[Reprinted from MedCity News]
It is time for medical organizations to re-assess the potential consequences of complacency, and equip their security teams with the resources they need to keep their staff, and ultimately their patients safe.
In 2019 experts red-flagged previously unforeseen levels of attacks on healthcare providers, with the US Department of Health and Human Services investigating more than 300 cases in 2019. Almost 32 million patients’ records were breached in the first half of the year alone, more than double the records breached in all of 2018.
As a cybersecurity provider already working closely with many US-based leading healthcare providers, I have a clear understanding of the unique cybersecurity challenges facing these types of organizations. Experience has shown me that despite being packed to the brim with emerging technologies, in hospitals the weakest links remain human, rather than digital.
So, with that in mind, let’s delve into some reasons why healthcare providers have been losing the cybersecurity battle, and why existing defense systems are still leaving hospitals, their staff, and their users at risk:
Why are healthcare providers being targeted more than other organizations?
In the same way, as experienced robbers tend to target banks, rather than newspaper stands, cybercriminals are on the lookout for ‘big ticket’ targets, which can offer the most value.
Medical providers handle enormous amounts of high-value data daily. Healthcare has the highest cost per breach for any industry, with each breach costing nearly $6.5 million on average, according to IBM’s annual Cost of a Data Breach Report.
From social security numbers, insurance information, addresses, to more personal information like health conditions, hospitals patients visit and medicines they take, data stored on healthcare systems is detailed in nature, offering hackers a wealth of information which can be used for further attacks on medical users via social engineering. As such, individual medical records can sell for as high as $1000 on the dark web.
Which organizations are most at risk of cyberattacks?
It would be easy to assume that hackers would only target ‘big ticket’ larger organizations, but this is not necessarily the case. While large medical organizations hold the most amount of data, they also have larger cybersecurity budgets, and are generally part of hospital networks, meaning they share cybersecurity best practices, and closed intranets with other hospitals in the area.
Smaller enterprises may have less user data, but they also have lower security budgets and less complex and up-to-date cybersecurity solutions. This makes them easier targets and increases the risk of them being used as a launchpad for backdoor-access to hacking larger institutions, which they communicate with on a regular basis.
However, from a cybersecurity perspective, the more ‘moving parts’ (staff, devices, users) in an organization, the most risk of attacks. While hospitals may seem technologically advanced, they remain ultimately a human business. Few organizations manage such high levels of staff coming and going and so many users on a 24/7 basis 365 days per year.
Understanding the human element
Healthcare staff is notoriously overworked, making it risky to place the weight of defending systems onto their shoulders. Almost 90% of the data breaches against healthcare providers are caused by human error. A constant sense of urgency and the need to deal with multiple patients at the same time increases the risk of basic security measures — such as password hygiene and screening emails and attachments for phishing risks — being overlooked.
While many hospitals use restricted intranet systems, staff still have access to email, leaving a massive hole in defenses considering 99% of attacks rely on the user clicking on a malicious link. To do their jobs effectively, medical staff need to communicate with other practitioners, as well as with external organizations like insurance companies. This requires sending emails, and sharing attachments containing medical records, insurance information, or prescriptions regularly.
Despite phishing attacks being the most common attack on hospitals, multiple surveys flag a lack of understanding of basic cybersecurity measures amongst hospital staff. And even when training is offered using educational tools such as KnowBe4 and Cofense, this goes out the window when an employee is on their fourth 12-hour shift, and under intense pressure to save people’s lives.
What’s the answer?
Hire more security experts
As security risks and medical staff workloads increase, it is more important than ever for medical providers to hire CISOs. These professionals play an invaluable role in demonstrating the gravity of risks to leadership and ensuring that adequate budgets are assigned for training, buying security solutions, and hiring IT technicians.
Recent studies show as many as 60% of medical organizations have no CISO, and as a result, most healthcare organizations still spend less than 3% of their total IT budgets on data security.
This leaves professionals charged with security, with the unenviable task of protecting entire hardware networks from attacks. Device security is critical to minimize healthcare cybersecurity risks — 78% of devices in the medical field are unsecured –and if just one device becomes compromised, it can open up the whole network up to data breaches and hacks.
More efficient hiring will allow CISOs to impart the right type of training to staff, focusing on small, actionable measures that compliment the realities of employees’ work roles.
Focus on the most ‘actionable’ staff training
Staff need access to devices to help make the right medical choices, but hospitals need to find a way to enforce basic security measures, such as password hygiene. This could involve sending weekly reminders to staff via email to change passwords and prohibiting the use of personal devices for work communications.
Enforcing mandatory multifactor authentication (MFA) measures can reduce the risk of phishing attacks. However, it is important to note that the FBI recently flagged attacks surpassing MFA.
Using Single Sign-On (SSO) solutions means authorized users can access multiple applications using just one single set of login information – keeping their working routines quick and simple, without compromising security.
Solutions like SSO and RBA offer effective protection against potential attacks without disrupting employees’ work. However, the emerging sphere of Biometric logins may offer the most promise for success, allowing staff to log into devices with the touch of a finger, or scan of an eye.
Take advantage of emerging AI technology
Ultimately, medical providers need to harness technology which automatically shuts down attacks, thus reducing the risk of human error. Advances in NLP, machine learning and machine vision artificial intelligence offers the chance for hospitals to detect, flag, and ultimately block any potential breaches via malware, or phishing, the most common attack tactics.
However, it is important that medical CISOs roll out the right solutions, both in terms of software and hardware. After all, there is little sense in devoting large budgets to protecting hospitals’ online systems, if thousands of endpoints on infrastructure are left undefended.
2020 is going to be a challenging year for healthcare CISOs. As medical providers become more advanced technologically, so do the hackers targeting them. It is time for medical organizations to re-assess the potential consequences of complacency, and equip their security teams with the resources they need to keep their staff, and ultimately their patients safe.