In the Decade To Come, Healthcare Organizations Can Reduce Cyber Risk with Employee Training
By Taeil Goh, chief technology officer, OPSWAT.
The healthcare industry has been at risk of cyberattack since long before the proliferation of patient networks, web applications, cloud services, and other connected devices increased the attack surface exponentially. Financially motivated attackers, whether they aim to obtain patient information and profit from selling it on the black market or to disrupt hospital services for ransom, have no shortage of entry points or sophisticated attack techniques at their disposal.
As one of 16 critical infrastructure sectors as defined by the Department of Homeland Security, the healthcare sector protects the health of the entire population from physical and digital harm, safeguarding millions of health records and other private information. If that infrastructure were to collapse due to a security breach, healthcare providers would be unable to deliver necessary medical services to the public. This was most evident when a cyberattack crippled a network of Alabama hospitals, preventing healthcare professionals from providing medical services to new patients in need.
As a new decade approaches, the traditional networks and devices that keep healthcare organizations afloat, along with the Medical Internet of Things (MIoT), remain vulnerable to cyberattacks despite advances in cybersecurity. With a single patient’s medical record being worth up to $1,000, attackers will continue to identify and attack the weakest points in healthcare networks and supply chains to take advantage of the endless web of patient records and proprietary information.
Attempts to reduce cyber risk stall
Since 2016, more than 93% of healthcare organizations have experienced a data breach according to a recent study by Black Book Market Research. This same report also discovered that only 21% of hospitals claim to have a dedicated security executive tasked with leading the charge against cyber risk, leaving a huge gap in cybersecurity efforts. Without the support of healthcare leaders and staff who are narrowly focused on improving patient health outcomes, IT and security teams simply cannot keep up with the influx of threats that come in on a daily basis.
In addition, a report from the HIPAA Journal revealed that the biggest causes of healthcare data breaches were rooted in hacking, IT incidents and unauthorized disclosures of information. From this information we can infer two key takeaways: 1) employee training beyond the IT and security teams has not been sufficient, and 2) the vast majority of cyber incidents were likely preventable.
Training the entire healthcare industry in cybersecurity is a “must-have”
With 2020 imminent, the burden is truly on healthcare leaders to take the steps needed to make all employees, regardless of role or responsibility, understand that any interaction with technology can play a role in a cyberattack. Ultimately, this is cybersecurity education that goes beyond training in the “how” of a task to a genuine shift in awareness of why it matters. A focus of this kind represents a change to both culture and strategy, which is never easy to deploy despite its necessity. Healthcare leaders must bring it about without overusing scare tactics, with the goal of showing all employees how cyberattacks operate and how to respond to and mitigate them once an attack is suspected or confirmed.