With new threats and challenges emerging in the digital world every day, maintaining optimal IT security has become a daunting task for any organization. More than ever before, healthcare organizations are feeling the heat from regulators regarding cyber security. In this blog post, we look at some of the top healthcare IT security tips you should know to keep your organization safe from cyberattacks.
With more than one billion records being compromised every year, data privacy and protection is a topic that cannot be ignored anymore by any organization without risking its reputation significantly. Considering how many patient records are digitized these days, it’s not surprising that hackers are increasingly targeting healthcare companies with ransomware attacks or other ways to get access to confidential information.
Know Your Employees And Monitor Behavior
Healthcare organizations often deal with extremely sensitive data, and thus it’s important that your employees are aware of what information is private and what information can be shared publicly. It’s also important to keep an eye on how your employees are using their devices at work.
If you notice that someone is downloading files from the network that they shouldn’t be accessing, it might be an indication of malicious behavior. It’s also important to keep an eye on the devices your employees are using. If your organization has BYOD (Bring Your Own Device) policies, it’s important to make sure that those devices are secured against malware or other threats.
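The monitoring advice above is easier to act on with concrete detection logic. The following is an added example, not code from the original post: it parses a few constructed file-share access log lines (the field names, share layout, department baselines and user names are all assumptions) and flags two things a reviewer would want to see: users reaching shares outside their own department, and users whose download volume exceeds a per-department baseline.

```python
import re
from collections import defaultdict

# Constructed sample log lines; the format "ts user= dept= path= bytes=" is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jlee dept=billing path=/shares/billing/invoices/2024-02.csv bytes=120000
2024-03-01T08:05:40Z user=jlee dept=billing path=/shares/billing/invoices/2024-01.csv bytes=118000
2024-03-01T08:09:03Z user=mpatel dept=radiology path=/shares/imaging/ct/0001.dcm bytes=52000000
2024-03-01T08:11:27Z user=mpatel dept=radiology path=/shares/imaging/ct/0002.dcm bytes=51000000
2024-03-01T09:30:15Z user=jlee dept=billing path=/shares/hr/salaries.xlsx bytes=340000
2024-03-01T09:31:02Z user=jlee dept=billing path=/shares/research/trial-cohort.csv bytes=9800000
2024-03-01T09:31:40Z user=jlee dept=billing path=/shares/research/trial-consent.pdf bytes=4200000
2024-03-01T10:00:00Z user=tnguyen dept=hr path=/shares/hr/salaries.xlsx bytes=340000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

# Which share prefixes each department is expected to touch (assumed layout).
DEPT_SHARES = {
    "billing": ("/shares/billing/",),
    "radiology": ("/shares/radiology/", "/shares/imaging/"),
    "hr": ("/shares/hr/",),
}

# Per-department daily download baseline in bytes (constructed numbers).
BASELINE_BYTES = {
    "billing": 1_000_000,
    "radiology": 500_000_000,
    "hr": 1_000_000,
}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def out_of_scope_accesses(events):
    """(user, path) pairs where the path is not under a share the user's department is expected to use."""
    flagged = []
    for ev in events:
        allowed_prefixes = DEPT_SHARES.get(ev["dept"], ())
        if not any(ev["path"].startswith(p) for p in allowed_prefixes):
            flagged.append((ev["user"], ev["path"]))
    return flagged


def volume_outliers(events, baselines):
    """Users whose summed download volume exceeds their department's baseline."""
    totals = defaultdict(int)
    dept_of = {}
    for ev in events:
        totals[ev["user"]] += ev["bytes"]
        dept_of[ev["user"]] = ev["dept"]
    return sorted(
        user for user, total in totals.items()
        if total > baselines.get(dept_of[user], float("inf"))
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, path in out_of_scope_accesses(evs):
        print(f"out-of-scope access: {user} -> {path}")
    for user in volume_outliers(evs, BASELINE_BYTES):
        print(f"volume outlier: {user}")
```

On the constructed sample, the billing user who wanders into the HR and research shares is reported by both checks, while the radiology user's large but expected imaging downloads stay under the radiology baseline. A real deployment would feed actual share or proxy logs into `parse_log` and tune `DEPT_SHARES` and `BASELINE_BYTES` from observed behaviour.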
Ensure Strong Passwords And Network Security
While there are many different ways for cybercriminals to break into your network, weak passwords remain a commonly exploited vulnerability. It’s important to make sure that your employees are using strong passwords containing a combination of letters, numbers, and symbols.
To avoid having to reset passwords on a regular basis, it’s a good idea to suggest the use of password managers. Another important network security tip is to implement two-factor authentication (2FA) for all critical systems. This will help to prevent unauthorized users from accessing sensitive data.
Healthcare ransomware attacks have become more common in recent years, and in many cases, caused considerable damage. At least 148 U.S. healthcare organizations fell victim to a ransomware attack in 2021, the most attacked industry, according to a March 2022 HIPAA Journal report.
With increasing threats from overseas, growing cybercriminal organizations, and the COVID-19 pandemic, it’s no surprise a sharp rise in breaches and healthcare ransomware attacks has occurred across the healthcare ecosystem.
As the situation grows more volatile, it’s vital to understand why threats like breaches and healthcare ransomware attacks exist and ways ambulatory practices can work to reduce cybersecurity risks.
The Most Valuable Record
It’s not just the patient health information (PHI) a record contains that makes it valuable to cybercriminals, but the other information that accompanies PHI: addresses, birth dates, social security numbers, and even more obscure data such as insurance policy numbers, all of which someone can use to impersonate patients and commit identity theft.
With this stolen information, a cybercriminal can more easily steal someone’s identity because they now know important information no one else does. It’s what makes health records so valuable — not always the record itself, but what can be done with the information.
The average healthcare industry breach is so expensive because of the costs of remediation, recovery, legal actions, and regulatory fines. In 2021, the average cost of a healthcare breach was $9.23 million, up 29.5% from $7.13 million the previous year, according to IBM’s Cost of a Data Breach Report 2021.
Taking it a step further, by failing to keep patient records private, an ambulatory practice could face substantial penalties under HIPAA’s Privacy and Security Rules, suffer harm to its reputation, and put patient safety at serious risk. A hacker’s access to private patient data not only opens the door to stealing information; they can possibly even alter the data — severely impacting patient health and outcomes.
Many cyber gangs list ‘medical organizations’ as non-targets. But, that hasn’t stopped them from executing attacks on hospitals, health delivery organizations, pharmaceutical companies, and other entities in the sector.
Since 2020, the health sector has seen a rapid rise in cyberattacks. Ransomware has been the main form of attack.
Cybercriminals have claimed that healthcare providers have only been collateral victims. Yet, some have deliberately targeted hospitals to obtain classified medical records, transactions, and other sensitive patient data. This article will uncover the main cybersecurity challenges facing the healthcare industry, as well as some solutions to the main threats.
Top Cybersecurity Challenges for Healthcare Organizations
Ransomware
Ransomware gangs have stepped up their attacks on critical national infrastructure, including healthcare.
A survey from 2021 interviewed 597 health delivery organizations. 42% of them reported being victims of at least two ransomware attacks in previous years.
Ransomware is usually distributed through phishing emails containing trojan viruses. The attackers disguise the virus as a link or attachment. When a user clicks the link or downloads the attachment, the trojan is ready to strike.
By Dirk Schrader, resident CISO (EMEA) and vice president of security research, Netwrix.
Ransomware is steadily increasing each and every year, with the healthcare and hospital industries suffering among the most. In 2021, we saw that “The healthcare sector is seeing the highest volumes of ransomware attempts, averaging 109 attempts per entity, every week.”
Why is this sector being targeted specifically? It holds extremely sensitive patient data and information. Hackers are working more diligently than ever to find data, threaten hospitals and providers, and even extort individuals themselves. With such a high amount of cybercrime, how can this sector protect itself and its patients? To start, by learning about security trends and acting on them where it can.
Here are five security trends we’ll see more of in 2022:
Cybercriminals will be increasingly greedy.
In 2022 attackers will search for new ways to monetize access to large data troves. This may lead to changes in the tactics, techniques and procedures of threat actors: they will begin to extort individuals rather than the infiltrated companies themselves. The healthcare industry is especially prone to this trend. The data generated and held by the healthcare sector is life-changing for many people and can easily be misused.
Consider this possible scenario: by extracting and aggregating personal data about hundreds of thousands of diabetic patients (34.2 million people in the US alone are diabetic), threat actors might try to ‘offer’ cheaper drugs to the individual patients, extracting money from a highly vulnerable group. If such a scheme can trick, let’s say, ten thousand victims into paying $500 for insulin (instead of about $1,000 on average), the amount of money on the table is substantial.
Medical device IoT will create more security gaps.
More and more medical devices are being connected using vulnerable IP stacks or old web server packages that cannot easily be patched, because doing so would jeopardize the device’s certification for medical use. In 2017, around 10 billion medical devices were connected to the internet, with an expected jump to 50 billion by 2027. While this connectivity has created so much opportunity for advances in the medical field, it has also created a new set of vulnerabilities.
Frequently, the task of configuring a medical device is considered done when it operates within the parameters of the medical process it is supposed to support or enable. Any additional security aspects are overlooked and often neglected. As long as these medical and IoT devices remain unmanaged, unmonitored and improperly updated, this exposure risk will continue to be exploited by threat actors throughout 2022 and beyond.
With the rapid shift to telehealth stemming from the pandemic, both deployment and adoption of patient portals increased. This surge in usage has exposed security vulnerabilities, and we’re now seeing that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year the latter alone cost the healthcare industry nearly $21 billion in downtime, affecting 600 providers nationwide.
COVID-19 transformed the healthcare landscape, making patient portals and telehealth the primary means by which to communicate with providers, access treatment plans and other documents and process payments. Given the convenience this affords for patients and providers alike, these digital experiences will likely remain a primary part of the healthcare industry for years to come. As organizations continue to invest in patient portals and other telehealth innovations, it’s critical that they are cognizant of the myriad security concerns.
It should come as no surprise that hackers view patient portals as an extremely attractive target—credit card data, personally identifiable information (PII) and personal health information (PHI) are all accessible via these platforms. Unfortunately, because patient portals were designed with the user experience in mind, it’s not uncommon for them to have minimal security to make the process as frictionless as possible. Hackers are only too eager to exploit this and other security holes, so it’s critical that organizations address these concerns. With that in mind, read on for five important steps to shore up these vulnerabilities and enhance patient portal security.
Screen for Compromised Credentials
In many cases patient portals are secured solely by a password, something that is widely recognized as a poor security practice, particularly for accounts that contain such sensitive information. This is largely due to the pervasive problem of reusing passwords across multiple sites, something 59% of respondents in a recent survey admit to doing. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that bad actors could launch a successful account takeover (ATO). To address this and other password-related vulnerabilities, providers should screen credentials against a dynamic database to ensure that patients aren’t inadvertently opening the front door to hackers. Given the rate at which data breaches occur, it’s also important to implement this screening on an ongoing basis, rather than solely when a patient enrolls in the portal.
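The credential screening described above can be implemented as a check that runs both at enrollment and at every later login, since the plaintext password is only available at those moments and the compromised-credential corpus keeps growing. The following is an added example, not the post’s or any vendor’s code: the breach list is a small constructed stand-in, the policy thresholds are assumptions, and the index is keyed by a 5-character SHA-1 prefix so that, if the lookup were moved to a remote range-query service, only the prefix would ever leave the portal.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a compromised-credential corpus (not a real breach list).
# A production screen would refresh this from a continuously updated source.
SAMPLE_BREACHED = ["password", "123456", "qwerty123", "letmein", "Welcome1!", "Patient2021!"]


def _sha1_hex(password: str) -> str:
    # SHA-1 is used here only as a lookup key into the breach corpus, not for storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(breached_passwords):
    """Index hashes by their first 5 hex characters (range-query / k-anonymity layout)."""
    index = {}
    for pw in breached_passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


@dataclass
class ScreeningResult:
    ok: bool
    reasons: list = field(default_factory=list)


def screen_password(password, username, breach_index, min_length=12):
    """Local policy rules plus a breach-corpus check. Returns every failing reason,
    so the portal can tell the patient exactly what to change."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    digest = _sha1_hex(password)
    # Only the suffix set for this prefix is consulted; the full hash never needs to be sent anywhere.
    if digest[5:] in breach_index.get(digest[:5], set()):
        reasons.append("found in compromised-credential corpus")
    return ScreeningResult(ok=not reasons, reasons=reasons)


def login_decision(password, username, breach_index):
    """Re-screen on every successful authentication: a password that passed at
    enrollment but has since appeared in a breach is forced through a reset."""
    result = screen_password(password, username, breach_index)
    return "allow" if result.ok else "force_reset"


if __name__ == "__main__":
    idx = build_breach_index(SAMPLE_BREACHED)
    for pw in ["Patient2021!", "correct horse battery staple"]:
        print(pw, "->", login_decision(pw, "alice", idx))
```

Rejecting a password with `force_reset` rather than silently allowing it is the point of the "ongoing" screening the post asks for; the decision is made at login time because that is the only time the portal legitimately holds the plaintext.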
Cybersecurity has been a major concern facing many digitalized businesses. Hackers have developed more sophisticated ways to breach security systems and steal essential data from businesses. Such security issues may cause significant financial loss and bring a business down to its knees.
Healthcare is one of the sectors that has been hit hardest by cybercrime. This is due to the sector’s adoption of technological advances in areas like storing patients’ data. Unfortunately, while the technology has positively impacted the provision of services, it has also created an opportunity for hackers to attack and steal information. As a result, healthcare has become an easy target for cybercriminals because of the nature of its information systems.
Reasons For Cyberattacks On Healthcare
As stated, the healthcare sector isn’t immune to cyberattacks and other forms of security breaches by criminals. The sector is targeted because of the many loopholes it has.
Here are some of the reasons why healthcare is targeted:
The Password Problem
One of the major concerns affecting healthcare is the lack of good passwords. The password problem arises when healthcare workers don’t set strong passwords on their devices for fear of forgetting them. Instead, they end up using weak passwords, such as their phone numbers or names.
This makes it easy for attackers to breach security and steal important information. In addition, colleagues can guess simple passwords and use them to access your accounts. The password problem affects many businesses, as well as individuals. You should, therefore, be creative with your password and make it unique.
Lucrative Medical Records
Medical records always contain important information that could be lucrative to hackers when they sell them. Such information includes names, contact information, and credit card numbers when patients pay bills through bank cards. The attackers can then use these pieces of information to directly attack the patients or sell them to other people.
Because some medical facilities aren’t well-protected from security breaches, the patients’ data aren’t safe. Therefore, attackers use these loopholes to launch attacks on people.
With vaccinations underway, it’s becoming possible to envision the light at the end of the pandemic tunnel; however, the post-COVID world will have some notable differences. One such example is the likely requirement of “immunity passports” to do any number of things: have elective surgery, attend college, or travel internationally.
The European Union, China, Israel and Japan are among the nations that have launched or plan to unveil such programs. In the U.S., states will be in charge of developing their programs with federal support as required. Given the partisan differences surrounding the pandemic response and economic recovery, this is likely to introduce numerous challenges in and of itself. But political concerns aside, the emergence of more coronavirus tracing apps and programs also brings some serious security challenges.
As PBS’ Laura Santhanam recently put it, “Unlike the physical [vaccination card used to track Yellow Fever], there are growing concerns about data privacy as documents verifying COVID-19 vaccination would exist and generally be accessed digitally.” In fact, these concerns are so pressing that a new Forrester report includes the vulnerability of COVID-19 apps as one of the five major problems which could impede post-pandemic progress in 2021.
With that in mind, let’s take a look at some of the chief vulnerabilities and what governments and businesses alike should be cognizant of as these apps become more mainstream.
Improper Access Controls. Hospital administrators. Physicians. Insurance adjusters. Claims specialists. Pharmacy techs. The list of potential roles that could access vaccination data is massive, and that’s just within the healthcare setting. When you expand to other industries, the list is virtually endless. In order to protect sensitive data, it’s important that all COVID-19 apps and programs are designed with strong role- and event-based access controls.
For example, a doctor may require “Write” access in order to edit or add information pertinent to a patient’s immunity or reaction to the vaccine. However, this permission should be the exception rather than the norm as hackers could wreak havoc should they be able to manipulate data within these apps and programs.
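The role- and event-based control described above, with “Write” as the exception, can be made concrete in a small record store. The following is an added example and not code from any actual immunity-passport program: the roles are the ones named in the post, but their permission sets, the notion of an “active care event” that additionally gates every write, and the audit record format are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Action(Enum):
    READ = "read"
    WRITE = "write"


# Role -> permitted actions on vaccination records (constructed permission sets).
# Only the physician role may write, and writes are further gated by a care event below.
ROLE_PERMISSIONS = {
    "physician": {Action.READ, Action.WRITE},
    "hospital_admin": {Action.READ},
    "insurance_adjuster": {Action.READ},
    "claims_specialist": {Action.READ},
    "pharmacy_tech": {Action.READ},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


@dataclass
class AuditEvent:
    when: str
    user_id: str
    role: str
    action: str
    patient_id: str
    allowed: bool
    reason: str


class VaccinationRecordStore:
    """Every access decision, allowed or denied, is written to the audit trail."""

    def __init__(self):
        self._records = {}         # patient_id -> {field_name: value}
        self._care_events = set()  # (physician_id, patient_id) pairs with an active encounter
        self.audit = []

    # Event-based part: a write is only possible while the physician has an open encounter.
    def open_care_event(self, physician_id, patient_id):
        self._care_events.add((physician_id, patient_id))

    def close_care_event(self, physician_id, patient_id):
        self._care_events.discard((physician_id, patient_id))

    def _authorize(self, principal, action, patient_id):
        if action not in ROLE_PERMISSIONS.get(principal.role, set()):
            return False, f"role {principal.role} lacks {action.value}"
        if action is Action.WRITE and (principal.user_id, patient_id) not in self._care_events:
            return False, "write requires an active care event with this patient"
        return True, "ok"

    def _log(self, principal, action, patient_id, allowed, reason):
        self.audit.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), principal.user_id, principal.role,
            action.value, patient_id, allowed, reason,
        ))

    def read(self, principal, patient_id):
        allowed, reason = self._authorize(principal, Action.READ, patient_id)
        self._log(principal, Action.READ, patient_id, allowed, reason)
        if not allowed:
            raise PermissionError(reason)
        return dict(self._records.get(patient_id, {}))

    def write(self, principal, patient_id, field_name, value):
        allowed, reason = self._authorize(principal, Action.WRITE, patient_id)
        self._log(principal, Action.WRITE, patient_id, allowed, reason)
        if not allowed:
            raise PermissionError(reason)
        self._records.setdefault(patient_id, {})[field_name] = value
        return True


if __name__ == "__main__":
    store = VaccinationRecordStore()
    doctor = Principal("dr-01", "physician")
    store.open_care_event("dr-01", "pt-100")
    store.write(doctor, "pt-100", "dose_1", "2021-03-02")
    print(store.read(Principal("rx-01", "pharmacy_tech"), "pt-100"))
    for ev in store.audit:
        print(ev.user_id, ev.action, ev.allowed, ev.reason)
```

The two layers work together: the role table answers “may this kind of user ever write?”, and the care-event check answers “is this specific user treating this specific patient right now?”. Denials are logged with their reason, which is what an investigator needs when reviewing who tried to change immunity data.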
Response from Sarah Johnson, RN and the health ambassador, Family Assets.
I’m an RN and the health ambassador for Family Assets, an eldercare and senior living resource for older adults and caregivers.
Working in eldercare and watching how telehealth technology has radically reshaped geriatric care during the pandemic, I think the most important question healthcare technology professionals should be asking themselves right now is: given that hospitals and healthcare facilities have been prime targets for cybercriminals, largely because of aging infrastructure, what needs to be done to make the rapidly expanding healthcare tech industry more secure?
I think the obvious answer to this is the development of much more robust digital security protocols at individual institutions and a massive educational initiative for healthcare providers and workers. This should include, among other things, scheduled stress testing that probes for cybersecurity vulnerabilities.
Too many organizations, within and outside of healthcare, are completely unprepared for the cyberthreats they face and are not diligent enough when it comes to monitoring and probing for weaknesses.
All healthcare technology professionals should have this issue front and center