Health Care Cries for Concrete Cybersecurity
There are many protection and awareness strategies, but there's a first line of defense.
February 28, 2019
The health-care industry has a rather large target on its back. It is a beautiful mark for cybercriminals, who see it as a gold mine chock full of patient information just waiting, begging to be prospected (hacked) and sold (black market). This is heaven for malicious hackers.
Bad actors are all too aware that they can make a fortune from successfully infiltrating a health-care organization. Unfortunately, such businesses make it all too easy for them. Data breaches cost the U.S. health-care industry an estimated $6.2 billion each year, according to the Ponemon Institute.
A State of Privacy and Security Awareness Report, conducted last March, surveyed more than 1,000 medical professionals to shed light on the cybersecurity awareness of health-care sector employees. The key findings are shocking, revealing just how dire things are, and how ill-prepared the health-care industry is to protect itself against the cybercriminals eagerly waiting in the wings (in dimly-lit rooms, evilly steepling their fingers in anticipation — probably).
This throws into rather sharp relief how badly health-care organizations need MSP services. To further highlight this, here are a few key insights from the aforementioned survey, as reported by Continuum:
Twenty-four percent of physicians and other types of direct health-care providers showed a lack of awareness toward phishing emails, compared to 8 percent of their non-medical field counterparts.
One-half (50 percent) of physicians scored in the “risk” category, which means their actions make their organizations susceptible to a serious security incident.
Nearly one in four (24 percent) physicians couldn’t identify the common signs of malware, compared to 12 percent of the respondents in the general population survey.
Only 18 percent of health-care workers were able to identify phishing emails. They were presented with an email from a suspicious sender that contained an attachment, and nearly nine in 10 (88 percent) opened it. Doctors were three times worse at identifying phishing emails than their non-physician counterparts.
Another one in four (23 percent) respondents failed to identify common signs of a malware-infected computer. For example, they did not recognize that their internet browser repeatedly sending them to the same site, regardless of the URL they entered, is a very strong sign of malware.
Almost one in five (18 percent) chose risky actions when presented with scenarios involving storing or sharing patient data. Many respondents thought it was acceptable to share patient data over personal emails or through insecure, cloud-based platforms.
See? This is not good. These are just a few examples of the widespread problem. A recent incident highlights the types of sensitive and valuable information malicious hackers usually go after.
NH-ISAC’s Denise Anderson
The Independence Blue Cross (IBC) faced a tough one last year. On Sept. 17, IBC experienced a large data breach, affecting more than 17,000 customers. The breach leaked customers’ names, dates of birth, provider information, diagnosis codes and other highly sensitive data that could be used to steal patients’ identities.
Back in 2016, the Hollywood Presbyterian Medical Center was forced to pay $17,000 in bitcoin as ransom to a cyberthug who had hacked into and seized control of its computer systems.
“They paid the ransom and they were public about it,” said Denise Anderson, president of the U.S. National Health Information Sharing and Analysis Center.
Unfortunately, this instance called attention to this type of hacking and boosted ransomware in health care.
Everyone. Everyone is a target. Large or small, big hospitals, smaller practices — bad actors don’t discriminate. It’s abundantly clear that there are massive gaps in terms of proper defense in health care, with a large percentage of organizations not properly armed to defend themselves against cyberthreats. Cybercriminals are all too eager to take advantage of this.
This of course has serious implications for patient information, but it also means financial and reputational damages, loss of patient trust and legal issues (hello HIPAA).
If you’re an MSP servicing the health-care vertical, the first step needs to be education. And then more education. And then more of it. Health-care sector employees have the ability to be the first layer of defense against cyberthreats, but they need security awareness training that includes both security and privacy awareness.
As we see with the stats above, a lot of breaches happen because of employee error — simple mistakes that can wreak havoc with the stroke of a keyboard button. With the right education and information, health-care employees can be properly armed to protect their medical practices and patients. The consequences are too great not to be.