with command and control) and inside-out attacks (like users clicking on phishing links).
“In terms of risk, we identified that we needed a mobile security solution to further safeguard the tablets and iPads deployed to the GPRCs. Wandera already provides mobile security solutions to Aspen Medical and they quickly rolled out the Wandera security suite to the GPRC sites.”
Aspen Medical
Vitas Healthcare is the largest provider of hospice and palliative care in the United States. Vitas has two main user groups that participate in its mobility program. The first is its patient care staff. They are in the field, primarily working with patients in their homes, so mobile devices allow them to gain remote access to information relevant to patients. The devices are a means of connecting back to the company’s main database, where staff can update patient records and prescribe drug orders for patients. So mobile technology is critical in delivering patient care at Vitas. The second group is more closely aligned with Vitas’ sales force; its members are responsible for business development and sales activity, so they use devices when they are on the move to access emails and corporate resources.
Wandera was deployed by Vitas to protect devices from security threats and enable secure remote access to corporate resources.
“When I look at my RADAR dashboard in the morning and it’s got something like 3,600 to 4,000 blocks by Wandera, it makes me and my CISO very happy to know we have a product that protects us when we’re not looking and more so when we least expect it.”
Vitas Healthcare
Vitas was awarded the Best Technology-Enabled Process Improvement Project at the 2018 PEX Network Awards. Vitas’ mobile solutions earned this award for successfully improving the patient transition experience into hospice by putting mobile devices in the hands of field staff to relay important care information more efficiently. Mobile and cloud technologies have helped reduce time and errors incurred during patient admission and increased the speed to bedside by Vitas clinicians.
“In the world of security, you can’t assume that the blocks you’ve enforced in the past are going to protect you into the future. Wandera is helping us evolve and stay on top of fast-moving threats so we can continue to roll out transformative mobility programs.”
Vitas Healthcare
Berkshire Healthcare NHS Foundation Trust is a specialist mental health and community health services trust for the county of Berkshire in England. The organization has actively promoted remote working for a number of years, but the number of staff working remotely has dramatically increased during the COVID-19 lockdown. The IT team is supportive of flexible working, allowing staff to work where and when they want to, and ensuring that all the digital services they need are accessible.
This has the potential to rapidly increase mobile data use and security threats across its employee base.
“The Wandera solution gave us the answer that we needed, giving us the controls to manage how and what uses data through policies applied to the devices. Additionally, Wandera has improved our security posture across our remote workforce and reduced management time for both staff and IT support. We now have clarity of the potential security threats to our remote workforce and this allows us to take remediation action if a threat is discovered.”
Berkshire Healthcare NHS Foundation Trust
Gloucestershire Health and Care NHS Foundation Trust (GHC) uses 1,500 SIM-enabled laptops for clinical services across the UK. These laptops enable clinicians to provide care in the community and offer real-time access to clinical systems and other services that require an internet connection.
While in their offices, employees are able to connect their laptops to the secured Wi-Fi network, but with many of these users working remotely, access to cellular data is vital to keep the workforce productive.
The Wandera administration console has provided the Gloucestershire IT team with the needed analytics into security risks. Policy can be informed in real time, allowing administrators to take action where they see fit.
“Wandera has helped us achieve greater visibility and control over our cellular estate. We’ve got the peace of mind that we know it’s not physically possible for our staff to use non-work related apps like Netflix and Spotify when they’re using our SIM cards.”
Gloucester NHS Trust
Recommendations for securing innovative healthcare organizations
With healthcare data breaches now costing $7.13 million on average, we believe prevention is better than remediation. We recommend that healthcare organizations use this checklist for developing a modern security strategy:
Outline the requirements based on the new use cases that cloud and mobile adoption are creating.
- What are you trying to enable employees to do on their devices — access email or access sensitive databases? Segment data so access can be granular.
- Evaluate your use cases and define requirements for your remote workforce.
- The above requirements will inform your device ownership model — which device types will you support, who owns them, and how are they managed?
Connectivity
- Regarding connectivity and cloud applications, determine what you need to know about users, devices, networks and apps before you grant them access to corporate resources.
- Limit users to only the healthcare tools they need. This prevents over-privileged accounts from being exploited to attack a large number of systems.
Define Acceptable Use
- Review your existing acceptable use policies and ensure that mobile is incorporated.
- Implement an acceptable use policy for each appropriate subset of devices to control shadow IT and unwanted usage, enabling your organization to ensure regulatory compliance.
Expand access management policies to incorporate device risk posture
- Implement a user-friendly IAM (Identity and Access Management) solution for authentication to corporate apps on all devices, including mobile.
- Incorporate device risk assessments into your IAM policies to ensure that device risk posture is considered.
- Ensure that risk posture is continuously evaluated for the duration of a session.
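The following is an added example, not code from the report or from Wandera’s product, showing how the three access-management points above fit together with the threat catalog earlier in the report and the “segment data so access can be granular” recommendation. Posture signals are mapped to findings with the report’s high/medium/low grouping, each resource tier states the worst finding it tolerates, and a session re-checks posture on every request so that a device that degrades mid-session loses access. The OS version cut-offs, the resource tiers and the sample postures are assumptions constructed for the example.

```python
"""Device-posture-aware access decisions with continuous session re-evaluation.

Added example (not from the report). Threat names follow the report's
high/medium/low grouping; thresholds and resource tiers are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DevicePosture:
    """Snapshot of signals an endpoint agent would report (fields constructed for the example)."""
    os_version: Tuple[int, int]              # (major, minor) of the mobile OS
    jailbroken: bool = False
    lock_screen_enabled: bool = True
    trust_store_modified: bool = False       # unauthorized third-party root certificates trusted
    sideloaded_apps: int = 0
    third_party_store_installed: bool = False
    malware_detected: bool = False
    ssl_intercepting_network: bool = False   # "risky hotspot": interception with an untrusted cert


# Assumed cut-offs (placeholders, not from the report): below MIN_SUPPORTED_OS is treated as
# the report's "vulnerable OS (high risk)", below MIN_PATCHED_OS as "vulnerable OS (all)".
MIN_SUPPORTED_OS = (13, 0)
MIN_PATCHED_OS = (14, 2)

Finding = Tuple[str, Severity]


def assess_posture(p: DevicePosture) -> List[Finding]:
    """Map raw device signals to named findings using the report's severity grouping."""
    findings: List[Finding] = []
    if p.malware_detected:
        findings.append(("malware", Severity.HIGH))
    if p.trust_store_modified:
        findings.append(("compromised trust store (man-in-the-middle risk)", Severity.HIGH))
    if p.os_version < MIN_SUPPORTED_OS:
        findings.append(("vulnerable OS (high risk)", Severity.HIGH))
    elif p.os_version < MIN_PATCHED_OS:
        findings.append(("vulnerable OS", Severity.MEDIUM))
    if p.jailbroken:
        findings.append(("jailbreak", Severity.MEDIUM))
    if not p.lock_screen_enabled:
        findings.append(("lock screen disabled", Severity.MEDIUM))
    if p.ssl_intercepting_network:
        findings.append(("risky hotspot", Severity.MEDIUM))
    if p.sideloaded_apps:
        findings.append((f"{p.sideloaded_apps} sideloaded app(s)", Severity.MEDIUM))
    if p.third_party_store_installed:
        findings.append(("third-party app store installed", Severity.LOW))
    return findings


def risk_level(findings: List[Finding]) -> Optional[Severity]:
    """Overall device risk is the worst single finding; None means a clean device."""
    return max((sev for _, sev in findings), default=None)


# Granular data segmentation (assumed policy): each resource tier names the worst finding it
# tolerates. Patient records accept only low findings; mail also accepts medium ones.
RESOURCE_TOLERANCE = {
    "email": Severity.MEDIUM,
    "patient_records": Severity.LOW,
}


def decide(resource: str, posture: DevicePosture) -> Tuple[bool, List[str]]:
    """Return (allowed, blocking_findings). Resources without a policy are denied by default."""
    tolerance = RESOURCE_TOLERANCE.get(resource)
    if tolerance is None:
        return False, [f"no policy for resource '{resource}'"]
    blocking = [name for name, sev in assess_posture(posture) if sev > tolerance]
    return (not blocking), blocking


class Session:
    """An authenticated session whose device posture is re-checked for its whole duration."""

    def __init__(self, user: str, resource: str, posture: DevicePosture):
        self.user, self.resource = user, resource
        self.active, self.blocked_by = decide(resource, posture)
        self.history: List[Tuple[bool, List[str]]] = [(self.active, self.blocked_by)]

    def reevaluate(self, posture: DevicePosture) -> bool:
        """Run on each request (or on a timer). Once revoked, the session stays revoked
        until the user re-authenticates, even if the device later looks clean again."""
        if not self.active:
            return False
        self.active, self.blocked_by = decide(self.resource, posture)
        self.history.append((self.active, self.blocked_by))
        return self.active


def demo() -> List[bool]:
    """Constructed scenario: a clinician's tablet starts clean, then joins an SSL-intercepting hotspot."""
    clean = DevicePosture(os_version=(15, 1))
    on_hotspot = DevicePosture(os_version=(15, 1), ssl_intercepting_network=True)
    session = Session("clinician@example.org", "patient_records", clean)
    session.reevaluate(clean)       # still allowed
    session.reevaluate(on_hotspot)  # medium finding exceeds the LOW tolerance: revoked
    session.reevaluate(clean)       # leaving the hotspot does not restore access without re-auth
    return [allowed for allowed, _ in session.history]


if __name__ == "__main__":
    print(demo())  # [True, True, False]
```

The same jailbroken device is denied patient records but still allowed email, which is the granular segmentation the checklist asks for; the default-deny branch in decide() matters in practice because a resource that was never classified is usually the one that leaks.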
Deploy endpoint protection across all devices. A cloud-based security solution is especially important for protecting against the broad spectrum of cyber threats and usage risks.
- Ensure that your security solution has a strong endpoint detection capability and an in-network architecture to prevent attacks before they reach a device.
- Ensure that your security solution can address both external cyber threats (like phishing, man-in-the-middle attacks and malware) and usage behavior risks (sideloaded apps, etc.).
- For all security tools, ensure that appropriate configurations are made to address the threat vectors that are appropriate to your business while respecting the privacy of your end users.
- Evaluate the security solution’s machine-learning capability to understand how the threat engine identifies and protects against new threats.
Deploy a UEM (unified endpoint management) solution for device-level control
- If appropriate, deploy a UEM solution that will enable you to provision devices with corporate resources and undertake ongoing device compliance checks.
Revisit this list often and consider what changes need to be made based on the following:
- Changes in company size and composition, e.g., mergers or acquisitions
- New regulations that affect the way you handle data
- Evolving IT strategy
- Threats that you have seen affecting employees
- New applications employees need to get their jobs done