The past twelve months have been a strange time of evolving demands on global healthcare services, as well as staggering transformations in the digital sphere. In many hospitals, these two topics overlap, as healthcare organizations are increasingly targeted in online attacks.
Healthcare workers don’t have time to digest information about cybersecurity and password practices. But each day threat actors bang at their digital doors, on a hunt for the sensitive information locked away in hospital files, including confidential data that can be exploited and sold to other hackers.
Even if healthcare administrators are savvy to the need for a cybersecurity update, many hospitals are hesitant to engage with a complete security overhaul because the potential for disruption of services is too big. Similarly, once administrators are ready to budget for such an expansion of security, it’s hard to know where to invest first.
New threats are uncovered every day as we understand more about why exactly healthcare organizations are targets for digital warfare. Here, we delve into the top four reasons why this may be the case and provide a few key remedies for organizations to enact as soon as possible.
It should come as no surprise that hospitals store an incredible amount of confidential patient data, from health records to insurance details. Much of this personal data can, once stolen, be sold easily. Personal information goes for a high price on the dark web, as nefarious actors seek to break into other accounts, access credit cards, and commit identity theft.
Because healthcare organizations are such gold mines of personal information, they are hotly targeted. Their internal practices come under the scrutiny of players of several different persuasions. Everyone—from the deep web to the national government—seems to have noticed the target, and the need for hospitals to lock down their patient information as soon as possible.
Healthcare organizations have a duty to protect their patients’ personal records, for legal as well as ethical reasons. Government-authorized guidelines like HIPAA (the Health Insurance Portability and Accountability Act, established in 1996) exist not only to protect individuals’ Private Health Information (PHI), but also to enforce these protections with hefty fines in the case of noncompliance.
Financial penalties can also come in illegal forms, like data ransoms. If organizations have data stolen, the threat actors often demand the company pay a large amount to recover it. In an industry that is already strapped for everything from salaries to PPE, these are situations that must be prevented.
2. Too Many Windows: With Remote Access Comes Great Responsibility
Healthcare workers around the world would agree that their industry is a collaborative one. Hospital department teams are often cohesive units of people who rely heavily on each other to provide care to patients. Doctors, nurses, and specialists who need to access patient information are often required to work from multiple devices in their work environment, as well as from home. Even for a small team, the easiest way for all members to access a single server with specialized medical software is remote desktop protocol.
In practice, this means many different people connecting remotely from many locations, including communal areas.
While remote access from many devices can expedite care, it has a downside. The more devices connect to a network, the more possible entry points there are. If a hacker gets access to any device that has remote access to the network, not only can they access sensitive information, but they can corrupt the whole system and leave an entire organization defenseless.
3. Staying Out of the Way: Healthcare Workers Are Loath to Disrupt Convenient Systems
It may have taken a pandemic for us to truly appreciate the front-line work that the healthcare force takes on. Hospital staff are some of the busiest and hardest-working employees in the nation and often are overstretched by hours and patient needs.
This means that they do not have the time or faculties to be diligently studying up on online security processes within the industry. Medical professionals need efficient, clean, responsive technological systems that cater to their many needs.
The lack of time and resources means that healthcare workers may not be fully trained on contemporary best cybersecurity practices. Convenience-based habits like password and account sharing, and password reuse, are rife within healthcare organizations, and digital security corners are often cut due to the need for speed.
Even when staff members are well-educated about best practices, it’s important to remember we are all still human and make plenty of mistakes.
4. Big or Small, Danger for All: Every Healthcare Organization is at Risk
Let’s be clear: all healthcare organizations are at risk from online threats.
Of course, large enterprises, with many patients and employees, hold the most data – so they represent the biggest jackpot. But smaller organizations have smaller security budgets and are more likely to run older, weaker technological systems. That makes smaller enterprises look like easier targets to bad actors.
Once hackers have some personal data stolen from a small healthcare organization, they can then use it as a foot in the door to a large organization.
As the healthcare industry is a target, cybersecurity experts are also working to protect us from the many resulting types of cyberattacks. Common attack methods include email-based phishing scams, malware attacks (including ransomware and trojan horses), brute force and dictionary attacks, and even AI-based attacks.
Fortunately, despite the wide variety of attack types, there are several accessible ways you can protect your company. The solutions below can help defend against multiple attack methods.
Before anything, talk to healthcare workers and keep their needs in mind: namely efficiency, and a seamless transition to increased security with minimal impact on working practices. Consider this when discussing changes in software and policy, like the ones suggested below, and find solutions that fit your situation well.
1. Set aside a budget! Ideally, something that can grow. Plan to invest in systems that fit your organization and can scale up or down with the growth you may experience.
2. Investigate and comply not only with HIPAA, but with NIST guidelines. Not only are these data-based resources for policy changes that the administration can reference and use to guide them, but they are structured to provide suggestions for varying types and sizes of organizations.
3. Screen for compromised credentials with a password filter or software, like Enzoic, that plugs seamlessly into Active Directory, so that the employee experience isn’t altered. Screening for compromised credentials can alleviate the daily pressure on an organization’s security team by checking employee account data against a blacklist of exposed passwords.
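To make the screening step concrete, here is an added example (not Enzoic’s product code, and not an actual AD password filter) of the two checks such a filter performs: rejecting a newly chosen password that appears in an exposure list, and periodically re-screening stored account hashes. The exposed-password list and the account records are constructed for the example; the prefix/suffix split mimics the k-anonymity range lookup that breach-check services use, so the full hash never leaves the host.

```python
"""Compromised-credential screening against an exposed-password list.
Added example; the EXPOSED_PASSWORDS corpus and ACCOUNTS are constructed."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (a real one has billions of entries).
EXPOSED_PASSWORDS = ["password", "Welcome1", "hospital2020", "Summer2021!", "nurse123"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form exposure lists are usually distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index exposed hashes by 5-char prefix -> set of 35-char suffixes.
    A range-query service stores its data this way; the client sends only
    the prefix and matches the suffix locally (k-anonymity)."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


EXPOSED_INDEX = build_range_index(EXPOSED_PASSWORDS)


def is_exposed(password: str, index=EXPOSED_INDEX) -> bool:
    """True if the password's full SHA-1 is in the exposed set."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def password_change_filter(new_password: str) -> tuple:
    """Hook called at password-set time: (accepted, reason)."""
    if is_exposed(new_password):
        return False, "password appears in an exposure list; choose another"
    return True, "ok"


def screen_accounts(accounts: dict, index=EXPOSED_INDEX) -> list:
    """Daily re-screen of stored hashes (username -> SHA-1 hex). Returns the
    accounts whose current password has since turned up in an exposure list."""
    flagged = []
    for user, stored_hash in accounts.items():
        if stored_hash[5:] in index.get(stored_hash[:5], set()):
            flagged.append(user)
    return flagged


# Constructed account records: only hashes are stored, never plaintext.
ACCOUNTS = {"jdoe": sha1_hex("nurse123"), "asmith": sha1_hex("Tr0ub4dor&3-ward7")}
```

In production the index would be the vendor's or a breach-corpus service's data rather than an in-memory list, and the flagged accounts would feed a forced-reset workflow rather than a return value.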
4. Where appropriate, use MFA. Multifactor Authentication is an excellent way to provide an additional layer of protection to your systems. Whether a code is sent to employee phones, or they are asked to scan a badge to confirm their identity, layers of authentication make it much harder for hackers to gain access to employee information.
5. Consider whether you could use Risk-Based Authentication. For employees working across devices and hospitals, risk-based authentication (RBA) could be a good avenue to explore. RBA is a process by which IT staff set up policies that determine the risk of a given device based on factors like the user, IP address, or location. Ideally, IT is alerted when any unusual activity occurs, to make sure that sensitive patient data is protected.
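The MFA and risk-based authentication points above can be tied together in one policy engine: score each login from the user’s baseline, the source IP, the reported country and the device, then allow, step up to MFA, or block, and flag unusual activity for IT. The following is an added illustration, not any vendor’s RBA product; the hospital network ranges, per-user baselines and score weights are all constructed assumptions that a real deployment would tune.

```python
"""Risk-based authentication decision with MFA step-up and IT alerting.
Added example; networks, baselines and weights are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed on-site address ranges (documentation prefixes, not real hospital IPs).
HOSPITAL_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]


@dataclass
class UserBaseline:
    usual_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)


@dataclass
class LoginAttempt:
    user: str
    ip: str
    country: str      # from GeoIP or the client, as the deployment provides it
    device_id: str    # cookie/certificate-bound device identifier
    hour: int         # local hour, 0-23


# Constructed baselines for two staff members.
BASELINES = {
    "rn.lee": UserBaseline({"US"}, {"ward3-ws01", "rn.lee-phone"}),
    "dr.khan": UserBaseline({"US", "CA"}, {"clinic-laptop-7"}),
}


def risk_score(attempt: LoginAttempt, baselines=BASELINES) -> tuple:
    """Return (score, reasons). Each policy adds a constructed weight."""
    base = baselines.get(attempt.user, UserBaseline())
    score, reasons = 0, []
    if not any(ip_address(attempt.ip) in net for net in HOSPITAL_NETWORKS):
        score += 30; reasons.append("outside hospital network")
    if attempt.device_id not in base.known_devices:
        score += 40; reasons.append("unknown device")
    if base.usual_countries and attempt.country not in base.usual_countries:
        score += 50; reasons.append("unusual country")
    if attempt.hour < 5 or attempt.hour >= 22:   # off-hours for day staff
        score += 10; reasons.append("off-hours")
    return score, reasons


def decide(attempt: LoginAttempt) -> dict:
    """Map the score to allow / require_mfa / block_and_alert; alert IT at >= 60."""
    score, reasons = risk_score(attempt)
    action = "block_and_alert" if score >= 90 else "require_mfa" if score >= 30 else "allow"
    return {"action": action, "score": score, "reasons": reasons, "alert_it": score >= 60}
```

A known workstation on the ward network scores 0 and is allowed, the same user’s known phone from home is stepped up to MFA, and an unknown device from an unusual country overnight is blocked and raised to IT.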
6. When in doubt, seek out education. Cybersecurity is a field that is quick to change, but not many practical suggestions make it into the big headlines. Don’t be daunted by the industry. Educate yourself and your coworkers whenever you can.