With more than 2,000 breaches affecting healthcare providers between 2010 and 2017, it’s clear that attackers are targeting the healthcare industry. Cybercriminals are launching more frequent and more sophisticated attacks in an effort to steal the valuable information stored by hospitals, clinics and doctors’ offices.
The fallout of these breaches is getting worse due to the breadth of the attacks and the strict compliance regulations. Health insurer Anthem had to pay a $16 million fine for a breach that exposed 78 million records. This record-breaking HIPAA fine illustrates the need to make cybersecurity a priority.
Healthcare providers need to make cybersecurity a top priority
In 2018, more than 500 separate incidents exposed over 15 million patients’ records. Patient records contain data that can be used for identity theft, a crime that is seeing an unprecedented rise, with 16.7 million cases in 2017. Healthcare providers have lagged behind corporations and other industries in terms of cybersecurity infrastructure and are seen as easy targets.
Currently, only 20 percent of providers feel confident about their ability to recover from a breach. Risks will keep increasing as attacks become even more frequent and sophisticated, and as healthcare providers adopt new tech platforms such as telehealth services and connected devices.
The importance of an effective training and awareness program
Even though the sophistication of cyber attacks is increasing, security breaches are still usually the result of human error. Education and training are often overlooked in healthcare settings, which results in complacency and unintentional breaches.
Phishing e-mails and spoofed websites are common tactics used by cybercriminals to obtain valuable data. Employees need to learn how to recognize these phishing attempts, since they are likely to encounter them regularly.
Cybersecurity awareness training makes employees less likely to fall for social-engineering scams or phishing attacks. It also contributes to developing a culture where cybersecurity is a priority and where employees are aware of security and compliance risks.
How can healthcare providers improve cybersecurity?
Healthcare providers need to develop a cybersecurity plan adapted to their unique challenges and risks. Here are some strategies to consider:
- An audit or security assessment will help organizations identify current cybersecurity gaps.
- Healthcare providers can benefit from expanding their current IT teams. Hiring of senior information security leaders rose 14 percent between 2018 and 2019.
- Roles and responsibilities need to be clearly defined if there is more than one IT leader.
- It’s crucial to develop a close relationship with vendors and understand how they manage cybersecurity risks.
- Healthcare providers can assess awareness and readiness by conducting regular phishing simulations.
- Mobile devices are becoming a common tool in many healthcare workflows. The data stored on these devices needs to be encrypted.
- Employees should adopt strong passwords and change them regularly. Adopting two-factor authentication is another strategy to look into.
- End-of-life or vulnerable software represents a significant risk. Healthcare providers need to choose vendors who update their products regularly.
- Access to data should be tiered so that only employees who need sensitive data are permitted to access it (least privilege). Permissions should be reviewed regularly.
- It’s important to control physical access to devices.
- Healthcare providers need to adopt a secure backup solution for their records in case of a ransomware attack.
- The cybersecurity strategy should include a detailed incident response plan.
- This strategy needs to be reviewed, re-assessed and improved on an ongoing basis.
The first step toward developing an effective cybersecurity strategy is to assess current risks. This is something Internet Contrasts can do. We specialize in identifying risks and developing and implementing solutions tailored to the needs of each organization.