HIPAA Compliance: 5 Healthcare Cyber Security Vulnerabilities

Published on: 06 Jul 2022

5 Healthcare Cyber Security Vulnerabilities

The world of healthcare has gone digital. Records can now be transferred anywhere they are needed, from hospital to hospital, or directly to a patient's email inbox. While the digitization of healthcare records is extremely convenient, it is now equally dangerous: sensitive protected health information (PHI) is exposed to a wide range of cyber threats and vulnerabilities. To address this growing concern, Congress passed HIPAA and the US Department of Health and Human Services (HHS) issued its Privacy and Security Rules, which are designed to protect the security and privacy of patient data. With that regulation in place, let us see how it affects the digital operations of the healthcare industry. In this article we take a look at the five biggest cyber security threats to the healthcare system.

Wearable Technology

Wearable health technology is a great way for patients to monitor their vitals without going into a doctor's office. Wearables typically pair with a phone over Bluetooth and fall into the Internet of Things (IoT) niche: devices that connect to, or sync with, the internet to extend what they can do.

The problem with IoT devices is that they can serve as an easy point of entry for attackers. The data a wearable itself collects, though often sensitive, is not always protected by HIPAA. That depends less on what was collected than on who holds it: readings that a hospital or its business associate receives and stores are PHI, while the same readings held by a consumer device vendor generally are not. However, even a relatively benign wearable such as a Fitbit can become a path into larger systems that do hold HIPAA-protected information, because it syncs through a phone app and a cloud account that may also be signed in to a patient portal or connected to a clinical network. Poorly secured IoT devices such as smart thermostats have been used as a foothold from which attackers reached the rest of an organization's network.

Wearables are becoming safer as users come to understand the risks and as manufacturers work to address them. Patients and healthcare workers should still be aware of the problems they can create.

Mobile Clinics

Mobile health clinics are a great way for healthcare providers to bring their services directly to the wider public. They are particularly valuable for communities that would otherwise have no easy access to healthcare. While not inherently dangerous, they can be more vulnerable to cyber security threats than hospitals, both because the public can get physically close to their equipment and because they may have to rely on Wi-Fi networks that are neither secured nor under their control.

Remote Patient Access

Remote patient access to digital health records lets people view their information at any time from their phones. This is convenient, but it also exposes data that used to live only inside the hospital. Patient-portal apps offered by covered entities must meet HIPAA's Security Rule, which means the data is expected to be encrypted in transit and at rest and protected by access controls. The data still faces threats, though: a phone is far more likely than a hospital workstation to join an untrusted Wi-Fi network, where anyone on the same network can intercept or tamper with traffic that is not properly encrypted, or impersonate the portal if the app does not verify the server's certificate.
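As an added example (not code from the original article or any real portal app), here is what "encrypted and protected" concretely requires of a patient-portal mobile client on an untrusted Wi-Fi network. It puts the common shortcut of disabling certificate validation beside a hardened TLS client configuration, audits both, and adds a certificate-pinning check so that even a mis-issued but "valid" certificate presented by someone on the same network is refused. The host name, the pin set and the DER bytes are constructed placeholders.

```python
"""Added example: TLS client hygiene for a patient-portal app on hostile Wi-Fi.
PORTAL_HOST, SHIPPED_PINS and SAMPLE_CERT_DER are constructed placeholders."""
import hashlib
import socket
import ssl

PORTAL_HOST = "portal.example-hospital.invalid"   # placeholder, not a real portal
PORTAL_PORT = 443


def weak_client_context() -> ssl.SSLContext:
    """The shortcut seen in apps that 'fix' certificate errors by turning off
    validation. On a hostile Wi-Fi network anyone who can answer DNS or ARP for
    the portal's name can present any certificate and read the PHI in clear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What the client should use on every network: system trust store,
    mandatory chain validation, hostname check, and TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings a reviewer would raise against a TLS client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: any trusted certificate is accepted for the portal")
    return findings


def certificate_pin(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex encoded. Pinning the whole
    certificate (rather than its public key) is the simplest form and is what
    a client can compute directly from getpeercert(binary_form=True)."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, expected_pins: set[str]) -> bool:
    """True only if the presented certificate is one the app shipped with.
    Shipping more than one pin allows certificate rotation without an outage."""
    return certificate_pin(cert_der) in expected_pins


def connect_pinned(host: str, port: int, expected_pins: set[str]) -> ssl.SSLSocket:
    """Open a TLS connection with the hardened context and refuse to send any
    request unless the server's certificate matches a shipped pin.
    Needs network access, so it is not exercised offline; shown for the shape of the check."""
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake, chain and hostname validation
    presented = tls.getpeercert(binary_form=True)
    if not pin_matches(presented, expected_pins):
        tls.close()
        raise ssl.SSLError("certificate pin mismatch for %s" % host)
    return tls


# Constructed stand-in for a DER certificate (real DER starts with 0x30, a SEQUENCE tag).
SAMPLE_CERT_DER = bytes.fromhex("3082010a0282010100") + b"example-portal-cert"
SHIPPED_PINS = {certificate_pin(SAMPLE_CERT_DER)}

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no findings")
    print("pin ok:", pin_matches(SAMPLE_CERT_DER, SHIPPED_PINS))
    print("pin ok after tamper:", pin_matches(SAMPLE_CERT_DER + b"x", SHIPPED_PINS))
```

The audit deliberately checks the two settings that decide whether an on-path attacker on the Wi-Fi can impersonate the portal at all; TLS on its own does nothing if the client accepts any certificate. Pinning is the extra layer for when the attacker can obtain a certificate that chains to a trusted CA, at the cost of having to ship a new pin before the portal's certificate is rotated.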

Inadequate Staff Training

Digital records can also be compromised through incomplete staff training. Doctors, nurses and other hospital staff with access to private records may not be aware of the risks that are specific to digital records. Without proper training it is easy to make simple mistakes, such as opening a phishing email, that result in significant system intrusions. The Marriott breach is a case in point: attackers gained a foothold in the Starwood reservation systems in 2014 and stayed there undetected until 2018. Marriott's public disclosures did not confirm the initial entry point, but the lesson holds: one compromised workstation or account, if nobody notices, gives an intruder years of access. Good training, and a habit of promptly reporting suspicious messages, can keep the same thing from happening to hospitals.

Outdated Tech

Finally, outdated software and security systems are an easy point of entry for attackers. Hospitals can reduce this risk by patching and updating their systems regularly, and by engaging a cyber security analyst. Large organizations may keep analysts on staff at all times, while smaller ones can hire them on a contract basis. The analyst examines systems for vulnerabilities using the same methods an attacker would (penetration testing) and then makes recommendations. Small issues, such as a firewall whose rules or firmware need updating, can usually be fixed on the spot, while bigger problems are brought to management's attention for remediation.

Good hospital leadership can address most of these concerns. Cyber security isn't just about software; it is a culture that starts with management and is followed by everyone down the hierarchy within the organization. Hospital leadership can help keep patient records secure by making cyber security a priority.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.