With the rise in digitization, healthcare is finding itself in a particularly vulnerable position. The healthcare industry deals with sensitive patient data, life-saving equipment, and a dire lack of trained cybersecurity experts. We talked to the professionals in healthcare and cybersecurity to better understand the risks and challenges faced by healthcare in the wave of rising cybercrimes.
“Being a healthcare worker myself, I can tell you the amount of personal data that we store in our computers is like a gold mine for hackers. Devices like insulin pumps and defibrillators play a critical role in healthcare. But these new devices also open up more entry points for cyberattacks. All the medical devices are designed for taking care of the patient– they are not made to prevent hackers from accessing them.” (Patti Naiser)
“Our staff may be highly trained in taking care of people, but I would not add an additional responsibility of online security processes to their workload. This is one of the biggest challenges we face. Medical staff is equipped with all the knowledge about taking care of the patients, but during hiring, no one asks them if they are trained for online risks.
“Another challenge we face is that healthcare units put little thought and effort into hiring the best IT technician, and when something goes wrong, we just call someone to come and take a look at our systems.”
Patti Naiser, CEO Senior Home Transitions
“One of the largest challenges the healthcare industry faces pertaining to protecting data is the move to a remote workforce during the pandemic, and the extension of that for account managers, data entry associates, and anyone accessing Personally Identifiable Information (PII). Making sure home networks were secure, the use of Bring Your Own Device (BYOD) in some instances, and password management for those opened up hundreds and thousands of new data points for IT and security teams to manage.
“You may also have new exposure of data to spouses or additional people who may see screens at home or in co-working spaces, which requires a new set of protocols and processes to turn off screens when not at the desk and to protect what is shown, especially if a spouse or roommate works for a competing healthcare firm, or when working in a co-working environment where network protection and additional exposures could be a liability.
“Phishing attempts have increased, and with some of these remote environments remaining, a focus on phishing training is key to identify and mitigate the risk of an attack through malicious email links.
“Finally, as patients see more specialists in addition to the primary care physician, the distribution and sharing of patient records with various medical groups on different systems and networks advances the risk that exposures may occur. With ransomware attacks becoming more common, outdated legacy systems and proper vendor compliance will be key to make sure access points are protected.”
“Healthcare organizations, including hospitals, utilize a large and diverse number of third parties, from students to doctors and even bots, to support their goal of creating a market-leading patient experience rooted in satisfaction, safety, and privacy.
“The number and variety of third parties utilized by healthcare organizations can be limitless and unfortunately, third parties are very risky. Unlike the good systems and processes in place to manage their employees’ identities, most organizations lack the same level of rigor for third-party non-employees that are known to be high-risk users.
“As a result, many third-party users are provided with more access than needed for their roles, and most disturbingly, access is frequently not terminated when they no longer have a business need for it. Further, the daily churn of third-party workers within a health system can get into the thousands and without a streamlined and/or automated way to properly onboard, offboard and manage the lifecycle of these identities, hospitals run the risk of improperly provisioning access and sharing sensitive information with the wrong people which can lead to a data breach or cyber attack.”
David Pignolet, Founder and CEO of SecZetta, a third-party identity risk management firm that helps healthcare organizations build systems that centrally track and manage their relationships with this growing number of third parties and the access to facilities, systems, and patient data they require.
“Ransomware, Data Breaches, Distributed Denial of Service Attacks (DDoS) and Internal Sabotage are the four main cybersecurity challenges the healthcare industry faces.
“Ransomware is one of the largest challenges faced by the healthcare industry. It may be one of the most dangerous. This type of attack occurs when an attacker infects the organization's operating systems with malware. The malware then encrypts electronic health records and other system data, making them impossible to access.
“The only way to regain control is to pay the attacker via wire transfer, Bitcoin, or a similar hard-to-trace method. This is dangerous also because even after control is regained, the organization doesn’t know if the data has been duplicated. In 2020 the average ransom paid by an organization in the United States for a ransomware attack was $837,344. It has reached figures as high as $10 million.
“A computer is infected with the virus via a phishing email. It is obtained when the user clicks a link or downloads an attachment. This is why it is absolutely imperative that healthcare employers train their employees on safe email and internet usage.
“Data Breaches are when hackers steal protected health information (PHI). This is also a threat to the industry. It is a problem because PHI is personally identifiable data that is associated with a patient. This includes diagnoses, test results, prescriptions, contact information, and social security numbers. Unlike a credit card, a patient’s personal history cannot be simply deleted or locked.
“The HIPAA Security Rule requires healthcare organizations to observe adequate data security practices when storing and transmitting protected health information, but many healthcare providers lack the resources they need to stay ahead of the game with up-to-date protocols and security measures.
“Distributed Denial of Service (DDoS) Attacks. This is an attempt to use internet traffic to overwhelm a website or network and disrupt its functionality. To do this, a large network of hacked computers, known as a botnet, is used. The botnet sends massive amounts of data to a target, overwhelming the network and causing downtime. Many companies use a DDoS mitigation service to help provide defense against these types of attacks.
“Sabotage by an insider is another threat faced. This is sabotage by an employee at a healthcare organization who decides to exploit the demand for personal health information. This may be because they are disgruntled, or it may simply occur out of spite. This is why it is important to make sure that employees have data access levels that are appropriate for their job duties. Data logs should be implemented in order to track anyone who has accessed the information.”
LeeAnn Schudel, Co-Founder www.compliant.io
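Two of the points above, third-party access that is never terminated when the business need ends (David Pignolet) and access levels matched to job duties with logs that track who touched PHI (LeeAnn Schudel), come down to the same review: compare each logged access against the identity roster and a role entitlement table. The script below is an added example, not code from any of the firms quoted; the roster, entitlement map and access log are constructed sample data, and the identity and resource names are hypothetical.

```python
from datetime import date

# Constructed sample roster of third-party identities: role and the date
# their business need ends (the "offboarding" date the text says is often missed).
ROSTER = {
    "j.doe":   {"role": "student",   "end": date(2021, 3, 31)},
    "a.kim":   {"role": "physician", "end": date(2022, 12, 31)},
    "bot-lab": {"role": "bot",       "end": date(2021, 6, 30)},
}

# Least-privilege entitlements: which PHI resources each role legitimately needs.
ENTITLEMENTS = {
    "student":   {"training-cases"},
    "physician": {"training-cases", "patient-records", "prescriptions"},
    "bot":       {"lab-results"},
}

# Constructed access log for a hypothetical PHI system: (date, user, resource).
ACCESS_LOG = [
    (date(2021, 3, 15), "j.doe",   "training-cases"),   # within role and engagement
    (date(2021, 4, 2),  "j.doe",   "patient-records"),  # after end date AND outside role
    (date(2021, 5, 10), "a.kim",   "patient-records"),  # physician, in scope
    (date(2021, 5, 11), "bot-lab", "patient-records"),  # bot reaching beyond its role
    (date(2021, 7, 1),  "bot-lab", "lab-results"),      # account still live after end date
    (date(2021, 5, 12), "ghost",   "prescriptions"),    # identity not on the roster at all
]

def review_access(log, roster, entitlements):
    """Return (user, resource, reason) findings for every access that outlives
    the identity's business need, exceeds its role, or comes from an identity
    the roster does not know about. Clean accesses produce no finding."""
    findings = []
    for when, user, resource in log:
        identity = roster.get(user)
        if identity is None:
            findings.append((user, resource, "unknown identity"))
            continue
        if when > identity["end"]:
            findings.append((user, resource, "access after engagement end"))
        if resource not in entitlements.get(identity["role"], set()):
            findings.append((user, resource, "outside role entitlement"))
    return findings

if __name__ == "__main__":
    for user, resource, reason in review_access(ACCESS_LOG, ROSTER, ENTITLEMENTS):
        print(f"{user:8} {resource:16} {reason}")
```

A real deployment would feed the roster from the HR or third-party identity system and the log from the EHR audit trail; the check itself does not change.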