Electronic Health Reporter

By Taeil Goh, chief technology officer, OPSWAT.

The healthcare industry has been at risk of cyberattack since long before the proliferation of patient networks, web applications, cloud services, and other connected devices increased the attack surface exponentially. For financially motivated attackers, attempting to obtain and then profit from patient information sold on the black market or disrupt hospital services for ransom, there’s no shortage of entry points or sophisticated attack techniques at an attacker’s disposal.

As one of 16 critical infrastructure sectors as defined by the Department of Homeland Security, the healthcare sector protects the health of the entire population from physical and digital harm, safeguarding millions of health records and private information. If the infrastructure were to collapse due to a security breach, healthcare providers would be unable to deliver necessary medical services to the public. This was most evident when a cyberattack crippled a network of Alabama hospitals, prohibiting healthcare professionals from providing medical services to new patients in need.

As a new decade approaches, the traditional networks and devices, along with Medical Internet of Things (MioT), that keep healthcare organizations afloat, remain vulnerable to cyberattacks despite advances in cybersecurity. With a single patient’s medical record being worth up to $1,000, attackers will continue to identify and attack the weakest points in their networks and supply chains to take advantage of the endless web of patient records and proprietary information.

Attempts to reduce cyber risk stall

Since 2016, more than 93% of healthcare organizations have experienced a data breach according to a recent study by Black Book Market Research. This same report also discovered that only 21% of hospitals claim to have a dedicated security executive tasked with leading the charge against cyber risk, leaving a huge gap in cybersecurity efforts. Without the support of healthcare leaders and staff who are narrowly focused on improving patient health outcomes, IT and security teams simply cannot keep up with the influx of threats that come in on a daily basis.

In addition, a report from the HIPAA Journal revealed that the biggest causes of healthcare data breaches were rooted in hacking, IT incidents and unauthorized disclosures of information. From this information we can infer two key takeaways: 1) employee training beyond the IT and security teams has not been sufficient enough and 2) the vast majority of cyber incidents were likely preventable.

Training the entire healthcare industry in cybersecurity is a “must-have”

With 2020 imminent, the burden is truly on healthcare leaders to take various steps to make all employees, regardless of role or responsibility, understand that any interaction with technology can play a role in a cyberattack. Ultimately, it’s an education of cybersecurity that goes beyond training or learning the “how,” to a shift in understanding a concept from an awareness standpoint. This type of focus will represent a change to both culture and strategy — which is never easy to deploy despite its necessity. And healthcare leaders must do so without the overuse of scare tactics but with the goal of demonstrating to all employees how cyberattacks operate and how to respond and mitigate them upon suspicion or confirmation.

Consider taking some of the following steps:

• Prioritize practical, hands-on cybersecurity workforce training that is specific to understanding protection needed for a critical infrastructure sector rather than just relying on theories and concepts that are difficult to visualize.
• Set up the right incentives, performance management, training, processes, procedures and other systems to ingrain the cultural and awareness mindset required to effect lasting change.
• Train healthcare practitioners in technologies and processes that are valuable to making healthcare stronger and more resilient, but don’t neglect the processes needed to also protect mission critical IT systems
• Lead by example – mandate that all executives and managers take in-depth critical infrastructure cybersecurity training courses to become knowledgeable in healthcare cybersecurity and to not only understand how to communicate that information to everyone involved but also grasp the importance of cybersecurity awareness within the healthcare industry.
• Ensure that senior leadership agrees with the value of any cybersecurity plan before it’s implemented to instill the gravitas of the policy across the organization.

Protecting the healthcare sector against cyberattacks is a two-part problem. The industry as a whole must instill greater resiliency, more advanced security protocols and comprehensive incident response plans, but that starts with better cybersecurity knowledge across the entire workforce. Ultimately, we need to change the way everyone in the ecosystem thinks about cybersecurity. The success of the healthcare industry relies on the steps taken by the workforce to mitigate risks – and that starts with the knowledge and understanding of the nuances that make up this sector’s exposure to cyber risk.

In the decade ahead, healthcare leaders cannot afford to not train each and every employee in cybersecurity awareness — the risks to public health are simply too great to ignore.