A report from Security Evaluators has concluded that when it comes to healthcare, digital security efforts are focused on the wrong areas.
The researchers say healthcare organizations concentrate almost exclusively on the protection of patient health records, and rarely address threats to patient health from a cyber-security perspective.
The report notes, “We find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself…. Defending patient health and patient records is not one-in-the-same, and placing the focus on records harshly ignores the patient health aspect. So long as this is the mission of the industry, it is unlikely that patients’ health will be adequately protected in the healthcare ecosystem.”
The research also finds that healthcare security protection is not keeping pace with the growing sophistication of the threats, saying,
“The industry is aware and speaks to organized crime and nation state adversaries, but underestimates their sophistication and motivation. The strategies aim to curtail blanket, untargeted (i.e., indiscriminate) attacks to obtain patient healthcare records, and ignores the motivations and strategies that would be employed if targeting patient health or specific victims’ health records.”
It adds, “These motivations and scenarios are highlighted in red in the above table. As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered.”
The report includes a number of recommendations for hospitals and the healthcare security industry, as well as a blueprint for a step-by-step security action plan for healthcare organizations.
Download the Hacking Hospitals report