The Equifax incursion that exposed the personal information of 143 million Americans makes clear the security vulnerabilities of some of the nation’s biggest financial and healthcare institutions, says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission.

In the past 18 months there has been a record number of healthcare data breaches and cyberattacks. As of June 30, there had been 228 separate healthcare industry data breach incidents on top of the 450 cyberattacks healthcare organizations of all kinds were hit with in 2016, says patient privacy analytics developer Protenus Inc., which also tracks healthcare data breach incidents.

For the first six months of the year, 3.2 million electronic medical records were impacted by a cyberattack. That compares with 27 million electronic patient medical records breached in 2016, Protenus says. Healthcare data breaches are occurring at the rate of 1.2 incidents daily.

Lee Barrett

Massive data breaches are happening much more frequently. The Equifax incursion that exposed the personal information of 143 million Americans makes clear the security vulnerabilities of some of the nation’s biggest financial and healthcare institutions, says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission and a member of the U.S. Department of Health and Human Services Cybersecurity Task Force.

Here’s Barrett’s take on the current state of cybersecurity in healthcare and why data breaches and attacks continue to happen at an alarming rate—and what the industry needs to do about it.

What can the healthcare industry learn from the Equifax breach and other cyberattacks like the ones that affected the U.S. Securities and Exchange Commission and accounting firm Deloitte?

The Equifax breach impacted more than 143 million Americans as a trove of information was breached. It’s no surprise that two out of three Americans are affected by a breach or cyberattack. That’s an increase from one in three Americans in years past. In 2017 alone, the top three health data breaches have impacted 1.5 million people. The Office for Civil Rights has reported a record number of HIPAA settlements and fines this year as well. These headline-making data breaches are a vivid reminder that it’s clearly not a matter of if a breach can happen but when.

Hospitals and healthcare systems now need to keep their focus on strategies and tactics to mitigate risk and ensure business continuity once a cyberattack occurs. Today’s cybercriminal has evolved into a dangerous entity, capable of bringing an organization’s enterprise and business operation to a halt, compounded by long-term financial and reputational hardships—the WannaCry and Petya ransomware attacks from earlier this year are clear examples of the impact this can have on healthcare. On average, it costs a healthcare organization more than $2.2 million and its business associates more than $1 million for a data breach. Is it worth risking that by taking an “it-can’t-happen-to-us” attitude?

What can healthcare organizations do to adjust to the continuously shifting cybercrime landscape and reduce their risks of becoming another statistic on the U.S. Department of Health & Human Services website due to breach or attack?

Protecting patient data should be a top priority for all healthcare stakeholders. Every organization handling protected health information needs to conduct a risk assessment and asset inventory of their organization and map the data flow within their enterprise in order to determine their risk in the event of a breach or cyberattack. Hospitals and healthcare systems need to build security frameworks and risk-sharing into their infrastructure by implementing risk mitigation strategies, preparedness planning, as well as adhering to the regulations created by the Office of the National Coordinator for Health IT and the National Institute of Standards and Technology.

But it’s not just the security of internal systems that is of concern in this increasingly interconnected healthcare ecosystem. The security and information technology risk management protocols of business associates and other vendors and partners must also be ready for the potential negative consequences of an incident, breach or attack, as their risk mitigation preparedness can impact a health system’s operations. The failure to do so can bring devastating consequences. At a bare minimum, a system should have sufficient rigor and meet industry standards for adhering to HIPAA requirements, mitigating cybersecurity risks, and assuring that all portal and exchange connection points are secured.

As we look ahead to 2018, what areas should healthcare leaders take a hard look at in terms of enhancing their cybersecurity frameworks?

The Internet of Things (IoT) has undoubtedly helped healthcare organizations deliver high-quality, more patient-centric and affordable care. However, by introducing these various internet-connected devices into a healthcare environment, you’ve exponentially increased the level of connection points, which in turn raises the level of exposure and heightens risk of compromise or breach. As a result, hospitals and healthcare systems need to evaluate their medical devices and bring-your-own-device protocols within their security frameworks, as they present a whole set of data security challenges.

Cybercriminals can strike when hospital employees, through their cell phones or tablets, connect into an electronic medical records system, informatics or data exchange, unintentionally or intentionally infecting the hospital’s enterprise infrastructure with malware. In fact, more than one million healthcare apps are developed worldwide on an annual basis. Unfortunately, only a small percentage of those new applications go through a security-type review before being launched to the consumer or other stakeholder.

Finally, think of the impact a cybercriminal could have if they were to control medical devices. Last year, Johnson & Johnson warned patients about potential hacking risks to their insulin pumps. And just recently, we learned of a security risk in a Boston Scientific medical device that communicates with implanted pacemakers and defibrillators. These are real instances of medical devices being compromised by the ever-evolving cybercriminal. Our industry needs to make protecting these devices and the patients they serve a priority in 2018. The Federal Drug Administration has recently developed some medical device guidelines, which are a start, but we still have a significant delta to continue to develop further policies, procedures, controls and industry guidance.
