The chronic issue of cybersecurity
By Suzanne Widup
Healthcare institutions large and small can be left black and blue by a cyberattack. Larger institutions have more patients and thus have more user health records that attackers can compromise. Smaller institutions, on the other hand, may not have the financial resources to protect themselves against an attack or respond to one when it occurs.
In the event of an incident or breach, repairing a security system can take a massive toll on a healthcare institution, costing time, money, and staffing support to remedy. This severely affects the number of patients seen for however long it takes to address and fix the damage, which in turn causes the institution’s finances and reputation to suffer.
Healthcare institutions are vulnerable cyber targets, with thousands of patient records to protect and a federal requirement to comply with HIPAA and HITECH. These institutions lack the staffing (and sometimes the awareness) to prevent personal health data from being accessed and held by threat actors. With the constant demand to see and treat patients, cybersecurity hasn’t always been a top priority for these institutions. But it should be.
The call is coming from inside…
According to Verizon’s 2019 Data Breach Investigations Report, for the second consecutive year, the majority of healthcare cybersecurity breaches in 2018 were attributed to internal (rather than external) threat actors—a skew unique to the healthcare industry. These internal threat actors are typically employees working within healthcare institutions (doctors, nurses, etc.). Though these employees are not always acting out of malice, the major concern here is that they have been granted access to systems to carry out their jobs; thus, they do not need to break into those systems to retrieve or expose classified information.
Across sectors, including the healthcare industry, misdelivery (sending data to the wrong recipient) is the most common error type that leads to data breaches. Typically, these errors involve mailing patient paperwork to the incorrect address, or issuing discharge papers or other private records to the wrong person.
The healthcare sector also suffers from the widespread problem of social attacks. Like many industries, healthcare institutions are under the constant threat of phishing emails that bait unsuspecting recipients to enter personal information, such as email credentials, onto fake sites. The stolen login information is then used to access the user’s cloud-based email account, thus compromising any patient data in the user’s inbox, outbox, or other folders.
Required to report
Unlike other sectors, the healthcare industry is required by law to report ransomware attacks as though they were confirmed breaches due to U.S. regulatory requirements. These attacks tend to make headlines as they disrupt an organization’s ability to carry out its primary function—patient care. While some organizations have resorted to paying the ransom demand, this is no guarantee that the criminals behind the attack will provide a valid key to restore an organization’s data—they may just take the money and run.
So how can healthcare institutions immunize themselves from cyberattacks and breaches? There is no magic pill, but there are precautions that industry leaders can put in place to better protect themselves against inside and outside threats.
Prescriptions for protecting your network
- Locate the problem areas: Practice good security hygiene by examining the current health of the network. Healthcare institution leaders and administrators should know where their major data stores are, limit necessary access for their employees and staff, and keep track of access attempts to pinpoint weak spots. Certain staff may not need complete access to files and records to perform their jobs, and practitioners can enact low-cost process controls to prevent miscellaneous errors that can erode the cybersecurity of an institution.
- Make it easier for employees to report issues: Minor errors like phishing can be infectious. Industry leaders should make it easy for their staff to report phishing when it occurs (regardless of whether the staff took the bait) so they can nip issues in the bud and prevent an influx of employees from potentially compromising the network. Leaders can incentivize the process by implementing reward-based motivations for employees to report incidents quickly, thereby limiting the people and information affected.
- Institute checks and checkups: Have a game plan that focuses on mitigating or preventing incidents and breaches, rather than nursing a security system back to health after an attack has occurred. Institutional leaders need to know which processes deliver, dispose of, or publish personal data and put up checks to ensure that a minor mistake made by an employee does not escalate into a breach. By enacting a plan and conducting regular checkups of mobile and network security, healthcare institution leaders will have a standard by which they can regularly measure the pulse of their performance.
As healthcare institutions become increasingly interconnected, leaders need a plan to address the state of mobile and network security before an attack occurs. Reframe cybersecurity as a matter of patient care: Medical devices can be hacked, a breach can cause a misdiagnosis, and personal health information stored on computers can be stolen. Not to mention, the downtime during a breach can put patients in critical danger.
Protect before you have to treat. Industry leaders must take all of the necessary measures to assess and stabilize their institutions’ cybersecurity and better thwart attacks—especially “from the inside.” By putting up safeguards for employees, including doctors and nurses, to protect themselves from accidentally compromising their network, these institutions can lessen or prevent the threat of an incident or breach.
Or you can always seek a second opinion.
Suzanne Widup, senior analyst at Verizon Enterprise Solutions, is a co-author of the Verizon Data Breach Investigations Report, and lead author for the Verizon PHI Data Breach Report. She spends quality time hunting for publicly disclosed data breaches for the VERIS Community Database (vcdb.org). She has 20 years of IT experience, including Unix system administration, information security engineering, and digital forensics in large enterprise environments. She holds a BS in computer information systems and an MS in information assurance. Widup is the author of Computer Forensics and Digital Investigation With EnCase Forensic v.7,published by McGraw-Hill.