Cybersecurity is a major challenge for all kinds of businesses, and it only seems to get more complicated. Hackers, scammers and other bad actors are constantly probing for weaknesses they can exploit. Healthcare organizations are particularly vulnerable. Not only do they face serious cybersecurity threats, but they also face substantial legal liability in the event of a breach or attack. Knowing how best to protect a healthcare organization from cybersecurity threats requires understanding the kinds of threats they face and what makes them more vulnerable than many other types of businesses.
Many healthcare organizations literally hold people’s lives in their hands. That places a high duty of care on them, but it is not their only burden. Healthcare organizations face cybersecurity threats because of the nature of their work, the legal regulations placed upon them, their own organizational structures and the financial strain brought on by the COVID-19 pandemic.
Patient data is subject to strict legal protections under statutes like the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Healthcare providers covered by HIPAA may face serious penalties for mishandling or failing to secure patients’ protected health information. Much of this information is quite valuable to hackers. As the world goes increasingly paperless, the duty to protect digital patient records remains the same as when they were all physical records in file folders.
Many healthcare organizations have multiple divisions or departments operating across numerous buildings or sites. Each location might have many computers and other electronic devices on a shared network. This offers almost countless points where hackers could gain access to a healthcare organization’s system. Many employees continue to work from home, which increases the number of vulnerabilities in healthcare organizations’ systems even further.
Few industries are less equipped to deal with downtime than healthcare. A retail business could cease operations for a brief period to deal with a cyberattack, and the worst that would probably happen would be that the business loses revenue. A healthcare organization like a hospital cannot suspend operations, or people might lose their lives.
The COVID-19 pandemic placed a tremendous strain on the nation’s healthcare system. Many organizations are still feeling financial strain because of the pandemic, inflation and other recent events. Organizations that cut the budgets for IT or cybersecurity will have a harder time preparing for or protecting themselves from threats.
Attackers could also gain access to an organization’s network by bribing an unhappy or desperate employee. All it could take is the promise of more money than the healthcare organization pays.
Healthcare organizations can face the same types of cybersecurity threats as any other business. Certain risks, however, might be particularly pronounced for the healthcare industry.
Healthcare providers are entrusted with a literal wealth of patient data. In addition to private information about patients’ medical diagnoses and treatment, they usually have personally identifiable information like names, dates of birth, Social Security numbers, driver’s license numbers and credit card numbers.
HIPAA requires covered healthcare providers to report data breaches to the U.S. Department of Health and Human Services, which maintains a public list of breaches that affect at least 500 people. A robust cybersecurity strategy can help keep a healthcare organization’s name off the “wall of shame.”
A ransomware attack involves malware that encrypts the data on a computer or otherwise renders a system unusable. An attacker can deliver the malware by a variety of means. Once it is in place, the attacker typically demands money in exchange for the decryption key. A business may decide to pay rather than incur the cost of downtime. As mentioned above, healthcare organizations cannot endure downtime of almost any length.
What can healthcare organizations do to prepare for or prevent cybersecurity attacks? The following list offers a few suggestions.
The healthcare industry has unique legal and practical requirements when it comes to cybersecurity. Many organizations would benefit from a risk assessment by a third-party contractor that specializes in this industry, especially those that do not have internal IT or cybersecurity departments. Having a new set of eyes take a look at your organization can help identify potential vulnerabilities and strategies for protecting yourself.
Secure information systems need more than just passwords to control access. Multifactor authentication requires users to present more than one form of proof of identity, such as a password combined with a one-time code or a hardware token, in order to log in to a system. Most healthcare organizations already use multifactor authentication to some extent, but they could make better use of it.
The larger an organization, the less likely its IT staff knows exactly how many devices are connected to its network. A thorough inventory of all devices, users and potential access points is an essential first step in analyzing an organization’s vulnerabilities.
Every organization needs a plan for how it will respond to the most likely cyberattacks. Ideally, it will also plan for attacks that are merely possible. What tools are in place for detecting possible attacks? If a breach occurs, can the organization isolate a compromised device or system without bringing the whole network down?
Recovery Planning
Organizations should also plan for what happens if they fail to prevent or contain a cyberattack. Do they keep backups of key data? How quickly can they access those backups? How long would restoring from them interrupt operations?
To learn more about how Freed Maxick can help, fill out the form below.