Guest post by Greg Mancusi-Ungaro, CMO, BrandProtect
Since 2009, the personal health information of almost 30 million Americans has been compromised. From Partners Healthcare and Anthem to the UCLA Health System and Children’s National Health System, it’s clear that healthcare organizations are a hot target, especially as medical records include exactly the kind of valuable data cyber criminals want to get their hands on. And, since information like social security numbers and birthdates can’t be “turned off” in the ways that stolen credit card numbers can, once cyber criminals get ahold of such records, they can do significant damage with them like counterfeiting patients’ identities.
It is crucial that the healthcare industry be vigilant when it comes to cyber security. From hospitals and insurers, to medical groups and individual practices, health-related organizations must ensure they are taking all possible measures to keep the personal information of their patients – not to mention their own brand reputation and business – safe. That raises some questions: Why are healthcare organizations such a hot target? How are they (and their patients) being targeted, and what can the industry do to stay one step ahead of cybercriminals and mitigate the ensuing risks?
What Makes Healthcare a Prime Target?
Healthcare organizations are a large target for many reasons. First and foremost, they possess extremely valuable assets, including the personal, family and billing information of their patients. It isn’t the blood type or cholesterol reports that make electronic health records the most valuable records on the cybercrime black market; it is the virtually complete personal identity information, including social security numbers, parents, maiden names, addresses, emails, children’s names and, in some cases, complete information on close friends. They are the holy grail of the identity theft world.
Second, the available attack surface in the healthcare industry is very complex. The healthcare industry contains many different organizations that have, over the past few years, moved to electronic systems, but not to a truly centralized electronic system. The reality of today’s healthcare records infrastructure is that there are many networks, data formats, communications protocols, passwords and access points all patched together. Not only is this amalgamated network challenging to maintain, it creates massive opportunities for compromise. Cybercriminals know this.
Healthcare is in the Cybercrime Crosshairs
Doctors are at the center of the healthcare universe. They interact and interface with patients, insurers, service providers and hospitals. Their office networks and smart devices connect with practically every network that affects their business. But doctors are not information technology or security experts. Less than 40 percent of doctors based in the U.S. feel that their cybersecurity processes are above average. Their lack of technical savvy and security knowledge makes them easy pickings for sophisticated cybercriminals. They need education and protection.
Patients are also prime targets. The Affordable Care Act (ACA) has accelerated the dramatic shift of health insurance and medical services to a digital transaction model. With the emergence of affordable individual policies, not tied to employer offerings, and online markets for health insurance, many more individuals are using online resources to evaluate insurance options, enroll and manage their healthcare. Patients also go online to update their records, view and manage results and appointments, and make payments. Insurers and hospitals use email to communicate and confirm transactions, or to flag issues with accounts or with payments. This is where cybercriminals see their opportunity. Additionally, the ACA has introduced healthcare options – requiring online healthcare management – to many families who are not as familiar with online risks, so they are easy prey for phishing and other cyberattacks.
Reducing the Risk of a Successful Attack
Almost all cyber events start out the same way, with a successful attack on a single individual (an employee, doctor or patient) or device. This initial incursion, whether through malware, social engineering or another means, can lead to illegal network access and records theft over the course of weeks or months. But if a healthcare organization can successfully reduce the risk of that first attack succeeding, it makes it harder for cyber criminals to gain this access.
Since there is a high level of involvement between physicians and hospitals, health networks and insurance companies, it’s important that all organizations’ security departments understand the vulnerabilities that come along with these interwoven relationships. They also need to ensure individuals are knowledgeable about the targets painted on their backs by cybercriminals. Simple steps to raise awareness and promote safer online behavior are surprisingly effective.
For example, by periodically alerting doctors and subscribers about the perils of phishing attacks, and by diligently monitoring for attempted phishing attacks, an organization not only directly reduces the risk of its trusted identity being leveraged in a third-party phishing attack, but also reduces the risk of any phishing attack being successful. And by diligently detecting and shutting down attempted phishing attacks, the organization sends a signal to would-be attackers: “We’re going to make it hard for you.” By making themselves a less vulnerable target, healthcare organizations discourage cybercriminals and drive them to search for other, more easily attacked victims.
In addition to this awareness, healthcare organizations can help doctors, employees and others understand the importance of choosing passwords that are difficult to guess or crack, or schedule regular training sessions to cover which mobile apps have been deemed ‘safe’ by the IT department. Whatever the task may be, keeping cybersecurity top of mind – and continually educating individuals – pays off in the end.
Attack Season Is Just Around the Corner
While breaches seem to occur year round, it is important to remember that cyberattacks against doctors and patients may be more seasonal in nature.
Consider, for instance, the open enrollment period beginning on Nov. 1, 2015. From that day through Jan. 31, 2016, virtually every American who is not covered by an employer-provided health plan must go online and select their health coverage for 2016. Cybercriminals know that this is a busy time of year when individuals are likely to receive many email notifications – from their state, from the federal government and from their current healthcare provider – alerting them to new options or reminding them of critical deadlines. It’s easy for cyber criminals to add their email attacks into this stream of email traffic. For example, a simple phishing email could notify new patients that there was a problem with their registration, and to “click here” to update their user information. Any new registrant who clicks the link could then, unknowingly, be inviting a cybercriminal to infiltrate the network and gain access to their personal information.
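The monitoring the post calls for earlier (watching for phishing that borrows the organization’s trusted identity) and the enrollment-season lure just described both come down to a few observable indicators in the message itself. The following is an added example written for this post, not code from the author or from BrandProtect: a small, defender-side triage script that scores inbound mail against three of those indicators – a sender domain that is a near-miss for the organization’s real domain, a link whose visible text or destination does not match the organization’s domain, and the kind of pressure language (“problem with your registration”, “update your user information”) the post quotes. The organization domain `examplehealth.org`, the brand tokens, the phrase list and all three sample messages are constructed for illustration; a real deployment would use a public-suffix list rather than the naive two-label domain split used here.

```python
"""Defender-side triage of e-mail impersonating a healthcare brand (added example)."""
import re
from html.parser import HTMLParser

LEGIT_DOMAINS = {"examplehealth.org"}                 # hypothetical organization domain
BRAND_TOKENS = ("examplehealth", "example health")    # how the brand shows up in display names
PRESSURE_PHRASES = (                                  # constructed phrase list
    "problem with your registration",
    "update your user information",
    "verify your account",
    "will be suspended",
)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registered domain: last two labels (a public-suffix list belongs here in production)."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def host_of_url(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return registered_domain(m.group(1)) if m else None


def domain_in_text(text):
    """Domain a reader would *think* a link goes to, based on its visible text."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return registered_domain(m.group(1)) if m else None


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(msg):
    """Return human-readable findings for one message dict (from_name, from_addr, html)."""
    findings = []
    sender_domain = registered_domain(msg["from_addr"].rsplit("@", 1)[-1])
    if sender_domain not in LEGIT_DOMAINS:
        if any(edit_distance(sender_domain, d) <= 2 for d in LEGIT_DOMAINS):
            findings.append(f"lookalike sender domain {sender_domain}")
        elif any(t in msg["from_name"].lower() for t in BRAND_TOKENS):
            findings.append(f"brand name in display name but sender domain is {sender_domain}")
    parser = _LinkParser()
    parser.feed(msg["html"])
    for href, text in parser.links:
        target, shown = host_of_url(href), domain_in_text(text)
        if shown and target and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif target and target not in LEGIT_DOMAINS:
            findings.append(f"link '{text}' leaves our domain for {target}")
    plain = re.sub(r"<[^>]+>", " ", msg["html"]).lower()
    findings += [f"pressure language: '{p}'" for p in PRESSURE_PHRASES if p in plain]
    return findings


def triage(messages, threshold=2):
    """Score each message; two or more independent indicators marks it suspicious."""
    out = []
    for m in messages:
        f = analyze(m)
        out.append({"subject": m["subject"], "findings": f, "suspicious": len(f) >= threshold})
    return out


SAMPLE_EMAILS = [  # constructed samples, not real mail
    {"subject": "Open enrollment reminder", "from_name": "Example Health",
     "from_addr": "noreply@examplehealth.org",
     "html": '<p>Open enrollment runs Nov. 1 through Jan. 31. '
             '<a href="https://portal.examplehealth.org/enroll">Review your plan options</a>.</p>'},
    {"subject": "Action required: registration issue", "from_name": "Example Health Enrollment",
     "from_addr": "support@examp1ehealth.org",
     "html": '<p>There was a problem with your registration. '
             '<a href="http://examplehealth-login.example.net/update">click here</a> '
             'to update your user information.</p>'},
    {"subject": "Your statement is ready", "from_name": "ExampleHealth Billing",
     "from_addr": "billing@mail-notify.example.com",
     "html": '<p>View your statement at <a href="https://examplehealth.org.example.com/pay">'
             'https://examplehealth.org/pay</a></p>'},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EMAILS):
        print(r["subject"], "->", "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
```

Run as a script, the legitimate reminder produces no findings, the “problem with your registration” lure trips all three indicators, and the billing message is caught by the display-name spoof plus the mismatch between the link text and its real destination. The threshold of two independent indicators is a deliberate choice: a single external link or a single urgent phrase appears in plenty of legitimate enrollment mail, and the value of this kind of check is in the combination, which is also what a monitoring team should feed into takedown and user-alerting workflows rather than acting on any one signal alone.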
This is just one of the many online schemes cybercriminals use to lure victims in, and at the same time, significantly damage healthcare organizations. The opportunities for deception are virtually limitless. If a cyber attack is successful, who are the victims going to blame? It will more than likely be the trusted brand that was being impersonated, no matter the origin of the attack.
Healthcare organizations need to step up their game and monitor for these cyber threats, not just in peak seasons like open enrollment periods, but throughout the entire year. Only then can they take the necessary precautionary measures to fend off cybercriminals and the resulting risks, whether that be customer dissatisfaction or revenue loss.
Strengthening Cyber Security Efforts
Because of the treasure trove of information found in healthcare organizations’ records, they will continue to be challenged when it comes to protecting themselves – after all, if it can be found online, chances are, someone will try to take advantage of the vulnerabilities that exist. And, it only takes one misstep – one accidentally clicked link or file opened – by a doctor, patient or healthcare organization, to give hackers a toehold inside an organization. By strengthening cyber security efforts, through comprehensive cyber threat monitoring, proper training and more, threats are more likely to be detected and mitigated early on, reducing the likelihood of harmful data breaches and the ensuing business and reputational damage.