Healthcare Data records were digitized to help avoid medical issues such as misdiagnoses and mistakes with medication. Still, the EHR (electronic health records) have made it possible for bad actors to access patients’ highly sensitive information.
Cyberattacks on healthcare centers and hospitals are “growing exponentially year after year,” Ellen Neveux posted in secure remote access provider SecureLink’s blog.
“In the black market, healthcare data is important because it includes all of the personally identifiable information of an individual, as opposed to a single marker that can be found in a financial breach,” Neveux said. Often, such attacks see “hundreds of thousands of data exposed or stolen from patients.”
The biggest concerns of healthcare IT professionals are more vital or more frequent cyberattacks. Users are ignoring cybersecurity guidelines, as reported in the 2020 Cyber Threats Report by security software company Netwrix.
According to cybersecurity firm CI Security, the number of recorded healthcare data breaches and compromised records dropped between January and June. Still, cyber-attacks are expected to increase by the end of the year.
This was because CI Security claims that patient medical records “are worth as much as ten times more than a credit card numbers on the Dark Web.” “Healthcare organizations will need more cybersecurity diligence than ever before.”
Big Tech giants role to Safeguard Healthcare Data
Microsoft, Google, and Apple already stepped into the healthcare sector while Facebook is planning to do so.
The Google Cloud services for healthcare and life sciences involve Google’s efforts, signing a 10-year strategic agreement with the Mayo Clinic to store and protect the clinic’s data, and proceeding on an EHR model using machine learning to predict and forecast the health outcomes of patients.
By the end of this month, Microsoft will be releasing the Microsoft Cloud for Healthcare, which will include self-service portals and apps that, among other things, help patients connect directly with healthcare teams.
With health organizations in the United States, such as the American Heart Association and the American Cancer Society, Facebook provides a preventive health service that links individuals to healthcare services and reminders for checkups and vaccinations.
Facebook claimed that information users would be “securely stored and access is limited” to company employees who work on the product or manage its systems.
Ongoing Data Privacy Issues of Tech giants’
In terms of data privacy, Google and Facebook have bad records, both of which have been regularly punished by the European Union for violating privacy laws.
The US Federal Trade Commission charged Google for US$ 22.5 million in 2012 for circumventing the Safari Web browser’s privacy rights to monitor iPad, iPhone, and Mac users on Safari.
Last year, Google and YouTube were fined $170 million by the FTC for breaching child privacy legislation.
Google is currently facing a $5 billion lawsuit in the US for covertly monitoring the Internet’s use by users through browsers set in “private” mode, whether or not they click on advertising that it runs. And though they opt out, the company is already facing a lawsuit over monitoring users in apps.
For Facebook, for breaching user privacy, the FTC slapped it last year with a $5 billion fine and sweeping new privacy restrictions.
For its role in the Cambridge Analytica fiasco, millions of Facebook users’ data was obtained without their permission; the social media site was fined around $650,000 by the UK.
In March, Paul Bischoff wrote on the pro-consumer tech website Comparitech, a database containing 309 million Facebook user IDs, phone numbers, and names were left exposed on the Web for anyone to access without needing a password or other form of authentication. As a download, the information was also posted to a hacker website.
A second server was leaked on the Web later in March, presumably by the same criminal gang. This included 42 million more documents than the first.
To date, Apple and Microsoft have not yet experienced these kinds of problems, but Microsoft published approximately 250 customer care and support information on the Web in January, Bischoff reported.
These included logs of communications between 2005 and December 2019 between Microsoft support agents and customers worldwide. The information was available to anyone with a web browser and, in particular, “may be useful to tech support scammers,” Bischoff said. These scammers also pretend to be Microsoft members and try to speak to victims about allowing their computers to be accessed remotely.
The presence of vulnerabilities in Microsoft’s Azure cloud service was also revealed by Ronen Shustin of cybersecurity company Check Point Research in January.
Shustin said, “Cloud protection is like voodoo.” “The cloud providers and the security they offer are blindly trusted by clients.”
The most common cloud vulnerabilities concentrate on protecting the customer’s applications, not the architecture of the cloud provider itself, Shustin said. “We wanted to refute the hypothesis that cloud infrastructures are secure.”
In July, over 240 domains hosted on Azure were hijacked by bad actors. At the time, a Microsoft spokesman said in a statement by Rhoades Clark from Microsoft’s PR firm WWE-Worldwide, “This was a subdomain takeover, which is a typical industry-wide threat.” Microsoft then gave recommendations on how to keep this from occurring.
Hate and Fear Among Consumers
There is no faith that Facebook will hold to its commitment to protecting privacy.
“As many market watchers know, two separate aspects are what Facebook promises it will do and what Facebook does in reality,” Victoria Rohrer wrote for The Motley Fool, a financial and investment advisory company.
All high-tech businesses say they will eliminate personally identifiable information, but that may be an empty promise, especially if they partner with healthcare institutions.
“Theoretically, from a de-identified data collection, the tech company may not be able to re-identify the patient. But when the tech company already has large amounts of information about just about everybody.
The risk of the person being identified increases” said Marti Arvin, executive advisor at CynergisTek, a healthcare cybersecurity consulting firm.
For instance, Google monitors individuals on their smartphones via smart home devices, smart cars, Google Assistant, likely via their use of Google Voice and Google Fiber, and their online searches.
A newly added feature in Google Assistant allows customized suggestions based on the user’s search history and smart device data for restaurants and recipes.
Jerrold Wang of Lux Research wrote that this “reconfirms the new trend of using customer data to evaluate their demands and drive personal offerings.” Google “can use data gathered from its various collection modes, such as its search engine, wearables, and home devices, to shape the sales of various consumer packaged goods with highly personalized product recommendations.”
In several forms, Facebook tracks users. Facebook will carry in data from Instagram and WhatsApp, both of which it owns, in addition to monitoring them when they click on its advertising or communicate with others on its sites.
The social media giant also has collaborations with several marketing agencies and ad networks, so it is possible to merge activities on other platforms with the Facebook profiles of users. Often monitoring users is the Facebook pixel, which helps websites and online retailers to get information about their visitors.
The WiFi networks users connect to, the type of phone they have, the other applications they have enabled, and everything they do on Facebook’s network are logged by Facebook mobile and other mobile devices.
Google and Facebook generating revenue from advertisements, and “when you build a dispute between doing what’s right makes money, the money typically wins,” said Rob Enderle, principal of The Enderle Group’s business advisory group.
Healthcare data protection is only possible as Group Effort.
Alphabet (Google’s parent company), Amazon, IBM, Oracle, Salesforce, and Microsoft vowed in 2018 to endorse a shared set of principles to facilitate healthcare data exchange across suppliers.
This set of principles, referred to as Quick Healthcare Interoperability Tools (FHIR), describes how, regardless of how processed, healthcare information can be shared between various computer systems.
Ilia Sotnikov, Netwrix’s VP of Product Management, said, “Compliance is also not equal to cybersecurity.” Compliance criteria are often viewed by organizations as a set of checkboxes to fill in.
“Sotnikov noted,” This assists with passing enforcement inspections but does not deal with cyber risk.
“A mutual obligation between the healthcare data facility and the service provider is to protect data in the cloud,” Sotnikov said. “Physical protection and patching will be the responsibility of the cloud provider, but it won’t protect you against threats from social engineering or insider attacks.”
Sotnikov suggests that healthcare organizations invest in additional layers of protection to improve data security, such as:
- Data access control
- User behavior tracking to more easily identify irregularities such as copying bulk files or accessing data without authorization.
- Utilizing employee screening
The cloud helps to reduce hardware and maintenance costs. Still, to make strategic decisions, a team to enforce security processes, and software and policies to do this work, there is always a need for a qualified cybersecurity professional, “Sotnikov said.”
Robert Ackerman, founder and managing director of AllegisCyber, says that private cloud providers’ protection is not up to snuff and suggests encryption.
“Encryption protects against unauthorized access by employees of the cloud provider, but it is not a magic bullet,” said Sotnikov of Netwrix. “If the encryption key is readily accessible to all employees or if it is not properly managed to access the application that runs on top of this data, all encryption efforts are in vain.”
In healthcare data protection, the insider risk is’ too high’ because many ERH programs provide many workers with access to patients’ healthcare data to promptly ensure that patients can promptly get the correct treatment, Sotnikov said. “Security threats often grow when data is over-exposed.”
Techjury, a community of software experts, considers insider danger one of the cybersecurity fields that are often overlooked.
In March, The Healthcare and Human Services Department finalized regulations that would give patients more control over their healthcare records in the US. This does not quite work out the way it was intended, however.
CynergisTek’s Arvin said, “The Information Blocking Rule allows patients more control over access to and exchanging their information, but not more control over the information as it remains with the healthcare data protection organization.”
Supported Attention Required
In terms of HIPAA compliance, there is a broad variance among healthcare data entities, Arvin noted. Often, the human aspect comes into play. “It just takes one person to click on the wrong link.”
Also, hackers are actively creating increasingly sophisticated data access methods, “so it’s a regular challenge for organizations to get ahead of bad actors,” said Arvin. At best, they could even linger.
High-tech firms’ attitude toward privacy problems doesn’t help. For example, the company on Oct. 1 argued in court in the case against Google for monitoring customers on apps without their permission that users have agreed to share their data and have not been affected, reports Law360.
“To deal with big data, tech firms have expertise and technology, but we need regulation, media and public scrutiny to track how this data is used,” Sotnikov said.