IBM’s ‘Cost of a Data Breach Report 2021’ found that for the 11th year in a row, the healthcare sector had the highest average cost of a breach compared to other industries. The average cost of a healthcare breach was a startling US$9.23 million in 2021. The financial sector was the next costliest, but at US$5.72 million it stands at 38 per cent less than healthcare. The need for healthcare organisations to secure their data is clear, but the emergence of telehealth presents challenges.
The pandemic caused a significant increase in the use of telehealth, and it remains a popular option for many people. In the UAE, a recent YouGov poll found that over half of respondents would now consider using telehealth, suggesting that its popularity is still growing. This makes sense given that cardiovascular disease remains the number one cause of death and disability in the UAE and is an area where telehealth can provide particularly valuable support for patients.
While telemedicine offers tremendous benefits to both patients and providers, it also creates many overlooked cybersecurity and privacy concerns. Therefore, it is crucial to have a good understanding of the risks.
Why is telehealth a potential cybersecurity threat?
Healthcare has always been one of the main targets for attackers for multiple reasons. Healthcare providers manage incredibly sensitive patient data that is worth a lot of money on the dark web. A 2019 Trustwave report found that a healthcare data record may be valued at up to US$250 per record on the black market, compared to US$5.40 for the next highest value record (a payment card). Unfortunately, there is a lot of money to be made from stealing health-related data which is what fuels this activity.
Attackers also know very well that many health organisations will pay large ransoms because they simply cannot afford network downtime, which can have life-and-death consequences.
The pandemic has only made healthcare an even bigger target. With many healthcare organisations still overwhelmed by the surge in patient numbers, IT and cybersecurity inevitably sit lower on the priority list than patient care. Attackers know this and are ready to strike when their victims are most stretched.
Telemedicine is a riskier form of care from a security perspective than more traditional methods, mainly because it is still relatively new. Organisations and healthcare providers are trying to formulate best practices quickly, but there is a steep learning curve ahead of them, and attackers can exploit the gaps that remain while those practices are still immature.
The practical difficulties of decentralised security
The biggest problem with telemedicine is that it decentralises the hospital network. As new devices and applications are used on hospital premises, in the cloud, and now in patients' homes, attackers have more potential entry points.
On top of this, patients use their own devices to access hospital resources and communicate with healthcare professionals. This equipment is often unmanaged and poorly secured, and hospitals lack the visibility and control needed to manage and secure it effectively.
Healthcare providers, including health IT staff but also CEOs and boards, play a crucial role in combating cyber-attacks. Part of the solution comes down to basics: establishing visibility, ensuring good cyber hygiene, prioritising asset management, and having solid remediation plans for when issues arise.
Beyond that, clinicians need to be part of the cybersecurity conversation as well. Maintaining a secure remote healthcare environment is not just the responsibility of health IT teams; frontline staff also need to follow safe security practices.
Medical device manufacturers
Medical Internet of Things devices are a huge part of telehealth. The persistent problem with IoT, however, is that devices are often rushed to market by vendors eager to capture revenue, with security treated as an afterthought, and that has consequences.
When an attacker compromises one Internet of Medical Things device, they can use it as a foothold to move laterally through the network, potentially reaching highly sensitive medical information. That is why it is crucial that healthcare providers vet the medical devices they purchase, segment those devices from clinical and administrative systems so that a single compromised device cannot reach everything, and have health IT teams monitor for traffic that departs from what each device legitimately needs.
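The kind of monitoring the previous paragraph calls for can be reduced to a simple rule: a medical device should only ever talk to the handful of servers it was deployed to talk to. The following is an added example (not code from the article or from any vendor it mentions) that applies that rule to constructed flow records. The IoMT subnet, the allowed gateway and NTP addresses, the probing threshold and the sample flows are all assumed values chosen for illustration; a real deployment would take them from the asset inventory and the flow collector.

```python
import ipaddress
from collections import defaultdict

# Hypothetical asset inventory (assumed values): the subnet that holds medical
# IoT devices and the only destinations those devices legitimately need.
IOMT_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = {
    ("10.10.1.5", 443),   # telehealth gateway (assumed address)
    ("10.10.1.20", 123),  # NTP server (assumed address)
}
# Number of distinct unexpected internal hosts a single device may contact
# before we treat the pattern as probing rather than a one-off misconfiguration.
SCAN_THRESHOLD = 3

# Constructed sample flow records, not real logs.
# Format: "timestamp src dst dport proto"
SAMPLE_FLOWS = """\
2021-11-02T09:00:01Z 10.20.0.17 10.10.1.5 443 tcp
2021-11-02T09:00:05Z 10.20.0.17 10.10.1.20 123 udp
2021-11-02T09:01:10Z 10.20.0.42 10.10.1.5 443 tcp
2021-11-02T09:02:00Z 10.20.0.42 10.30.2.11 445 tcp
2021-11-02T09:02:01Z 10.20.0.42 10.30.2.12 445 tcp
2021-11-02T09:02:02Z 10.20.0.42 10.30.2.13 3389 tcp
2021-11-02T09:03:00Z 10.30.2.11 10.10.1.5 443 tcp
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def find_violations(lines, iomt_subnet=IOMT_SUBNET,
                    allowed=ALLOWED_DESTINATIONS, scan_threshold=SCAN_THRESHOLD):
    """Return alerts for medical-device traffic that leaves its allow-list.

    Two alert types are produced:
      policy_violation - one per flow from an IoMT device to a (dst, port)
                         pair that is not on its allow-list.
      lateral_probe    - one per device that contacted at least
                         scan_threshold distinct unexpected hosts.
    Flows that do not originate inside the IoMT subnet are ignored; this
    example polices only what the devices themselves initiate.
    """
    alerts = []
    unexpected_targets = defaultdict(set)

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        flow = parse_flow(raw)
        if flow["src"] not in iomt_subnet:
            continue
        if (str(flow["dst"]), flow["dport"]) in allowed:
            continue
        src, dst = str(flow["src"]), str(flow["dst"])
        unexpected_targets[src].add(dst)
        alerts.append({
            "type": "policy_violation",
            "ts": flow["ts"],
            "src": src,
            "dst": dst,
            "dport": flow["dport"],
        })

    for src, targets in unexpected_targets.items():
        if len(targets) >= scan_threshold:
            alerts.append({
                "type": "lateral_probe",
                "src": src,
                "targets": sorted(targets),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

In the constructed sample, device 10.20.0.17 only talks to the gateway and the NTP server and raises nothing, while 10.20.0.42 first behaves normally and then reaches for SMB and RDP on three hosts in another subnet, which yields three policy violations plus one lateral-probe alert. The allow-list approach works precisely because medical devices have a small, fixed set of legitimate peers; the same rule applied to a clinician's laptop would be far noisier.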
Going forward, there should be greater requirements and regulations mandating that medical device manufacturers design their products with cybersecurity in mind. Security should be built into the development process. In addition, manufacturers of these devices must be aware of potential supply chain vulnerabilities and take steps to mitigate the risks.
There are small but important things patients can do to make telemedicine safer, such as keeping their devices up to date, using multi-factor authentication, and learning basic cybersecurity hygiene. The open question is how to encourage patients to do this and take responsibility. Like clinicians, patients are on the front line and need to be brought into these conversations.
Telehealth is here to stay, but it must be secure
The pandemic has highlighted the prospects for telemedicine and has transformed healthcare. Given the enormous benefits, telemedicine is expected to remain a permanent feature of the healthcare system. However, while it is still in its infancy, it is important to establish and embed best practices now to protect hospitals and patients in the future.