Cybersecurity in Healthcare Industries

The medical world is becoming increasingly interconnected as more and more IoT devices are used in patient care deliveries. In this blog post, I will talk about IoMT devices, the healthcare cybersecurity threats, and ways to mitigate them.


Have you ever envisioned a world where, as a patient, you wouldn't have to travel hundreds of miles to make an appointment with a doctor? And as a physician, have you ever imagined a scenario in which you could determine whether your patients are taking their medications as prescribed without having to question them closely or even communicate with them? If so, be happy because this is the current state of the medical world.

Internet of Medical Things

The Internet of Medical Things (IoMT) is a subclass of the Internet of Things (IoT) technology. It is a collection of internet-connected devices, hardware systems, and software used in healthcare institutions. IoMT devices enable medical data to be sent or collected over a wireless network, reducing the need for patients to visit the hospital frequently. They are classified into wearable, in-home, and in-hospital IoMT devices.

Wearable IoMT devices are IoMT devices that can be implanted, ingested, or worn on the body. They are divided into consumer health wearables and clinical-grade wearables. Consumer health wearables are personal fitness tracking devices used by individuals to track health metrics such as temperature, heart rate, and glucose level; a smartwatch is one example. Clinical-grade wearables are regulated by health authorities and are used on doctors' advice to help manage chronic health conditions. These devices include pacemakers, ingestible sensors, and smart belts for fall detection and hip protection.

In-home IoMT devices are remote patient monitoring devices used at home to transmit patients' medical data to their physicians. These devices detect events such as heart attacks so that patients can ask for help and emergency care, and they also remind patients to take their medications. They are commonly used by newly discharged patients.

In-hospital IoMT devices are internet-connected devices used in the hospital. These devices range from electronic record systems to asset monitors and medical devices like the MRI machine.

Impact of a cyber attack on a healthcare institution

The healthcare industry is one of the most targeted industries by cyber attackers because of the large amount of data they store and process. And with the increasing use of IoMT devices, the attack surface of the healthcare industry has increased, making room for more sophisticated cyberattacks.

The Threat Intelligence Index shows an increase in cyberattacks on the healthcare industry. According to the index, healthcare was the sixth-most attacked industry in 2021, up from seventh place the previous year. The healthcare industry also experienced more ransomware attacks than other industries, and the attack vectors used against it were mostly phishing and vulnerability exploitation. This report is a wake-up call to the healthcare industry about the importance of cybersecurity.

A breach of any of the cybersecurity principles (confidentiality, integrity, and availability) will significantly impact a healthcare institution. It can damage the organization's reputation and lead to financial loss, death, and legal action.

One of the ethics of the medical profession is that healthcare workers and institutions must protect the confidentiality of the information provided by their patients. Disclosure of patients' data to unauthorized persons, whether through a cyberattack or through negligence by a healthcare worker, can therefore land the healthcare institution in a lawsuit.

Legal frameworks also govern medical practice. Examples are the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA and the HITECH Act work together to address the use and disclosure of patients' data, also known as protected health information (PHI), that is collected, stored, or transferred electronically. A costly fine will be imposed on a health institution if there is a data breach, especially if the breach occurred due to noncompliance.

HIPAA has a rule that any data breach affecting the PHI of 500 or more individuals will be published and listed in a database commonly known as the "wall of shame." An organization whose name appears on the wall of shame may suffer reputational damage.

The healthcare industry is very particular about the integrity of information because of the harmful effects of an unauthorized modification. For example, if a patient's medical test results were altered by a cybercrime actor, the physician might prescribe the wrong medication, which could lead to the patient's death. An attack on some IoMT devices can be equally devastating: if a vulnerability in a pacemaker in use were discovered and exploited by an attacker, the result could be life-threatening.

The healthcare industry is data-centric: most of the operations of healthcare workers require the use of patients' data. In a ransomware attack, in which patients' data are locked or encrypted by a threat actor, health workers will be unable to access patient information and carry out their duties effectively.

Ways to mitigate these cyber threats

1. Conducting security awareness training

Security awareness training is an essential step in mitigating cyber threats. Medical directors should develop a security culture in their organizations by educating their employees about the industry's cyber threats and how to protect against them. Cybersecurity awareness training should not be confined to IT personnel but should include top management and other departments, and it should be tailored to each job role.

Staff will most likely not welcome the idea of security awareness training with open arms, especially if they have to halt their work to take it. The trainer should show them how these threats affect them as individuals; this may get their attention. The training should also be interactive, which will make it less intrusive.

Security awareness training is more effective when conducted frequently; if possible, it should be performed monthly.

2. Investing in secure mechanisms

Secure mechanisms are tools and techniques for implementing security services. They include cryptography, access control mechanisms, firewalls, and so on. Medical directors should invest in secure mechanisms, as this will help them prevent, detect, and respond to cyberattacks early enough. They should also invest in tools that reduce the security burden on staff. Password managers, for example, eliminate the need to memorize many passwords and have the potential to prevent a phishing attack.

3. Using trusted and secure IoMT devices and information systems

Healthcare institutions should be mindful of the IoMT devices they adopt. They should ensure that each device is safe and patched regularly, and IoMT manufacturers should fix any vulnerability as soon as it is discovered. Computer systems, software, and other information systems used in healthcare institutions should also be updated regularly.

4. Creating security policies

Healthcare institutions should have security policies relevant to their organization to help enforce good security practices. Some examples of these policies are:

  • Password Policy: This ensures that the workers maintain good password hygiene.
  • Clear Desk and Clear Screen Policy: This ensures that workers don't leave sensitive documents on their desks or leave their computer systems unattended.
  • Access Control Policy: This policy defines how access to specific resources or physical locations is managed.

These policies must be reviewed at specified intervals.