by Bryan Paul, Vice President IT & Information Security Officer
Last week, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the FBI issued a warning of "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." The joint alert serves as a crucial reminder to the healthcare sector that a significant effort to protect patients' personal data and operating systems is imperative.
Cybercriminals work to exploit known vulnerabilities in healthcare systems and technology either for personal gain, malicious objectives, or indirect crime-related activities. Cyberattacks can have consequences beyond financial loss and breach of privacy in the healthcare sector. Just last month, Universal Health Services (UHS), one of the largest US health systems, confirmed a malware cyberattack had affected all of its U.S. care sites and hospitals, leading clinicians into EHR downtime procedures, diverted ambulances, and delayed lab test results. It took two weeks for the organization to fully restore its IT systems.
Organizations, in the healthcare sector specifically, are forced to face various threats ranging from simple e-mail scams to full identity theft and ransomware attacks. Attackers can compromise the security of an organization within a few seconds or minutes. However, it often takes weeks if not months before the breach is detected, the damage is mitigated, and defensive measures are employed to prevent another attack from occurring. By taking strict security measures, engaging multi-layer protection, and being alert and aware, hospital systems can avert cyber intrusion and crimes.
Cyberattacks such as the UHS breach can easily cost the healthcare industry millions every year. According to IBM Security’s 2020 data breach cost report, the average data breach costs healthcare organizations approximately $7.13 million, an increase of 10% from last year. There are many different types of cybersecurity attacks – some are more costly to the healthcare industry than others. The below includes a summary of the major and more costly attacks affecting the healthcare industry today.
- Ransomware: Cybercriminals use malware and ransomware to shut down or render individual devices, servers, or possibly entire networks. In most cases, a ransom is then demanded to provide a reversal of the encryption or lock.
- Cloud Threats: An increasing amount of protected health information is now stored within cloud technology. Without proper controls and encryption, along with protection audits, this can be a weak spot for the security of healthcare organizations.
- DDoS Attacks: Distributed denial of service (DDoS) attacks are a popular tactic and technique used by cybercriminals to overwhelm a network or “flood” to the point of causing the target inoperable. This is a serious issue for healthcare providers that need access to network facilities to provide proper patient care, as access to the internet to send and receive emails, prescriptions, records, and information requires an available network.
- Insider/Employee Threat: Employees can play a role in a healthcare organization’s susceptibility to attack through weak passwords, unencrypted devices, and other failures of compliance. While an insider may be simply careless, others purposely cause destruction with intent.
- Email and Fraud Scams: This strategy sends out mass amounts of emails from seemingly reputable sources to trick individuals into initiating money transfers or to obtain sensitive information.
Strategies for Improving the Security Posture
With the increasing negative financial impact of data breaches on healthcare, organizations need a dedicated focus on the current and future state of their IT/Security posture to ensure that best cybersecurity practices are implemented and remain relevant. These strategies include:
- Establish and/or enhance a security culture: Ongoing security training and education that recognizes that every single person in your organization has an effect on the company and is responsible for protecting patient data.
- Protect mobile devices: An increasing number of healthcare providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that all information on these devices is secure.
- Maintain good computer habits: New employee orientation must include training on computer use and general security practices.
- Use a firewall: Anything connected to the internet should have a firewall.
- Install and maintain anti-virus software: Continuous anti-virus updates are required to ensure healthcare systems receive the most up to date protection.
- Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data to accomplish their role within the company.
- Protect files and devices: Use strong passwords with mandatory change intervals (90 days min).
- Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas especially when not in use or during off-hours.
- Update, update, and update: Every technology team knows that any security policy is always to keep operating systems and applications up-to-date and patched, thus continuous updates are essential.
- Back-up and validate your backups: Ensure offsite backups are maintained and do not only rely on the fact of having them, instead make periodic restoration testing mandatory.
Healthcare cybersecurity is a growing concern. Over the last few years, IT security assaults have continued to rise steadily. With continued network expansion involving a variety of different systems and devices, healthcare organizations are inherently more vulnerable to attacks.
To prevent costly data breaches and protect against network attacks, there are many tactics and technologies healthcare organizations can employ including the development of effective policies, procedures, and security awareness training programs to buoy a hospital's internal defense. But with cybersecurity, your work is never done. There’s no time for complacency as cybercriminals are always working to dismantle and upend security systems across the globe.
To learn how PatientMatters combats security risk for our partner hospitals and health systems across the country, go here.
