Healthcare data is increasingly under attack. In October alone there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, resulting in the exposure of some 71,377 records.
To understand how best to counter these threats, we’ll take a look at some recent breaches, review key best practices, and explore the rise of Artificial Intelligence as a cyber remedy.
A review of some of the biggest breaches of 2017 helps give a sense of the size and scope of the threat facing healthcare enterprises across the digital landscape.
Henry Ford Health System notified patients that a hacker had gotten into its system this fall and may have viewed and stolen data on some 18,470 patients. It started with the theft of email credentials from a group of employees. Hackers could have used those credentials to get into employee email accounts that contained patient health data.
Fayetteville-based Arkansas Oral Facial Surgery Center saw a potential breach impacting some 128,000 patients. In this ransomware attack, a virus was used to lock up X-ray images, files, and documents.
Augusta University Medical Center and Augusta University got hit by a phishing attack that gave hackers access to email accounts and may have allowed access to patient data.
These cases are just the tip of the iceberg, but they are representative of both the variety and severity of cyberattacks being launched on healthcare organizations nationwide. How can a health enterprise protect itself?
The Health Care Compliance Association offers a rundown of best practices for healthcare organizations looking to protect employee and patient records in a hostile cyber environment. These include:
- Establish a security culture driven by education and training. Ensure managers set a good example of cyber hygiene for others. Make security a core value.
- Protect mobile devices, which can be a weak link in the security structure. Put in place strong authentication and access controls, and harden the wireless networks of laptops and other mobile devices.
- Keep systems in top condition. Routinely uninstall non-essential software; review the default settings on new installations and adjust as needed; disable remote file sharing and printing.
In addition, the association urges healthcare organizations to make certain cybersecurity measures a part of their standard operating procedure. This includes the use of firewalls, a rigorous password-protection policy, and strict control around access to sensitive information.
In addition to such fundamental measures, IT leaders also should be keeping a watchful eye on developments in Artificial Intelligence (AI). There’s a growing body of evidence that suggests AI may soon emerge as a powerful tool in the cyber toolkit, especially for those charged with safeguarding highly sensitive data around patient health and privacy.
The AI evolution
Machine learning is reshaping our ability to respond to cyber threats at computer speed. As a result, healthcare CIOs and CISOs should recognize that AI has the ability to enhance technology’s identification of malicious activity and attackers, and to protect systems and data, experts say.
Within an antivirus or advanced firewall system, for instance, AI can assess user behavior and pick up on abnormal patterns which may be signs of infection or attack. AI can be trained to automatically quarantine such activity, and can also automatically identify and remediate potential vulnerabilities.
Driven by such powerful capabilities, cybersecurity “may be among the most well adopted applications in artificial intelligence in enterprise. Artificial intelligence seems to be the way into the future of cybersecurity and can serve without a doubt,” said Daniel Nigrin, MD, Senior Vice President and CIO at Boston Children’s Hospital.
How might that look in practice? Nigrin describes a scenario in which a celebrity checks into the hospital and suddenly 500 doctors and nurses are peeking into the electronic health records system. “AI-based guidelines are considered to detect those kinds of anomalous behaviors and alert us to them. We’re definitely starting to see the tools evolve and improve using these sorts of technologies,” he said.
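To make the access-spike scenario above concrete, here is an added example (not code from the hospital or from any product mentioned in this article). It uses a plain statistical baseline rather than a trained model, and the `date,user,record` audit-log format, the thresholds, and every identifier in the sample data are assumptions.

```python
from collections import defaultdict
from statistics import median

def distinct_accessors(lines):
    """Map (date, record) -> set of user ids that opened the record that day."""
    seen = defaultdict(set)
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not all(parts):
            continue  # skip malformed rows rather than guess their meaning
        date, user, record = parts
        seen[(date, record)].add(user)
    return seen

def flag_spikes(lines, factor=5.0, min_users=10):
    """Flag record-days whose distinct-accessor count far exceeds the norm.

    The baseline is the median over all record-days, so a newly admitted
    patient with no access history is still compared against typical usage,
    and the spike itself barely moves the baseline.
    """
    seen = distinct_accessors(lines)
    if not seen:
        return []
    counts = {key: len(users) for key, users in seen.items()}
    baseline = median(counts.values())
    threshold = max(min_users, factor * baseline)
    return sorted((d, r, n) for (d, r), n in counts.items() if n >= threshold)

def build_sample_log():
    """Constructed audit log; record numbers and user ids are invented."""
    lines = []
    # Seven ordinary days: each record is opened by its three-person care team.
    for day in range(1, 8):
        for rec in ("MRN-1001", "MRN-1002", "MRN-1003"):
            for u in range(3):
                lines.append(f"2017-11-{day:02d},team-{rec}-{u},{rec}")
    # Day 8: a newly admitted patient's record is opened by 40 accounts.
    for u in range(40):
        lines.append(f"2017-11-08,staff-{u:03d},MRN-2000")
    # One clinician reopening a chart 25 times is a single distinct accessor.
    lines += ["2017-11-08,team-MRN-1001-0,MRN-1001"] * 25
    lines.append("garbage row")  # malformed input is ignored
    return lines

if __name__ == "__main__":
    for date, record, n in flag_spikes(build_sample_log()):
        print(f"{date} {record}: {n} distinct accounts opened this record")
```

Counting distinct accounts per record, rather than raw access events, keeps a single busy clinician from triggering the alert while still surfacing many-users-one-chart behavior.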
In fact, AI has potential applications across the healthcare enterprise. Aetna for instance recently used it to introduce a new security system for its mobile apps that does away with password requirements, suggesting possible uses for machine learning that extend beyond the immediate employee base.
While the basic block and tackle of security remains largely unchanged—strong passwords, good firewalls, and so on—the fast-evolving nature of the threat calls for more serious defenses. In healthcare, where security and privacy concerns are ever at the forefront, the rise of AI offers a potentially powerful new means for IT leaders to address the rising cyber threats.