There’s no denying it, your organization does amazing work everyday helping patients to meet their healthcare needs. The ability to help your patients is dependent on very sensitive data that comes into your hands everyday. If that data falls into the wrong hands or is wiped then there could be serious consequences for your practice. If you follow the news then you’re likely aware of how vulnerable the healthcare sector is to cyber attacks. However, the severity and context are not explored enough when each data breach that happens. Below you will find some of the causes of poor data security in the healthcare industry and the steps you can take to stay secure.
Data Breaches and Causes
Healthcare companies are among some of the most attacked and vulnerable sectors. The reasons are numerous, some of which are exclusive to the healthcare sector. In 2016, more than 25 million patient electronic health records were compromised in a series of attacks across the United States on healthcare organizations. For a short lived time cyber security experts and healthcare executive considered 2016 the worst year on record for cyber security incidents. That was until the summer of 2017 at least. It would seem that this year is very quickly shaping up to be another terrible year for healthcare’s cyber security standing. In 2017 alone, there have been some significant breaches, which have compromised over 10.5 million patient records already. The institutions with the most records compromised happened to be billing agencies or health insurance providers.
The breaches that happened in both 2016 and 2017 can be mainly be attributed to negligent and careless employees. This is what cyber security experts usually refer to as insider threats, which continues to be a thorn in the side for the healthcare industry. According to Cyber security Scorecard, one of the most trusted security ratings platform, healthcare ranks among the lowest (15 out of 18) in the social engineering category. Social engineering is the use of deception by hackers to trick people into giving away their credentials. With a low rating here, that means that staff in healthcare organizations are highly susceptible to even the most basic of social engineering tactics employed by hackers. This means that even if a healthcare organization has the latest and greatest security technology, it can be bypassed simply by tricking and impersonating hospital staff.
In February 2017, Protenus conducted a study of breaches that had occurred in the healthcare sector. In was revealed that about 58% of all breaches that had happened were the result of insider threats. The cause of the breach being an insider threat caused delay in discovery of the breach for up to five years for some organizations.
Are the issues of insider threats in the healthcare sector exclusive to hospitals and clinics? Of course not! However, the report from the Cyber security Scorecard present a harsh reality regarding how hospitals and clinics are in the crosshairs for cyber criminals. An amazing 96% of ransomware attacks throughout the entire healthcare industry have targeted and infected hospitals and clinics. Across the whole healthcare industry, over 75% were found to be infected with malware at some point. In context, over half of these attacks were the result of insiders.
Thankfully, there some measures that healthcare organizations can take to ensure they are safer by design. Most hackers take advantage of both poor security awareness in people, outdated systems, and poor security design.
Patient Security Culture
Healthcare facilities go to great lengths to protect their patients confidentiality, no facility would intentionally place their patients data at risk. This was especially true when patient data was recorded on paper and handled in an analog manner. However with the rapid push to electronic record keeping disrupted processes throughout the entire healthcare industry. Patient security is still important to staff, but the culture of security needs to reflect the technology that is currently employed in the organization.
When it comes to instilling security culture in an organization the challenge is in changing the perception of “it’ll never happen to me” which often leads into a false place of comfort. This is especially true if the person is more educated or have some IT skills in addition to their job. Developing a patient focused cyber culture is going to be a unique process for each organization. Despite this there are some general things you should follow when cultivating a security culture:
- Training and education should be engaging, continuous, and frequent.
- Supervisors, doctors, and hospital executive management must set a strong example and not exclude themselves from rules everyone else must follow.
- Accountability should be instilled into the core values and processes of the organization. Failure to adhere to security practices should be met with a graduated penalty system.
Every medical professional understands the importance of good body hygiene, this same concept of maintenance applies to a greater degree when it comes to your cyber infrastructure. What good hygiene in this case is policy enforcement, continuous configuration management, software maintenance, and operating system upgrades.
Cyber policy involves determining rules on the network and ensuring compliance with with government policy. This is especially true in the case of electronic health records and should extend through your clinic or hospital. Understand the minimum procedures for compliance and build around them for proper practice among all employees. Thankfully software such as Teramind offers not just data compliance but also can alert both an employee and the administrator. Software like this helps to ensure staff understands where they are failing in security and can track policy infractions. Policy and software are able to work hand in hand in many scenarios.
Configuration management involves uninstalling non-essential software, changing defaults on software, identifying “back doors” to your systems, and disabling all remote sharing and remote printing. This area will primarily involve IT and cyber security teams if you have any at your organization.
Your software and operating systems absolutely need to be up-to-date. Such upgrades should always be considered essential investments and activity. The costs of security usually increase the more out of date a system is. The famous WannaCry hack, which only stopped because of a rogue cyber security expert, was the result of the National Health Service using outdated and unsupported Windows XP. Many hackers who conduct dragnet attacks are successful because the organizations affected have out of date systems or software. Keep your software up to data and you will be able to reduce overall security costs and prevent attacks.
Insider Threat Detection
By now you understand most successful cyber attacks on hospitals and clinics are only successful because of your staff and maybe even yourself. All insiders, whether negligent or malicious, are a threat to healthcare institutions. Thankfully there is a growing wave of excellent machine learning based software that can help out. Software such as Teramind was developed to prevent insider threats, by this also allowed for a host of other applications, such as productivity analysis and remote worker management.
Insider threat prevention software would provide user behavioral analytics which establish a baseline behavior of a user and then notify you when there are deviations from the baseline. Machine learning is used to understand behavior shifts over time as well. With features such as intelligent session mining, administrators are able to gain insight into what an employee was viewing on screen. Insider threat detection doesn’t have to be an analog process, like the change from paperwork alone to digital plus paper; Teramind allows for a stronger relationship between technology and human administrators. The goal is prevention, which is what insider threat detection software aids in achieving.
Keep an eye out for more healthcare specific content from IT Security Central. Be sure to subscribe below for cyber security insights that can keep you safe.