The healthcare sector has undergone a digital transformation with the adoption of the Internet of Medical Things, smart devices, information systems, and cloud services. These advancements have digitized healthcare services, making treatment simpler and more accessible. However, internal and external threats have also made the modern healthcare sector a principal target. Data breaches affect patients, stakeholders, organizations, and enterprises, and they remain a persistent problem and challenge for security specialists. Whatever form a breach takes, its effects are largely the same. This paper discusses implementing security countermeasures for Sutter Health, a healthcare organization in California.
Information to Protect
Adopting electronic health records and the other digital platforms organizations use to collect and store information requires implementing security countermeasures. Healthcare organizations must protect electronic and protected health information (PHI) by ensuring data privacy and confidentiality (Isola and Yasir 1-3). PHI is any information a healthcare provider gathers that can identify an individual, including demographic data, medical histories, test and laboratory findings, mental health records, insurance information, and similar data (Isola and Yasir 1-3). It should be accessed only by authorized individuals and shared only with the patient's consent. Failing to follow these procedures and regulations violates the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Impacts of a Security Breach on the Organization
Patient safety risks are the most critical consequence of healthcare data breaches, which can also lead to data theft and to reputational and financial damage. Breaches also carry serious legal ramifications. According to research, in the days and weeks following a data breach, attorneys for affected patients increasingly file multiple, near-identical lawsuits against the breached healthcare organization (McKeon 1-2). Negligence is a common claim in these cases: plaintiffs argue that, given how frequent breaches are in the industry, the organization should have established stricter security measures to prevent one. As most of this litigation shows, suits frequently also allege violations of the HIPAA Breach Notification Rule and state breach notification laws.
Organizations may settle disputes out of court, even when the breach caused no demonstrable harm, to avoid protracted legal proceedings and high defense costs. Legal risk cannot be eliminated: even with the most sophisticated security posture, a healthcare organization may still suffer a data breach and the lawsuits that follow it (McKeon 1-2). However, HIPAA-covered entities and businesses that store health data can better safeguard themselves, protect patients, and minimize the potential effects of a data leak by concentrating on the areas the organization can control and viewing risk holistically.
Potential Attacks the Organization Can Experience
Cybercriminals frequently target the healthcare industry. According to Check Point Research (CPR), healthcare organizations faced an average of 1,426 attacks per week in 2022, a 60% increase over the previous year, and many of the year's most significant attacks targeted healthcare institutions (Kost 2). Ransomware is a frequent and costly risk to healthcare organizations: about one in every 42 healthcare businesses fell victim to a ransomware attack in the third quarter of 2022. The most common cybersecurity threat in healthcare, however, is phishing. Its most typical form is an email that looks innocent but carries a malicious link (Pranggono and Abdullahi 69-70). Phishing emails can appear very convincing and sometimes refer to a well-known medical condition to encourage the recipient to click the link.
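The link-based phishing described above can be caught mechanically by comparing what an email shows the reader with where its links actually go. The following is an added example, not code from this paper or from any of the cited sources: it parses the anchors in an HTML message body and flags display-text/target mismatches, raw IP hosts, non-web schemes, and hosts that imitate a trusted domain. The sample messages are constructed, and `TRUSTED_DOMAINS` is an assumed allowlist of the organization's own domains.

```python
"""Flag phishing-style links in e-mail bodies.

Added example, not code from the paper or any cited vendor. The sample
messages are constructed and TRUSTED_DOMAINS is an assumed allowlist of the
organization's own domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Hypothetical: domains the organization legitimately links to in its own mail.
TRUSTED_DOMAINS = {"example-health.org"}

URL_IN_TEXT = re.compile(r"https?://\S+", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _lookalike(host):
    """Return the trusted domain a host imitates, or None.

    Catches the trusted name embedded in a foreign domain
    (example-health.org.attacker.net) and digit-for-letter swaps (examp1e).
    """
    if _is_trusted(host):
        return None
    folded = host.translate(str.maketrans("10", "lo"))
    for d in sorted(TRUSTED_DOMAINS):
        if d in host or d in folded:
            return d
    return None


def analyse_links(html_body):
    """Return (href, reason) for each suspicious anchor in an HTML body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _host(href)
        scheme = urlparse(href).scheme.lower()
        shown = URL_IN_TEXT.search(text)
        if shown and _host(shown.group(0)) != host:
            # The text displays one address while the link opens another.
            findings.append((href, f"display text shows {_host(shown.group(0))} but link goes to {host or href}"))
        elif scheme not in ("http", "https"):
            findings.append((href, f"non-web scheme {scheme or '(none)'}"))
        elif _is_ip(host):
            findings.append((href, "raw IP address instead of a hostname"))
        elif _lookalike(host):
            findings.append((href, f"lookalike of trusted domain {_lookalike(host)}"))
    return findings


# Constructed sample messages.
SAMPLE_BENIGN = ('<p>Your lab results are ready in the '
                 '<a href="https://portal.example-health.org/results">patient portal</a>.</p>')
SAMPLE_PHISH = ('<p>Urgent: action required on your recent COVID-19 test. Review at '
                '<a href="http://198.51.100.23/login">https://portal.example-health.org/results</a> '
                'or <a href="https://examp1e-health.org.secure-verify.net/">verify your account</a>.</p>')

if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("phish", SAMPLE_PHISH)):
        print(name, analyse_links(body))
```

The order of the checks matters: a link whose visible text is itself a URL is judged on the mismatch first, because that is the strongest signal regardless of where the real target points. The lookalike check is deliberately crude (embedded trusted name, `1`/`l` and `0`/`o` swaps); a production filter would add punycode decoding and a broader confusable table.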
Data breaches are also a threat; compared with other sectors, healthcare experiences a disproportionately high number of them. In 2020 the healthcare industry averaged 1.76 data breaches every day (Kost 5). HIPAA sets stringent rules for preventing unauthorized access to sensitive information such as health records, yet many health organizations struggle to implement the required security controls, leaving holes that serve as entry points for cybercriminals (Pranggono and Abdullahi 69-70). A distributed denial-of-service (DDoS) attack is another threat: it floods a targeted server with bogus connection requests to take it offline, and it is coordinated across many endpoints and IoT devices that have been forcibly recruited into a botnet through malware infection (Implementing Security Countermeasures).
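The botnet pattern in the DDoS description above, many sources each sending a modest number of bogus connection requests, is what makes per-source rate limits insufficient on their own. The following is an added example, not code from this paper or any cited source, of a sliding-window detector over a firewall-style connection log: it flags any single source that exceeds a per-source limit, and separately flags a window in which the total request count is high while being spread over many distinct sources. The log lines are constructed, and the line format, window length and thresholds are assumptions.

```python
"""Spot SYN floods in a connection log, single-source and distributed.

Added example, not code from the paper or any cited source. The log lines
are constructed; the line format, window and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) flags=(\S+)$")
WINDOW_S = 10        # sliding window in seconds
PER_SRC_LIMIT = 20   # SYNs one source may send per window before it is flagged
TOTAL_LIMIT = 100    # SYNs per window, all sources, before the server is "flooded"
MIN_SOURCES = 25     # distinct sources in a flooded window to call it distributed


def parse(line):
    """Return (timestamp, src, dst, flags) or None for a malformed line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def detect_floods(lines):
    """Walk the log once with a sliding window over SYN records.

    Returns {"noisy_sources": set of IPs that exceeded PER_SRC_LIMIT,
             "first_distributed_at": timestamp of the first window with more
             than TOTAL_LIMIT SYNs spread over at least MIN_SOURCES sources,
             or None}.
    """
    window = deque()            # (ts, src) of SYNs inside the window
    per_src = defaultdict(int)  # SYN count per source inside the window
    noisy = set()
    first_distributed = None
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != "S":
            continue          # only half-open connection attempts matter here
        ts, src = rec[0], rec[1]
        window.append((ts, src))
        per_src[src] += 1
        # Evict records older than the window (the newest record always stays).
        while (ts - window[0][0]).total_seconds() > WINDOW_S:
            _, old_src = window.popleft()
            per_src[old_src] -= 1
            if per_src[old_src] == 0:
                del per_src[old_src]
        if per_src[src] > PER_SRC_LIMIT:
            noisy.add(src)
        # Many sources each below the per-source limit is the botnet pattern.
        if (first_distributed is None and len(window) > TOTAL_LIMIT
                and len(per_src) >= MIN_SOURCES):
            first_distributed = ts
    return {"noisy_sources": noisy, "first_distributed_at": first_distributed}


def build_sample_log():
    """Constructed log: quiet baseline, one chatty host, then a distributed burst."""
    def stamp(s):
        return f"2024-03-01T10:00:{s:02d}Z"

    lines = []
    for s in range(10):  # baseline: three hosts, one SYN per second each
        for h in ("10.0.1.10", "10.0.1.11", "10.0.1.12"):
            lines.append(f"{stamp(s)} src={h} dst=10.0.0.8:443 flags=S")
    # one source sends 30 SYNs in a single second
    lines += [f"{stamp(12)} src=203.0.113.9 dst=10.0.0.8:443 flags=S"] * 30
    # 40 bot-like sources send three SYNs each, all under the per-source limit
    for i in range(1, 41):
        lines += [f"{stamp(20)} src=198.51.100.{i} dst=10.0.0.8:443 flags=S"] * 3
    lines.append(f"{stamp(21)} src=10.0.1.10 dst=10.0.0.8:443 flags=A")  # ACK, ignored
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))
```

On the constructed log the single chatty host is reported as a noisy source, while none of the forty bot-like sources is, because each stays under the per-source limit; the burst is only visible as a distributed flood at the aggregate level, which is the point of keeping both checks.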
Countermeasures
Along with adhering to HIPAA requirements and local medical regulations, healthcare organizations can draw on the framework for improving critical infrastructure cybersecurity that the National Institute of Standards and Technology (NIST) created in response to requests from the American Hospital Association and other healthcare-related organizations for enterprise network risk management. Building on the NIST Cybersecurity Framework (NIST CSF), HHS established the Health Industry Cybersecurity Practices (HICP) for the healthcare sector, which outline the cybersecurity threats the sector faces and the mitigation strategies it should employ (Mavis 8). One of these strategies is adopting endpoint protection solutions that support operational security through operation lock, USB device lock, data lock, and configuration settings lock, which can safeguard the intricate and numerous endpoints in healthcare operations.
A second countermeasure is asset management through inspection, scanning, and clean-up solutions such as Trend Micro Portable Security 3 Pro (TMPS3), which reduce the probability of malicious code being introduced into a system. Such a solution also generates comprehensive details about the scanned assets, which helps identify security threats (Mavis 9-11).
Thirdly, a healthcare organization can adopt network management solutions such as intrusion prevention systems (IPS) that control client connections and content transmission between the equipment on the network, ensuring that no unauthorized device can establish a connection or transmit content (Mavis 12-14). Together, these strategies address the main data security issues affecting healthcare organizations.
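The endpoint locks described earlier in this section and the IPS rule that no unauthorized device may connect or transmit both come down to the same mechanism: an inventory of known devices and a policy of what each may do. The following is an added example, not code from this paper or from TXOne, of that admission logic: a flow is blocked if its source is not in the inventory, if a known device appears on a network segment it does not belong to, or if it reaches a destination its role does not permit. The inventory, roles, VLANs, addresses and sample flows are all constructed assumptions.

```python
"""Device admission and per-role traffic policy of the kind an IPS or NAC enforces.

Added example, not code from the paper or TXOne. The inventory, roles,
VLANs, addresses and sample flows are all constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    role: str   # e.g. "infusion_pump", "workstation"
    vlan: int   # network segment the device is expected to live on


@dataclass(frozen=True)
class Flow:
    mac: str
    vlan: int
    dst_ip: str
    dst_port: int


# Hypothetical asset inventory: only listed MACs may connect at all.
INVENTORY = {
    "00:1a:2b:3c:4d:01": Device("00:1a:2b:3c:4d:01", "infusion_pump", 30),
    "00:1a:2b:3c:4d:02": Device("00:1a:2b:3c:4d:02", "workstation", 10),
}

# Hypothetical per-role policy: (destination, port) pairs each role may reach.
ROLE_POLICY = {
    "infusion_pump": {("10.30.0.5", 443)},                       # its management server only
    "workstation": {("10.10.0.20", 443), ("10.10.0.21", 3389)},  # EHR front end, jump host
}


def decide(flow):
    """Return (verdict, reason); verdict is "allow" or "block"."""
    dev = INVENTORY.get(flow.mac.lower())
    if dev is None:
        return "block", "device not in inventory"
    if flow.vlan != dev.vlan:
        # A known MAC on the wrong segment is a spoofing or misplacement signal.
        return "block", f"{dev.role} seen on VLAN {flow.vlan}, expected VLAN {dev.vlan}"
    if (flow.dst_ip, flow.dst_port) not in ROLE_POLICY[dev.role]:
        return "block", f"{dev.role} may not reach {flow.dst_ip}:{flow.dst_port}"
    return "allow", f"{dev.role} matches inventory and role policy"


def evaluate(flows):
    """Apply decide() to a batch of flows; returns [(flow, verdict, reason)]."""
    return [(f, *decide(f)) for f in flows]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("00:1a:2b:3c:4d:01", 30, "10.30.0.5", 443),    # pump -> its server: allow
    Flow("00:1a:2b:3c:4d:01", 30, "10.10.0.21", 3389),  # pump -> RDP jump host: block
    Flow("00:1A:2B:3C:4D:02", 30, "10.10.0.20", 443),   # workstation on pump VLAN: block
    Flow("de:ad:be:ef:00:01", 10, "10.10.0.20", 443),   # unknown device: block
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate(SAMPLE_FLOWS):
        print(f"{flow.mac} -> {flow.dst_ip}:{flow.dst_port}: {verdict} ({reason})")
```

The policy is default-deny: anything not explicitly in the inventory and the role table is blocked, which is what makes the "no unauthorized device can establish a connection" guarantee hold. A MAC address is an identity claim rather than proof, so a real deployment would pair this with 802.1X or certificate-based device authentication; the VLAN consistency check here is a cheap partial substitute that catches a known address turning up where it should not.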
Works Cited
Isola, Sasank, and Yasir Al Khalili. “Protected Health Information.” StatPearls [Internet]. StatPearls Publishing, (2022): 1-3.
Kost, Edward. "Biggest Cyber Threats in Healthcare (Updated for 2022)." UpGuard, 9 Nov. 2022, pp. 2-7. www.upguard.com/biggest-cyber-threats-in-healthcare.
Mavis. "Potential Threats to Healthcare Ecosystems." TXOne Networks, 7 Oct. 2022, pp. 8-14. www.txone.com/potential-threats-to-healthcare-ecosystems/.
McKeon, Jill. "Key Ways to Manage the Legal Risks of a Healthcare Data Breach." Health IT Security, 13 Oct. 2022, pp. 1-2. healthitsecurity.com/features/key-ways-to-manage-the-legal-risks-of-a-healthcare-data-breach#.
Pranggono, Bernardi, and Abdullahi Arabo. “COVID‐19 pandemic cybersecurity issues.” Internet Technology Letters 4.2 (2021): e69-70.