No industry or sector is immune to hacking. That reality was made painfully clear in mid-May, when
a cyberattacker using WannaCry ransomware crippled health care institutions and many other kinds
of organizations around the world. In 2015 over 113 million Americans’ health records were exposed,
and in 2016 the number was over 16 million, according to reports submitted to the U.S. Department of
Health and Human Services’ Office for Civil Rights. At the beginning of 2017 Experian predicted that
the health care sector would be the most heavily targeted vertical industry. A March 2017 report from
the Identity Theft Resource Center indicated that more than 25% of all data breaches were related to
health care. The estimated loss to the industry is $5.6 billion per year. These stats should be a
wake-up call for the entire industry.
COPYRIGHT © 2017 HARVARD BUSINESS SCHOOL PUBLISHING CORPORATION. ALL RIGHTS RESERVED. 2
There are three reasons health care is the source of so much stolen data right now. First, health care
data can be monetized. For instance, cybercriminals can use medical data to sell fake identities,
construct synthetic identities, and enable someone to conduct medical identity theft. If that doesn’t
work, they can use the stolen information for traditional identity theft, since medical information
tends to include enough information to allow a criminal to open a credit card, bank account, or loan
in the victim’s name. If neither of those works, cybercriminals can use ransomware to extort health
care organizations to pay them money to regain access to compromised systems and data.
Second, health care organizations have been slow to adopt practices that have worked for other
industries. Most health care portals, for example, don’t have strong multifactor authentication. Many
medical personnel are unaware of the risks to data security (which is ironic given the strong emphasis
on patient privacy). And health care organizations tend to have smaller security budgets and teams
than financial services organizations.
Finally, as other industries have become more sophisticated in detecting and blocking cyberattacks,
criminals have had to find new sources of data. Aside from the fact that health care institutions
collectively hold information on the vast majority of the population, their IT systems also have links
to financial services (e.g., flexible spending accounts with their own debit cards or health savings
accounts that can have five-figure balances after two to three years).
Given that most transactions in the health care sector are conducted through vulnerable hardware
and software, it’s critical for providers and payers to strengthen their cybersecurity. For an example
of how to proceed, they can look to the financial services industry, where some of the most well-
known examples of cyberattacks in the last decade have occurred. This turmoil led to huge
operational shifts in the financial services sector, where there’s more focus than ever on consumer
education, industry information sharing, and stronger forms of authentication, among other things.
Here are some specific recommendations, which are based on our collective expertise in care
delivery, health systems, financial regulation, and risk management.
Update HIPAA. Like the PCI DSS rules for debit and credit card security, the HIPAA Security Rule and
the HIPAA Privacy Rule are already well-known frameworks for defining how a health care
organization should secure its people, systems, data, and equipment. These established methods of
approaching health care security would merely need to be updated to cover new forms of
cyberattacks and new tactics employed by cybercriminals.
Take stock of basic housekeeping. Care providers should apply strong encryption to all patient data
and limit who has permission to access medical charts. In addition, organizations should monitor
searches and downloads from their IT systems by tracking exfiltrated data such as large batch files of
patient, research, financial, or other sensitive data.
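The monitoring described above, as an added example that is not part of the article: a small detector run over constructed EHR audit-log lines (the log format, user names and the 1,000-records-per-hour threshold are all assumptions made for this illustration) that flags users whose bulk exports within a sliding window look like a batch exfiltration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not from any real EHR system).
SAMPLE_LOG = """\
2017-05-12T08:01:10 user=nurse_a action=view records=1 source=charts
2017-05-12T08:05:00 user=analyst_b action=export records=400 source=patients
2017-05-12T08:09:30 user=analyst_b action=export records=450 source=research
2017-05-12T08:15:05 user=analyst_b action=export records=300 source=billing
2017-05-12T09:40:00 user=clerk_c action=export records=900 source=patients
2017-05-12T13:00:00 user=clerk_c action=export records=200 source=patients
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"records=(?P<records>\d+) source=(?P<source>\S+)$")

def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["records"] = int(d["records"])
            events.append(d)
    return events

def flag_bulk_exports(events, max_records=1000, window=timedelta(hours=1)):
    """Return {user: peak} for users whose exported record count inside any
    sliding window of `window` exceeds max_records (thresholds are constructed)."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "export":
            per_user[e["user"]].append((e["ts"], e["records"]))
    flagged = {}
    for user, exports in per_user.items():
        exports.sort()
        start, total = 0, 0
        for ts, n in exports:
            total += n
            while ts - exports[start][0] > window:   # slide window forward
                total -= exports[start][1]
                start += 1
            if total > max_records:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged
```

With the sample log, analyst_b's three exports total 1,150 records in ten minutes and are flagged, while clerk_c's two exports fall in separate hours and are not.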
Purchase insurance. Many financial services organizations have cyber insurance, and health care
systems should get it, too. Since this is a relatively nascent kind of insurance, most leaders of health
care organizations and boards of directors may not be aware that it exists. Significant open questions
about it remain, including who should pay for such policies and whether it should protect the
institution, the patient, or both. At the moment, the institutions themselves are paying, and this
likely will not change in the foreseeable future.
Require training for personnel. Human error, including falling for phishing attacks, is the leading
cause of major security breaches today. Health care systems should regularly remind people of the
importance of information security best practices through required training, strategic reminders, and
other means.
Protect supply chains. Hospitals and health care systems have diversified supply chains and massive
lists of vendors with whom they digitally interface. They are a tempting way for cybercriminals to
gain access to health care organizations’ IT systems. Consequently, care providers must understand
the many moving parts that are involved and protect their relationships and information exchanges
with and among those groups. Third-party vendors can help assess such risks and recommend ways
to minimize them.
Share industry best practices regarding cybersecurity. The FS-ISAC has made life easier and safer for
the financial services sector by enabling peer financial institutions to share information rapidly and
directly. Similar groups, such as the NH-ISAC, can serve as starting points for expanding similar types
of discussions and planning.
Deploy strong authentication. Health care systems should use multifactor authentication or other
types of consumer security that are already ubiquitous in the U.S. financial services arena. Most U.S.
consumers are already familiar with this type of technology and won’t need to be significantly
reeducated (a challenge the financial services sector had to deal with a decade ago).
Adopt “tokenization.” This approach, which involves substituting sensitive data with other unique
but nonsensitive data, has been in vogue in the credit card world for the past few years. It is a suitable
way to protect data in situations in which a consumer (i.e., a patient) is involved in some type of card-
based transaction. This might involve using a flexible spending reimbursement card or paying a
health care–related bill online.
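An added illustration of the tokenization idea described above, written for this edit rather than taken from the article or from any card-network or vendor product: a minimal vault swaps a card number for a random token of the same shape, a simulated patient-portal bill payment stores only the token, and only the vault can reverse it. The class, the flow and the sample card numbers are constructed.

```python
import secrets

class TokenVault:
    """Minimal tokenization vault (added illustration, not a vendor product).
    A sensitive value such as a card PAN or insurance member ID is swapped for
    a random token of the same shape; only the vault can map it back."""

    def __init__(self):
        self._to_token = {}   # sensitive value -> token
        self._to_value = {}   # token -> sensitive value

    def tokenize(self, value):
        """Return the existing token for value, or mint a new one."""
        if not (value.isdigit() and len(value) >= 8):
            raise ValueError("expected a numeric identifier of 8+ digits")
        if value in self._to_token:
            return self._to_token[value]
        while True:
            # Keep the last four digits so receipts still reconcile; every other
            # digit comes from a CSPRNG, so the token carries no information.
            body = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
            token = body + value[-4:]
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        """Only the vault (behind its own access controls) reverses a token."""
        return self._to_value[token]

def online_bill_payment(vault, pan):
    """Simulated patient-portal flow: the portal database stores only the token,
    and the payment step detokenizes inside the vault boundary."""
    portal_record = {"card": vault.tokenize(pan), "amount_usd": 125.00}
    charged = vault.detokenize(portal_record["card"])     # inside vault boundary
    return portal_record, charged == pan
```

A breach of the portal database then yields tokens that are useless outside the vault and can be revoked there, which is the property the paragraph is after.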
Copy the chip card approach. The U.S. consumer first encountered chip cards in a significant way in
early 2015, when card issuers began to widely distribute them. Much of this was done in the run-up to
a shift in who was liable for fraud. U.S. consumers are now intimately familiar with how to use such
cards. (The cards have been in use for many years in France, the UK, Canada, Australia, and
elsewhere.) Public and private payers are discussing the merits of issuing chip cards to beneficiaries
to expedite patient identification and eligibility verification.
Experiment with blockchain. The technology can record transactions between two parties efficiently
and in a verifiable and permanent way. It is being used in financial services as well as other areas. For
instance, after Estonia suffered a significant cyberbreach in 2007, the country became more
aggressive about protecting its society and is now using blockchain to protect its citizens’ medical
data. A number of blockchain-based identity-credentialing systems exist, including Guardtime,
TruCred, Civic, and OneName.
Consider biometric-based security. Biometrics are increasingly being embraced as the ultimate “bio-
identifier.” Start-ups such as Simprints and RightPatient are testing its value as a verification feature
for electronic medical records. Perhaps the most ambitious application of biometrics is the Indian
government’s Aadhaar project, which has created 12-digit unique identity numbers based on
biometric and demographic information (e.g., iris scans, digital fingerprints, and a digital photo) for
nearly all of the country’s 1.2 billion citizens. But underlining the sad reality that no system is totally
safe, this new system has already faced difficulties: Last month, the Centre for Internet and Society
reported that 130 million Aadhaar numbers and around 100 million bank numbers of beneficiaries
have been leaked online.
The great boon of the digital era has been that patients’ medical data is becoming increasingly
portable. This promises to make it vastly easier to collect and share data from all the players in health
care in the years ahead. But, unfortunately, it also poses major cybersecurity risks.
In this new world, protecting patients’ health information in accordance with HIPAA will take a
highly coordinated effort among care providers, insurers, and institutions, as well as significant
investments in new tools and practices. It also will require health care institutions to look at the cyber
risks across their business, not simply in one niche area (e.g., access to patient records). In the risk
management world, that is known as taking a holistic approach.
The health care sector needs to adopt lessons from industries, such as financial services, that are
much more advanced in their ability to thwart cyberattacks. Given how badly health care
organizations are lagging others, they must make boosting cybersecurity a priority.
Rebecca Weintraub, MD, is an assistant professor at Harvard Medical School, managing director at the Draper Richards
Kaplan Foundation, and an associate physician at Brigham and Women’s Hospital.
Joram Borenstein is vice president of marketing and partnerships at NICE Actimize and is an expert in financial crime,
anti-fraud, consumer-identity and payments protection, risk management, IT audit, and compliance.
Copyright 2017 Harvard Business Publishing. All Rights Reserved. Additional restrictions
may apply including the use of this content as assigned course material. Please consult your
institution's librarian about any restrictions that might apply under the license with your
institution. For more information and teaching resources from Harvard Business Publishing
including Harvard Business School Cases, eLearning products, and business simulations
please visit hbsp.harvard.edu.