Cybersecurity is more important in healthcare than in almost any other industry, especially since compliance with the Health Insurance Portability and Accountability Act (HIPAA) is a crucial concern of every healthcare provider.
Strengthening cybersecurity also prevents cyberattacks that can shut down operations. Multiple healthcare providers were forced to cancel surgeries and other services in 2021 because their systems, software, or networks were disabled.
Any breach puts sensitive information at risk and brings reputational damage, legal costs, the cost of paying a ransom to hackers, costly immediate and extensive remediation by an IT firm, and the cost of providing free credit monitoring to affected patients. Recently documented successful attacks have cost healthcare systems millions of dollars and damaged the trust of their patients.
As the use of the internet of things (IoT) expands in hospitals because of its tremendous productivity and quality-of-care benefits, hospital systems face an even more heightened risk.
The Most Important Concerns for Healthcare Providers
The reasons for cybersecurity constitute a very long list for any entity, whether a healthcare system, business, private company, or non-profit. Here are the top cybersecurity concerns for healthcare providers, the potential impacts, and how to practice prevention first.
A ransomware attack is one of the most damaging things that can happen to any healthcare provider. In such an attack, foreign-based hackers have been able to access critical systems to shut down operations or to steal and lock crucial data like patient records. They then threaten to withhold access, or to release the records, unless a substantial ransom is paid to them in a cryptocurrency like Bitcoin.
While ransoms were once in the tens of thousands of dollars, hackers now demand hundreds of thousands or millions of dollars to return access. Some providers pay the ransom to get back online; others call expert cybersecurity firms to try to resolve the issue. In either case, the compromised data is out there with no guarantee that the hackers won’t exploit or sell it.
The costs to providers in terms of lawsuits have often been multi-million dollar settlements.
Prevention is an absolute necessity and includes:
- Assessing data integrity
- Protecting data
- Reducing access points to the network
- Protecting critical systems
- 24/7 network monitoring
- Installation of all software updates
- Use of robust anti-virus/malware protection software
- Blocking access to nefarious websites by employees
Internal data compromise
Disgruntled employees exist no matter how well their employer treats them, and they are a potential threat to sensitive data. The result might be stolen patient records sold online or held back as an act of retribution.
The results include:
- A lack of patient trust
- Reputational damage in the community
- Protection costs for those impacted
The best way to protect data from unauthorized internal access is to evaluate what individual employees need access to and what they do not. Then ensure they may only access what they need for their jobs. Also, ensure all employees lock their computers when they walk away for a break, head to a meeting, or go to lunch.
Phishing is as simple as an employee clicking on a link or opening an attachment on a website or in a malicious email. That click installs malware on the computer, which then spreads throughout the network. The phishing email might also trick employees into providing sensitive or proprietary information.
The result of phishing may be stolen passwords or other information, or a full ransomware attack. In every case, the healthcare provider is exposed to:
- Data compromise
- Operational downtime
- Reputational costs
- Ransom payment
- Emergency IT support costs
- Legal costs
Protecting the organization from phishing comes down to employee training and blocking potentially malicious sites. Great virus protection software will catch online phishing attacks and stop them, but employees need training on how to recognize deceptive emails and report them immediately.
Too many healthcare providers rely on outdated systems or software that no longer receive manufacturer support. As a result, the software updates and patches that adapt these systems to newer security threats are no longer provided.
“The failure to move to updated and supported systems opens up backdoors for hackers to exploit,” says Hazim Gaber, mechanical engineer and CEO of ehZee Engineering corporation and HSM Global. “This can expose the hospital or healthcare provider to potential data theft, operational downtime, or a complete loss of access to critical systems.”
The consequences vary based on the severity of the attack and can range from some lost information to an entire data breach that comes with extensive costs.
Monitoring hardware and software inventories and ensuring their timely replacement are crucial. Additionally, take steps to protect information on the systems with proper hardware disposal.
Healthcare providers need a roadmap that is specific to their operations to prevent these and other threats. The goal is defense-in-depth, so if one control fails, another takes its place. Should a security event happen, a robust incident response plan must be in place.
The list of steps to take is extensive, and the use of an expert cybersecurity vendor is recommended. They will take a complete inventory of systems, understand network design, put a roadmap and protocols in place, monitor the network, and ensure industry standards are met or exceeded.
Proactive data and systems protection is one of the most essential healthcare considerations, and a comprehensive approach cannot begin soon enough.