Why Healthcare Cybersecurity Requires a Multi-Layer Approach
Healthcare organizations rely on connected devices for remote work, telehealth, and other initiatives to address staffing shortages. Cybercriminals scour healthcare networks looking for protected health information (PHI). PHI draws a high price on the black market and, unlike credit card data theft, can go undetected for years.
Patient Safety
Cyberattacks on healthcare systems pose unique risks because their consequences reach patients directly. Criminals can quickly sell patient medical and billing information for insurance fraud, ransomware can lock down lifesaving procedures, and internet-connected medical devices are vulnerable to tampering. The number of these devices has exploded over the past decade. The most critical consideration for healthcare cybersecurity is the integrity of patient data and the ability to respond quickly to attacks.

The healthcare industry must also create a culture that puts patient safety above all other priorities, from senior management to frontline staff. A culture that allows staff to report incidents without fear of retaliation or punishment is critical for an organization that wants to maintain its reputation as an ethical and responsible defender of patient data and health. A lack of security awareness among healthcare professionals can lead to breaches that put patient safety at risk.

The most common type of attack involves insider misuse, which can take many forms: malicious intent (theft of data for financial gain), curiosity (accessing data unrelated to a clinical workflow), and overriding security protocols out of convenience. Each of these can have serious consequences. The fluid environments of healthcare facilities also present a complex attack surface, including networks, cloud infrastructure, desktop and mobile endpoints, network-connected IoT devices, and BYOD usage.
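The insider-misuse forms listed above (access outside a treatment relationship, and overriding controls for convenience) are the kind of activity an EHR audit trail can surface. The script below is an added illustration, not code from the original article: it parses constructed audit records, compares each chart access against a constructed care-team table, and flags accesses with no treatment relationship, break-the-glass overrides, and malformed records that a reviewer should not silently skip. The log format, user names, patient ids and the care-team mapping are all assumptions for the example.

```python
"""Flag PHI accesses that fall outside a clinical workflow (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed EHR audit records in an assumed format:
# timestamp|user|action|patient_id|access_reason
# The final line is deliberately truncated to show how malformed records are handled.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:02:11|dr_okafor|VIEW_CHART|P1001|treatment
2024-03-04T08:05:40|nurse_lee|VIEW_CHART|P1001|treatment
2024-03-04T09:17:03|billing_ng|VIEW_BILLING|P1001|billing
2024-03-04T12:44:52|nurse_lee|VIEW_CHART|P2002|treatment
2024-03-04T13:01:19|dr_okafor|VIEW_CHART|P3003|break_glass
2024-03-04T13:02:00|tech_patel|EXPORT_CHART|P1001|treatment
2024-03-04T14:00:00|nurse_lee|VIEW_CHART
"""

# Constructed treatment relationships: the users on each patient's care team.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_okafor", "nurse_lee"},
    "P2002": {"dr_alvarez"},
    "P3003": {"dr_alvarez", "nurse_chen"},
}

# Constructed role exceptions: actions a user may perform without a treatment
# relationship (billing staff viewing billing data, for instance).
ROLE_ALLOWED_ACTIONS: Dict[str, Set[str]] = {
    "billing_ng": {"VIEW_BILLING"},
}


@dataclass
class Finding:
    timestamp: str
    user: str
    action: str
    patient_id: str
    reason_code: str  # NO_TREATMENT_RELATIONSHIP, BREAK_GLASS_OVERRIDE, MALFORMED_RECORD


def parse_record(line: str) -> List[str]:
    """Split one audit line into its five fields; raise on anything else."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"malformed audit record: {line!r}")
    return fields


def analyze(log_text: str,
            care_team: Dict[str, Set[str]],
            role_allowed: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per audit record that needs a privacy-officer review."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, user, action, patient, reason = parse_record(line)
        except ValueError:
            # A record the parser cannot read is itself a finding: a gap in the
            # audit trail must be investigated, not dropped.
            findings.append(Finding("?", "?", "?", "?", "MALFORMED_RECORD"))
            continue
        if reason == "break_glass":
            # Emergency overrides are legitimate but must always be reviewed.
            findings.append(Finding(ts, user, action, patient, "BREAK_GLASS_OVERRIDE"))
            continue
        if action in role_allowed.get(user, set()):
            continue  # permitted by role, no treatment relationship needed
        if user not in care_team.get(patient, set()):
            findings.append(Finding(ts, user, action, patient, "NO_TREATMENT_RELATIONSHIP"))
    return findings


def findings_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Count review items per user, so repeat offenders stand out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG, CARE_TEAM, ROLE_ALLOWED_ACTIONS):
        print(f"{f.reason_code:26} {f.timestamp} {f.user} {f.action} {f.patient_id}")
```

Run against the constructed log, the script flags the nurse viewing a chart of a patient outside her care team, the physician's break-the-glass access, the technician exporting a chart without a treatment relationship, and the truncated record; the billing view passes because it is covered by a role exception. In a real deployment the care-team table would come from the EHR's encounter or admission data, and the findings would feed a privacy-officer review queue rather than being printed.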
Business Continuity
Healthcare organizations must ensure their business can operate as expected if there is a cyberattack. A business continuity plan (BCP) includes the steps an organization will take to prevent a disruption to its operations, whether due to a cyberattack or another type of incident. A BCP also helps reduce the impact of a disruption on the business and the financial costs that may arise. Healthcare organizations should prioritize cybersecurity because of the significant risks they face, and must maintain a robust and comprehensive cybersecurity posture to protect sensitive information at rest and in transit. Encryption is a simple, effective measure toward this goal: it helps prevent data breaches and meets compliance and regulatory requirements. A healthcare organization's security needs are compounded by its reliance on legacy systems with limited security controls. This, combined with a lack of cybersecurity awareness and culture among healthcare employees, makes the sector vulnerable to attacks. Cybercriminals have adapted to the COVID-19 pandemic and are targeting healthcare organizations with increased sophistication. This includes attacks on call centers that support remote work, schools running virtual education, hospitals, and the broader healthcare supply chain.
Vendor Management
As healthcare becomes increasingly technologically connected, the risk of theft increases for medical devices and consumer data. Hackers can access systems by exploiting vulnerabilities in third-party vendors. Cybercriminals can steal and expose sensitive patient information through malware, ransomware, or the exploitation of third-party services such as email, IoT video cameras, and handheld devices like mobile phones. Moreover, legacy systems are more vulnerable to cyberattacks because they typically no longer receive security patches and updates. This lack of support also gives cybercriminals a backdoor into the system, so hospitals must have robust cybersecurity programs to protect against such attacks. Hospital C-suite executives and other senior leaders must understand that cybersecurity is not just an IT issue falling under the domain of their IT departments. Instead, it is an enterprise issue that must be incorporated into the existing enterprise risk management, governance, and business continuity framework. To help with this, healthcare organizations should establish a tiering process for third-party assessment and prioritization. For example, top-tier and high-risk vendors must demonstrate that they can safeguard patient safety. They should be able to comply with the CISO's requirements, including those related to HIPAA, and they should be able to respond quickly in the event of a breach and restore service as soon as possible.
Risk Assessment
Healthcare technology and digitization benefit patients, providers, and hospitals. These benefits include reduced paperwork, automated tasks, and easier communication among doctors caring for the same patient. However, increased connectivity also introduces new attack vectors. These include cloud infrastructure, desktop and mobile endpoints, and network-connected IoT devices such as security cameras and handheld medical devices that track vital signs and transmit data in real time. A cybersecurity capability that can withstand threats is essential to healthcare organizations of all sizes. While large healthcare providers have the resources to staff a chief information security officer and pay for the best threat intelligence services, smaller hospitals and health systems are just as vulnerable to cyberattacks. Malware, phishing attacks, insider threats, stolen credentials, and hacked IoT devices are some of the top concerns for healthcare cybersecurity professionals. Many cybersecurity professionals believe it is a matter of when, not if, a healthcare organization will experience a breach. As such, cybersecurity training is a must to ensure that employees understand the organization's privacy and security policies, how to recognize a potential threat, and what to do if they encounter one. It is also essential to regularly update the software on all connected machines so that vulnerabilities can be patched as soon as they emerge. The most effective way to reduce cyberattacks is to build a culture of cybersecurity in the workplace.