Epidemiological approach may help to combat healthcare cybercrimes

What we don’t see about cybersecurity can hurt us in more ways than just our wallet. While retail cybersecurity may be the more visible cybercrime, more attention should be paid to the risks to healthcare data, according to a perspective piece published in the July 31 issue of the New England Journal of Medicine.

Not only have 94 percent of healthcare institutions been victims of cyberattacks, but the cost per lost record is also the highest in healthcare settings, costing institutions and patients billions, wrote Eric D. Perakslis, PhD, of Harvard Medical School in Boston.

Hospitals, clinics and other providers were targeted aggressively and specifically; 72 percent of attacks on the healthcare industry involved doctors and hospitals over provider organizations, pharmaceutical companies and health plans. A real danger to patients exists when medical devices and infrastructure are attacked, not to mention what loss of personal health information can do both to a physician’s ability to care for his or her patient and to the patient’s privacy.

But how does an institution fight back?

According to Perakslis, medical professionals already may have the answer.

“Just as public health strategies have been developed to detect and track emerging epidemics, identify population risks and vulnerabilities, and prevent or ameliorate adverse effects, analogous approaches can be used to improve cybersecurity in health care delivery organizations,” Perakslis wrote. The suggested three-step strategy included active, real-time monitoring and communication of threats; modeling risks and vulnerabilities to the system; and creating effective regulation for devices that does not create new problems. Perakslis further suggested a forum to help set regulations for privacy and data security built on reports from the Institute of Medicine.

With the vulnerabilities and risks inherent in the loss or breach of healthcare data, ensuring patients’ safety – and the safety of their data – is critical. Where best to do that isn’t always clear, whether through upgrading technology, physical security measures, training or a combined approach. An active understanding of the threats, risks and vulnerabilities could provide healthcare providers with a way to get ahead of the threat by playing a game they already know, treating cybercrime as they would any other communicable disease.

“Although we cannot predict exactly what an adversary will do, we can take control of our own environments, and we must watch potential adversaries closely,” Perakslis wrote. “The threats of cyberattack are clear and present in health care. It is time to organize, convene, and focus in a way that truly protects our patients, providers, and institutions.”