Cyber attacks impede a healthcare organization’s ability to provide care to patients. They are time-consuming and costly: the costs include downtime, productivity loss, business process disruption, forensic investigation, remediation, data loss, recovery of affected data and devices, reputational damage, and additional employee training. The best way to combat a cyber attack is to prevent it by analyzing threats and creating a cyber security program that protects both your healthcare organization and your patients.
Healthcare cyber security concerns
HIPAA fines mean that the monetary repercussions of healthcare attacks and breaches are far more significant than in other industries. Unfortunately, the healthcare industry is one of the top cyber attack victims. Electronic health records and other digital tools are convenient, but with a value of up to $1000 per record, they put a target on the healthcare industry. With sensitive personal information stored and transmitted electronically, combined with a propensity for employee error, healthcare organizations are a gold mine for cyber criminals. In a recent study of 1,138 breaches that occurred between 2009 and 2017, 53% originated internally. Four out of five US physicians have experienced some form of cyber security attack. The US healthcare industry accounted for 37% of all ransomware attacks in Q3 2018. Ransomware attacks are predicted to quadruple by 2020. Despite all this, healthcare cyber security doesn’t have to be hard.
Top threats
Identifying threats is a key step in defending against them. According to the Department of Health & Human Services’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients publication, there are five immediate threats in the healthcare industry:
VULNERABILITIES
Lack of awareness training • Lack of IT resources for managing suspicious emails • Lack of software scanning emails for malicious content or bad links • Lack of email detection software testing for malicious content • Lack of email sender and domain validation tools
IMPACT
Loss of reputation in the community (referrals dry up, patients leave the practice) • Stolen access credentials used for access to sensitive data • Erosion of trust or brand reputation • Potential negative impact to the ability to provide timely and quality patient care • Patient safety concerns
PRACTICES TO CONSIDER
Be suspicious of e-mails from unknown senders • Train staff to recognize suspicious emails and to know where to forward them • Never open attachments from unknown senders • Implement advanced technologies for detecting and testing e-mail for malicious content or links
Credit: Department of Health & Human Services’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
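The "email sender and domain validation tools" named above usually mean SPF, DKIM and DMARC checks performed at the mail gateway. The following is an added example, not code from the HHS publication or from ADKtechs, showing how a mail filter can read the Authentication-Results header (RFC 8601) that a gateway stamps on each message and decide whether to deliver or quarantine it. The two messages, the domains ending in `.test`, and the policy rules in `classify` are constructed for illustration; a real deployment would take its rules from the organization's mail policy.

```python
"""Gateway-side sender validation: act on SPF/DKIM/DMARC results.

Added example (not from the HHS publication or ADKtechs). Assumes an
upstream gateway has already evaluated SPF, DKIM and DMARC and recorded
the outcome in an Authentication-Results header.
"""
import email
import email.utils
import re
from email import policy

# Constructed sample: a payment-change lure whose sender domain fails
# SPF and DMARC (assumed header contents, not a real message).
SUSPICIOUS_MESSAGE = """\
Authentication-Results: mx.example-clinic.test;
 spf=fail smtp.mailfrom=bulk.example.net;
 dkim=none;
 dmarc=fail header.from=payments-example.test
From: Accounts Payable <ap@payments-example.test>
To: billing@example-clinic.test
Subject: Updated routing number for wire transfers

Please update our banking details before Friday.
"""

# Constructed sample: a legitimate message from a partner that passes all checks.
LEGITIMATE_MESSAGE = """\
Authentication-Results: mx.example-clinic.test;
 spf=pass smtp.mailfrom=lab-partner.test;
 dkim=pass header.d=lab-partner.test;
 dmarc=pass header.from=lab-partner.test
From: Results Desk <results@lab-partner.test>
To: nurse.lee@example-clinic.test
Subject: Panel results ready

Results for this morning's draws are posted in the portal.
"""

# Matches "spf=pass", "dkim=fail", "dmarc=none" and similar tokens.
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2).lower() for m in RESULT_RE.finditer(header)}


def from_domain(msg):
    """Domain of the visible From: address, lower-cased."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def classify(raw_message, internal_domain):
    """Decide 'deliver' or 'quarantine' and list the reasons.

    Assumed policy: quarantine on a DMARC failure, when neither SPF nor
    DKIM passed, or when the From: domain claims to be our own domain
    without a DMARC pass (a spoof of the organization itself).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    domain = from_domain(msg)
    reasons = []
    if auth.get("dmarc") == "fail":
        reasons.append("dmarc-fail")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("no-passing-sender-auth")
    if domain == internal_domain and auth.get("dmarc") != "pass":
        reasons.append("spoofed-internal-domain")
    verdict = "quarantine" if reasons else "deliver"
    return {"verdict": verdict, "reasons": reasons, "auth": auth, "from_domain": domain}


if __name__ == "__main__":
    for raw in (SUSPICIOUS_MESSAGE, LEGITIMATE_MESSAGE):
        print(classify(raw, "example-clinic.test"))
```

Quarantining rather than silently dropping keeps the message available for the staff review process the practices above call for ("know where to forward them"), and the recorded reasons give the reviewer something concrete to act on.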
VULNERABILITIES
Lack of system backup • Lack of anti-phishing capabilities • Unpatched software • Lack of anti-malware detection and remediation tools • Lack of testing and proven data back-up and restoration • Lack of network security controls such as segmentation and access control
IMPACT
Partial or complete clinical and service disruption • Patient care and safety concerns • Expenses for recovery • The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
PRACTICES TO CONSIDER
Patch software • Be clear which computers may access and store sensitive or patient data • Use strong/unique username and passwords with MFA • Limit the rate of allowed authentication attempts to thwart brute-force attacks • Deploy anti-malware detection and remediation tools • Maintain updated inventory of assets • Implement proven and tested incident response procedures
Credit: Department of Health & Human Services’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
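One of the practices above, limiting the rate of allowed authentication attempts, is simple to implement but easy to get wrong (for example, counting only per account, so one source can still spray many accounts). The following sliding-window throttle is an added example, not code from the HHS publication or from ADKtechs; it tracks failures per account and per source address and locks either key once the failure budget is spent. The thresholds, the key names and the `attempt_login` wrapper are assumptions for illustration.

```python
"""Sliding-window login throttle with lockout.

Added example (not from the HHS publication or ADKtechs). Counts failed
attempts separately per account and per source address so that both
password guessing against one user and spraying across many users are
slowed. Thresholds below are assumed values for illustration.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed: failures allowed inside the window
WINDOW_SECONDS = 300    # assumed: 5-minute sliding window
LOCKOUT_SECONDS = 900   # assumed: how long a key stays blocked


class LoginThrottle:
    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_allowed(self, key, now):
        """False while the key is locked; clears an expired lock."""
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]
            self._failures[key].clear()
        return True

    def record_failure(self, key, now):
        self._prune(key, now)
        q = self._failures[key]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(throttle, username, source_ip, password_ok, now):
    """Returns 'locked', 'ok' or 'denied'. password_ok stands in for the
    real credential check, which is outside the scope of this example."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if not all(throttle.is_allowed(k, now) for k in keys):
        return "locked"          # checked before the password, so the lock is not bypassable
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "denied"


def simulate_bruteforce():
    """Constructed scenario: eight wrong guesses one second apart, then the
    correct password while the lock is still active."""
    throttle = LoginThrottle()
    results = []
    for i in range(8):
        results.append(attempt_login(throttle, "dr.smith", "203.0.113.7", False, now=1000 + i))
    results.append(attempt_login(throttle, "dr.smith", "203.0.113.7", True, now=1010))
    return results


if __name__ == "__main__":
    print(simulate_bruteforce())
```

The scenario shows the important property: once the failure budget is spent, even the correct password is refused until the lockout expires, so a guessing run gains nothing by continuing. In production the state would live in a shared store rather than process memory, and lockouts should be logged so that repeated lockouts on one account surface as an alert.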
VULNERABILITIES
Lack of asset inventory and control • Lack of encryption • Lack of physical security practices • Lack of simple safeguards such as computer cable locks to secure devices within office environments • Lack of awareness that theft of IT assets from the office accounts for nearly as much as from cars • Lack of effective vendor security management, including controls to protect equipment or sensitive data • Lack of “End-of-Service” process to clear sensitive data before IT assets, including medical devices, are discarded or transferred to other users or other organizations
IMPACT
Inappropriate access to or loss of sensitive patient information occurs • Theft or loss of unencrypted PHI or PII; may result in a data breach requiring notification to affected patients, relevant regulatory bodies, and the media • Lost productivity • Damage to reputation
PRACTICES TO CONSIDER
Encrypt sensitive data, especially when transmitting data to other devices or organizations • Implement proven and tested data backups, with proven and tested restoration of data • Acquire and use data loss prevention tools • Implement a safeguards policy for mobile devices supplemented with ongoing user awareness training on securing these devices • Promptly report loss/theft • Maintain a complete, accurate, and current asset inventory to mitigate threats • Encrypt data at rest on mobile devices to be inaccessible to anyone who finds the device
Credit: Department of Health & Human Services’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
VULNERABILITIES
Files containing sensitive data accidentally e-mailed to incorrect or unauthorized addressees • Lack of adequate monitoring, tracking, and auditing of access to patient information on EHR systems • Lack of adequate logging and auditing of access to critical technology assets, such as e-mail and file storage • Lack of technical controls to monitor the e-mailing and uploading of sensitive data outside the organization’s network • Lack of physical access controls • Lack of training about social engineering and phishing attacks
IMPACT
Accidental loss of PHI or PII through e-mail and unencrypted mobile storage, resulting in reportable data breaches • Reportable incidents involving patients who are victims of employees who inappropriately view patient information • Financial loss from insiders being socially engineered into not following proper procedures • Financial loss due to an employee inadvertently giving an attacker access to banking and routing numbers because the attacker used a phishing e-mail disguised as originating from the bank • Patients given the wrong medicines or treatment because of incorrect data in the EHR
PRACTICES TO CONSIDER
Train staff and IT users on data access and financial control procedures to mitigate social engineering or procedural errors • Implement and use workforce access auditing of health record systems and sensitive data • Implement and use privileged access management tools to report access to critical technology infrastructure and systems • Implement and use data loss prevention tools to detect and block leakage of PHI and PII via e-mail and web uploads
Credit: Department of Health & Human Services’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
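"Workforce access auditing of health record systems" is only useful if someone actually runs checks over the access log. The following is an added example, not code from the HHS publication or from ADKtechs, of two such checks run over a constructed EHR access log: access to patients the user has no recorded care relationship with, and users who open unusually many distinct records. The log format, the `CARE_ASSIGNMENTS` table (which a real system would derive from scheduling or admissions data) and the threshold are assumptions for illustration.

```python
"""EHR access-log review: flag access without a care relationship and
high-volume record browsing.

Added example (not from the HHS publication or ADKtechs). The log lines,
the care-assignment table and the threshold are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample audit log (not real data).
# Columns: timestamp, user, patient_id, action
SAMPLE_LOG = """\
2019-03-04T08:01:00,nurse.lee,P1001,view
2019-03-04T08:03:00,nurse.lee,P1002,view
2019-03-04T08:30:00,nurse.lee,P1002,update
2019-03-04T11:45:00,nurse.lee,P1003,view
2019-03-04T09:12:00,clerk.ray,P1001,view
2019-03-04T09:13:00,clerk.ray,P2001,view
2019-03-04T09:13:40,clerk.ray,P2002,view
2019-03-04T09:14:10,clerk.ray,P2003,view
2019-03-04T09:14:55,clerk.ray,P2004,view
2019-03-04T09:15:30,clerk.ray,P2005,view
"""

# Assumed: which patients each user has a documented care relationship with.
CARE_ASSIGNMENTS = {
    "nurse.lee": {"P1001", "P1002", "P1003"},
    "clerk.ray": {"P1001"},
}

DISTINCT_PATIENT_THRESHOLD = 4  # assumed: more distinct records than this is unusual


def parse_log(text):
    """Parse the CSV log into a list of dicts."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        timestamp, user, patient, action = rec
        rows.append({"time": timestamp, "user": user, "patient": patient, "action": action})
    return rows


def find_unassigned_access(rows, assignments):
    """Every access to a patient outside the user's care assignments."""
    hits = []
    for r in rows:
        if r["patient"] not in assignments.get(r["user"], set()):
            hits.append((r["time"], r["user"], r["patient"], r["action"]))
    return hits


def find_high_volume_users(rows, threshold):
    """Users who touched more distinct patient records than the threshold."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["patient"])
    return {user: len(patients) for user, patients in seen.items() if len(patients) > threshold}


def run_audit(text=SAMPLE_LOG, assignments=CARE_ASSIGNMENTS,
              threshold=DISTINCT_PATIENT_THRESHOLD):
    rows = parse_log(text)
    return {
        "unassigned_access": find_unassigned_access(rows, assignments),
        "high_volume_users": find_high_volume_users(rows, threshold),
    }


if __name__ == "__main__":
    report = run_audit()
    for hit in report["unassigned_access"]:
        print("no care relationship:", hit)
    for user, count in report["high_volume_users"].items():
        print(f"high volume: {user} opened {count} distinct records")
```

Both checks produce reviewable findings rather than automatic sanctions: a break-glass emergency access or a legitimate records-department workflow will show up here too, which is why the output goes to a privacy officer's queue rather than straight to HR.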
VULNERABILITIES
Patches not implemented promptly • Equipment not current, or legacy equipment that is outdated and lacks current functionality • Most medical devices, unlike IT equipment, cannot be monitored by an organization’s intrusion detection system (IDS); safety of patients and protection of data integrity are dependent on identifying and understanding the threats and threat scenarios • Heterogeneity of medical devices means that the vulnerability identification and remediation process is complex and resource intensive
IMPACT
Broad hospital operational impact due to unavailable medical devices and systems • Medical devices do not function as required for patient treatment and recovery • Patient safety compromised due to breach
PRACTICES TO CONSIDER
Assess current security controls on networked medical devices • Implement information security assurance practices, such as security risk assessments of new devices and validation of vendor practices on networks or facilities • Engage information security as a stakeholder in clinical procurements • Use a template for contract language with medical device manufacturers and others • Implement security operations practices for devices, including hardening, patching, monitoring, and threat detection capabilities • Develop and implement network security applications and practices for device networks
Credit: Department of Health & Human Services’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
How to create an effective cyber security program
According to the Office of the National Coordinator for Health Information Technology (ONC), “security practices must be built in, not bolted on”. Security policies must be ingrained into your organization and must be dynamic: as cyber threats change and grow, so must your organization. Since hackers and cyber criminals operate across the globe, cyber security is no longer something that can be ignored. Healthcare organizations must stop merely playing defense and adopt a proactive, offensive attitude toward security. A holistic IT security approach and a culture of cyber safety can no longer be a pipe dream; they have to become a reality. Here are some steps you can take to start protecting your organization:
You don't have to do this alone.
ADKtechs offers managed security, employee training, and HIPAA compliance services that improve the way healthcare providers deliver care to their patients.