HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

HHS identifies healthcare’s most urgent cyber threats

Written by Caitlin Anthoney | Oct 28, 2024 1:34:41 PM

During the recent Safeguarding Health Information: Building Assurance through HIPAA Security conference, the HHS urged healthcare organizations to use advanced security measures to address ransomware threats, legacy systems, medical device risks, and data breaches.

 

Major cybersecurity threats in healthcare 

Ransomware attacks

According to HHS Cyber Security Operations Cyber Threat Intelligence Branch Chief Rahul Gaitonde, “Healthcare providers are prime targets for ransomware due to the critical nature of their services and the sensitivity of patient data.”

Moreover, when healthcare providers are targeted, the repercussions can be catastrophic, compromising the privacy and security of patient data and interrupting healthcare operations.

 

Legacy systems

Another urgent issue presented at the conference was the reliance on legacy systems. "Many healthcare institutions rely on outdated software and systems creating security vulnerabilities," Gaitonde explained.

Hackers prefer these outdated systems because they are usually less secure, as evidenced by the WannaCry attack in 2017. The attackers exploited weaknesses in the UK's National Health Service, causing $4 billion in losses and disrupting patient care.

 

Medical device risks

Connected medical devices such as pacemakers and insulin pumps improve patient care. However, these devices also create "unique security challenges" with the “life-threatening potential [of] security flaws.”

As an example, Gaitonde mentioned the 2017 pacemaker vulnerabilities case, which led to the recall of over 465,000 devices.

 

Data breaches

Data breaches are among the great challenges healthcare organizations confront, and these breaches have severe consequences, including identity theft and compromised patient care.

Even with strict regulations like the Health Insurance Portability and Accountability Act (HIPAA), these breaches continue to occur, compromising patients’ protected health information (PHI).

 

How healthcare providers can improve their cybersecurity

  • Identify vulnerabilities and legacy systems within the organization.
  • Upgrade legacy systems with firewalls, encryption, and intrusion detection systems.
  • Use secure communication platforms, like Paubox, which protects PHI during transmission and storage.
  • Regularly update medical devices with security patches.
  • Create organizational guidelines for data protection and incident response.
  • Create a culture of security awareness among employees. 
  • Train staff for better threat detection and response.
  • Continuously monitor security threats.
  • Stay informed about emerging threats and adjust security protocols accordingly.

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

 

How does email encryption improve cybersecurity?

Encryption converts email content into a secure format only authorized recipients can access. Ultimately, it prevents unauthorized PHI disclosure that leads to costly data breaches and costly HIPAA fines.

 

Can healthcare providers securely send PHI without learning new software?

Yes, providers can integrate a platform like Paubox with existing email systems such as Google Workspace or Microsoft Outlook. Paubox automatically encrypts emails and does not require recipients to use portals or keys. So, providers can use regular emails without compromising patient privacy or violating HIPAA regulations.

Learn more: HIPAA Compliant Email: The Definitive Guide