Increasingly, the healthcare industry is intensifying its focus on data security, as attacks from hackers looking to obtain or exploit data have grown more fierce and frequent. In fact, for 12 consecutive years, healthcare has had the highest average data breach cost of any industry, according to IBM Security’s annual Cost of a Data Breach 2022 Report.[1] From March 2021 to March 2022, the average cost of a healthcare data breach topped $10 million, a 41.6 percent increase since IBM’s 2020 report.
Not surprisingly, 95 percent of the criminals attacking healthcare entities have a financial motive, with 58 percent of breaches involving personal data and 46 percent of those involving medical data, according to the Verizon 2022 Data Breach Investigations Report.[2]
Cybercrime in general has undergone the same market revolution of Internet selling and e-commerce as legitimate industries. Today’s cybercriminals use online marketplaces on the Dark Web.[3] There, they seek out other criminals to buy or sell data and services that support any of the steps necessary for penetrating and “crawling” a business’s network, stealing information or deploying ransomware. On the Dark Web, criminals can rent or buy network access through infected machines or through credentials stolen in a successful phishing attack. Many ransomware programs are available on the Dark Web “as a Service,” with the attacker sharing a percentage with the service provider. Even Denial of Service attacks are available “as a service,” some for as little as $30 a week.[4] Criminal talent can be found in the same way anyone might look for a contractor.
Criminals have become specialized – some concentrate on penetrating networks, while others specialize in selling data and still others are experts at impersonating identities. As a result, criminals do not need to acquire deep technical knowledge of all the systems they want to compromise. On the Dark Web, criminal “entrepreneurs” just need cash to invest in the necessary tools and talents available through the marketplaces, while “freelance engineers” can focus on offering one specific nefarious activity and “software vendors” can offer different types of malware as a service.
Add to all this the high value of healthcare data, and the risk becomes apparent. Medical records can sell for more than $250 each on the Dark Web, while credit card numbers sell for just a little over $5 each and Social Security numbers for less than $1 each, according to cybersecurity firm Trustwave.[5] While credit card information loses value once the card reaches its limit or is canceled, personal health information can provide longer-term criminal opportunities for identity theft, fraud or “ransoms” against the targeted health systems.
There are two distinct ways data is vulnerable – when it is residing on a hard drive or system, and when it is in transit between devices or systems. Addressing the risks to vulnerable data often requires multiple measures, spanning technologies and processes, from user authentication and authorization, to system authentication, to data encryption. When deploying a product on their IT infrastructure, hospitals can refer to manufacturer-provided documents such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2), software bills of materials (SBOMs), hardening guides and other security guidance to determine which security features the product provides and which security measures the manufacturer expects the hospital to take for an optimally secure deployment.
Data can be particularly vulnerable when it is in transit, as evidenced by “man in the middle” attacks, where criminals hijack an online conversation and eavesdrop, or make the parties involved believe they are communicating with each other, when in reality the criminal is intercepting the messages and controlling the conversation. This type of scenario, combined with the increased need for data to move between devices and systems to support clinical care, means that end-to-end data encryption is more necessary than ever.
Encryption occurs when data is converted into an encoded and unreadable format in order to make the information inaccessible without a decryption key. Data appears unreadable to a person or entity accessing it without the key. Encryption helps protect patient health information when it is transmitted from one system to another (data in transit) or when being stored (data at rest).
Benefits of encryption include:
Medical device data encryption, in particular, helps ensure that information collected by (or with) devices at a patient’s bedside, such as monitors, ventilators or critical care anesthesia machines, can be securely transmitted downstream to acute-care central monitoring stations, EMRs (electronic medical records), or other systems where the data can be integrated to support clinical decision-making. Ideally, the systems receiving and retransmitting the patient data will also have encryption capabilities to protect the data end to end along its journey.
Additionally, end-to-end encryption can help address the U.S. Food and Drug Administration’s (FDA’s) recently updated draft guidance around medical device security, which states: “With the increasing integration of wireless, Internet- and network-connected capabilities, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device related health information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important.”[6]
Philips Capsule has been an advocate for data security for more than a decade by providing medical data encryption with its Neuron connectivity hub at the patient’s bedside.
Now, with the Medical Device Information Platform (MDIP) 2022-2 release, Philips Capsule introduces MDIP Secure Communications, a set of features that brings even more robust support for end-to-end encryption for data in transit. Using best-in-class industry standards, these features include secure outbound connections to HL7 consumers*, secure connections for user authentication, and secure connections to medical devices.**
Contact your Philips Capsule representative to learn more about the enhanced data encryption and security features in MDIP Secure Communications, available in Philips Capsule MDIP 2022-2, and how it can amplify your facility’s existing security footprint.
* HL7 consumer systems must also support encryption.
** Medical devices must support encryption. Secure connection feature is available for network connected medical devices.
Christopher Cage is the Product Manager working on Product Management Platform & Integration at Philips Capsule.
Christophe Dore is the Product Security Officer of Philips Capsule.