Cybersecurity in Healthcare: 11 Steps the Industry Must Take to Improve Security

    

Cybersecurity in Healthcare to protect medical records

Imagine your patient data being held hostage by hackers. Healthcare data breaches are a very real concern.The U.K.’s healthcare industry recently suffered one of the largest cyber breaches ever.

WannaCry, a fast-moving global ransomware attack shut the NHS systems down for several hours.Healthcare institutions all over the country were unable to access patient records or schedule procedures. Appointments were postponed, and operations got canceled while experts worked to resolve the issue.

Although the attack impacted other companies and industries as well, the poorly defended healthcare system took a larger hit. It was just one of the incidents that showed the extent to which healthcare institutions are vulnerable to cyber threats.

Healthcare Cybersecurity - $3.62 Million Per Breach

Cybersecurity risks keep hospital IT teams up at night, especially since attacks on medical providers are expected to increase in 2018.

This trend might be related to the fact that healthcare institutions are moving towards easier sharing of electronic records. That and a potentially nice payoff for patient information or financial records make healthcare a hot target for hackers.

For medical centers themselves, hacks can be costly. The average data breach costs a company $3.62 Million. This includes stolen funds, days spent investigating and repairing, as well as paying any fines or ransoms. Attacks can also result in a loss of records and patient information, let alone long-lasting damage to the institution’s reputation.

As much as hospitals and medical centers try to protect patient privacy, security vulnerabilities come from all sides.

Healthcare organizations want to send patient info to colleagues for quick consultations. Technicians pull and store sensitive data easily from electronic equipment. Patients email or text their doctor directly without going through receptionists, while admins often send a patient record to insurance companies or pharmacies.

So the industry finds itself in a perilous position of trying to use more digital tools to improve the patient experience while following legal requirement to safeguard privacy. No wonder IT teams continuously wonder which hospital will be hacked next.

The truth is that healthcare institutions are under a great threat. Those looking to improve security should start with steps outlined below.

11 Tips To Improve Your Healthcare Security Immediately

Malware security best practices for healthcare providers

1. Consider threat entry points

An entry point is a generic term for a vulnerability in your system that can be easily penetrated by hackers. By exploiting this vulnerability, hackers can deploy a virus to slow your network, access critical health information, or remove defenses to make your system more accessible in the future.

Malware can be introduced from any vulnerable spot in your network or operating system.

An employee can unknowingly click a file, be sloppy with passwords, download unauthorized software, or load a contaminated thumb drive. Moreover, medical software and web applications used for storing patient data were found to contain numerous vulnerabilities. Kaspersky Security Bulletin found open access to about 1500 devices that healthcare professionals use to process patient images. 

2. Learn about ransomware attacks

Ransomware is a specific type of malware which threatens to lock one computer or an entire network unless a certain amount of money is paid. 

The ransom is not necessarily an impossibly high figure either. Even demanding a few hundred dollars from a business could still be easy money for a hacker, and more manageable for individuals or companies to come up with to get their computers back.

3. Create a ransomware policy

One disabled computer does not necessarily bring much damage. However, the risk of not being able to access larger sectors where electronic records reside could be disruptive, even dangerous to patient treatment.

When such an incident happens, employees must immediately contact someone on their healthcare IT team. This should be part of their security training and the overall security awareness. They must follow healthcare organization procedures when they see a ransomware message, instead of trying to resolve the matter themselves.

Authorities warn against paying ransomware culprits since there’s no guarantee a key will be given. Criminals may also re-target companies that paid them in the past.

Many companies solve ransomware attacks by calling the police and then wiping the affected computer and restoring it to a previous state.

Cloud data backups can make it easy to restore systems in the events of an attack. Disaster recovery planning should be done before at attack occurs.

Employee Roles in Security in Healthcare

People in Cybersecurity

4. Focus on Employee Security training

Cybersecurity professionals employ robust firewalls and other defenses, but the human factor remains a weak link as was displayed in the WannaCry exploit.

To minimize human error, system admins need to constantly remind all staff about risky behavior. This can include anything from downloading unauthorized software and creating weak passwords to visiting malicious websites or using infected devices.

Educate employees on how to recognize legitimate and suspicious emails, threats,  and sites so they can avoid phishing attempts. (Unusual colors in logos or different vocabulary are both warning signs). Training should be refreshed regularly or customized for different employee groups.

5. Create or expand security Measure  risk levels

Different employee groups should be provided different network privileges.

At a hospital, nurses may need to share info with other staff in their unit, but there’s no reason for other departments to see this. Visiting doctors may receive access to only their patient’s info. Security settings should monitor for unauthorized access or access attempts at every level.

Chris Leffel from Digital Guardian suggests training/education first, followed by restricting certain apps, areas and patient healthcare data. He also recommends requiring multi-factor authentication for specific areas, which is an additional layer of protection. 

6. Healthcare Industry Cybersecurity Should Go beyond employee access

Patient concerns about sensitive data security and IT in health care should be kept in mind when creating safer, stronger systems, or improving cybersecurity frameworks after a hospital was hacked.

Patients are often already nervous and don’t want to worry about data security. Likewise, system administrators should also make sure that threat intelligence funding remains a priority, which means continuing to invest in security initiatives.

Publicizing you have taken extra steps in your patient security efforts will drive more security-conscious patients your way. Patients care.

Hardware and Cloud Security Concerns for Healthcare Organizations

Hardware security from healthcare ransomware

7. Protect Health Data on  'smart’ equipment

Desktops, laptops, mobile phones, and all medical devices, especially those connected to networks, should be monitored and have anti-virus protection, firewalls or related defenses.

Today’s medical centers also possess other connected electronic equipment such as medical devices like IV pumps or insulin monitors that remotely sync patient information directly to a doctor’s tablet or a nurse’s station. Many of these interconnected devices potentially could be hacked, disrupted or disabled, which could dramatically impact patient care.

8. Consder cloud migration FOr Your Data

The cloud offers a secure and flexible solution for healthcare data storage and backup. It also provides a possibility to scale resources on demand, which can bring significant improvements in the way healthcare organizations manage their data.

Cloud-based backup and disaster recovery solutions ensure that patient records remain available even in case of a breach or downtime. Combined with the option to control access to data, these solutions can provide the needed level of security.

With the cloud, a healthcare organization does not have to invest a lot in critical infrastructure for data storage. Cloud allows for significant IT cost cuts, as no hardware investments are needed. It also brings about a new level of flexibility as an institution's data storage needs change. 

9. Ensure vendors Are Compliant

The Healthcare Industry Cybersecurity Task Force, established by the U.S. Department of Health and Human Services and Department of Homeland Security, warned providers of areas of vulnerability in the supply chain. One of their requirements is for vendors to take proper steps to monitor and detect threats, as well as to limit the access to their systems. 

Insurance companies, infrastructure providers, and any other healthcare business partners must have spotless security records to be able to protect medical information. This is especially important for organizations that outsource IT personnel from third-party vendors.

Bring in Experts on Health Care Security

Experts on medical device cybersecurity and patient data protection

10. How HIPAA Compliance can help

Larger healthcare organizations have at least one person dedicated to ensuring HIPAA compliance. Their primary role is creating and enforcing security protocols, as well as developing a comprehensive privacy policy that follows HIPAA recommendations. 

Educating employees on HIPAA regulations can contribute to creating a security culture. It also helps to assemble specific HIPAA teams, who can also share suggestions how to restrict healthcare data or further cyber defenses in the organization.  

HIPAA compliance is an essential standard to follow when handling healthcare data or working with healthcare institutions. Its impact on the overall improvement of medical data safety is significant, and this is why everyone in healthcare should be aware of it. 

11. Push top-down cybersecurity ProGram

Every medical facility likely has a security staff and an IT team, but they rarely overlap. Adding healthcare cybersecurity duties at a managerial level, even as an executive position, can bring multiple benefits.

It can make sure correct initiatives are created, launched, and enforced, as well as that funding for security initiatives is available. With cyber security threats, being proactive is key to ensuring safety long term. Regular risk assessments should be part of any healthcare provider's threat management program.

In Closing, The Health Care Industry Will Continue to Be Vulnerable

Healthcare facilities are often poorly equipped to defend their network activities and secure medical records. However, being proactive and aware of ever-changing cybersecurity risks can help change the setting for better. 

Of course, education alone won't help much without battle-ready infrastructure. With the assistance of healthcare industry cybersecurity experts like phoenixNAP, your healthcare organization can ensure security on multiple levels.

From backup and disaster recovery solutions to assistance creating or expanding a secure presence, our service portfolio is built for maximum security.

Do not let a disaster like WannaCry happen to your company. Start building your health data threat management program today.

PhoenixNAP Security Solutions - Contact
Share      

Categories: Security