Cybersecurity in Healthcare: Where Data is King
Amid the uncertainty and panic of the COVID-19 pandemic, healthcare services are under greater pressure than ever before. Stretched resources, busy staff, and new challenges create vulnerabilities in both physical and technological functionality.
When vulnerabilities inevitably arise, cybercriminals are ready to exploit and abuse them. A cyberattack can impact any service's financial and functional abilities. When that service provides medical care for the sick, the implications are far greater.
The pandemic has brought out the best in many people. Communities have come together to drop off food parcels to the vulnerable, retired doctors and nurses have rejoined frontline health services, and citizens have accepted serious restrictions on their day-to-day lives to reduce the spread of a deadly virus.
In any crisis, however, a minority of people show their worst sides, none more so than the cybercriminal who, with incomprehensible morality, attacks the critically ill and those trying to care for them.
Cybercriminals are now focusing attacks on the vulnerable, overburdened healthcare system.
Disrupting the flow of essential data and health technology does more than just slow a business; it can delay or interrupt life-saving treatments.
Withholding essential data and technology in such a time-sensitive and emotive environment can almost guarantee that the victims will be willing to pay significant sums of money to get their services back.
Health and Medical Data Breaches
In today’s world, data is power. The records held by healthcare providers are a particularly rich source of personal information. The healthcare industry relies on easy access to incredibly sensitive data.
Most hospitals require their patients to wear personal information and barcodes on wristbands to prevent medication or treatment administration errors.
Healthcare professionals need to be able to access medical information with ease. That data has to be able to pass from one relevant service to another seamlessly and be accessible in a timely, mobile way.
Transfer of medical records means transmitting:
● Basic identifying information such as name, date of birth, home address, next of kin details, and so on.
● Sensitive social information including ethnicity, religion, and sexual orientation.
● Alerts where the patient has previously posed a threat, i.e., patients who have been known to carry concealed weapons or who have been violent towards staff.
● Medical history, which can be incredibly sensitive in nature. Items in a person’s medical record could even make the individual a target for hate crimes or issues in the workplace.
Beaumont Health, Michigan’s largest healthcare provider, has been struck by two phishing attacks resulting in significant data breaches over the last year. The media reports successful attempts at cybercrime because it is more difficult to quantify the number of cyberattacks that were unsuccessful.
It is essential that this data be available where necessary, which poses specific issues for those responsible for preventing data theft or accidental exposure while maintaining ease of access for hospital staff.
The threat and the need for protection are incredibly real; a shocking 40 million people in the United States were affected by a breach of healthcare data in 2019.
Who Is Responsible for Cybersecurity in Healthcare Services?
In an ideal world, every healthcare service provider would have a dedicated, in-house cybersecurity division within their IT department. However, healthcare providers are many and varied, and medical records are available even to allied services of small size and smaller means.
Outsourcing to trusted, professional cybersecurity teams is essential for smaller enterprises that deal with sensitive information.
It proves that all possible steps are taken to maintain records in a safe and secure fashion. This is one of the key responsibilities under HIPAA guidance. However, the maintenance of secure systems, a timely and robust plan for backup and roll-out of compromised systems and data, and a responsive approach to an ever-changing threat landscape are the bare minimum requirements.
The answer to the question of ultimate responsibility for cybersecurity is simple: it’s everyone. CISA guidance provides insight on the need for an educated and prepared workforce. Luckily, it doesn’t require a hefty investment of time and money to become a cybersecurity professional.
Securing the Chain
A vulnerability can fall anywhere within the chain of access to any IT service. Around three-quarters of cybersecurity breaches occur because of some human action or omission. Every employee in any healthcare enterprise has an email account, a login and password, and at least some level of network access. Not all the staff in a large organization need to be tech-savvy; at least some of the people with access to local networks will almost never use computers.
An effective cybersecurity program in an organization must account for the potential actions or omissions of people with no interest in or understanding of computing.
So then, how can every worker be aware of their role in cybersecurity? The answer is education.
Robust Cybersecurity Education for a Security-Alert Workforce
Anyone with potential access to workplace computers and networks should have pre-employment cybersecurity awareness training and regular refresher courses.
Unfortunately, even given the undue pressures on frontline staff during this global health crisis, the burden of cybersecurity falls on everyone. It only takes one person to click that link, expose that password, or send that unsecured data.
Regular, up-to-date training ensures that everyone knows what threats to look for and what to do about them. Good training means that cybersecurity becomes second nature. Cybersecurity training, along with targeted cybersecurity awareness events, is key.
We may not know what challenges healthcare workers will face in the coming weeks, months, and years. What we can do is give them the tools they need to ensure the safety and privacy of the organization.
During Cybersecurity Awareness Month, in partnership with the Cybersecurity & Infrastructure Security Agency and the National Cyber Security Alliance, we’re encouraging everyone to “Do Your Part.”
Whether that is educating yourself and your staff on the importance of securing your personal information or exploring cybersecurity resources to combat cybercriminals, there is always a way to #BeCyberSmart.