As cyber attacks become more sophisticated and increasingly focused on healthcare, security concerns are growing among hospital systems and healthcare organizations. In fact, you might recall some attention-grabbing headlines from 2016 about data breaches in major hospital systems. Healthcare was hit so hard by hackers in 2016 that the Identity Theft Resource Center (ITRC) reported that healthcare systems exposed more Social Security numbers than any other industry.
But why is healthcare at such a high risk for IT security breaches? For starters, the ITRC found that healthcare was more susceptible to employee error or negligence than other sectors. On top of that, the industry as a whole was hit hardest by hacking, phishing, and skimming attacks. Improper employee training, outdated technology, and a lack of proper security testing can put your data at risk, and with it the patients and the organization that a security incident can harm.
If you’re thinking of maturing your IT security posture, it’s important to identify your potential weaknesses from the get-go. Here are some top healthcare security concerns that should be on your radar:
As healthcare technology changes, many new medical devices are connected to one another wirelessly. While connectivity can help physicians and nurses tap into useful data, keep patient records up to date, and (in some cases) improve outcomes, it also widens the opportunity for a data breach. It’s important to put security controls in place to protect Internet of Things (IoT) medical devices, such as ensuring all devices connect only to the healthcare organization’s protected network, requiring authentication, and encrypting device communications.
There are thousands of new cloud-based applications and medical software products on the market right now that improve connectivity and patient-clinician interaction while storing patient health records, tracking ICD-9 and ICD-10 codes, and monitoring emerging symptoms. While these systems can help streamline clinical protocols and improve patient care, they may pose a risk to your security measures. Many employees are familiar with security protocols on site, but it’s easy to let security slip, especially when data can be accessed from a mobile device anywhere and at any time. If you plan to move to a cloud-based system, employee training is key to protecting against a data breach.
These email attacks have been leveraged against healthcare organizations for years — and they are still a top security risk for healthcare companies. Be sure to train your employees to spot signs of phishing and ransomware emails, and make sure they know what to do if they identify one or accidentally open a suspicious link or document.
Phishing attacks are a tried-and-true way for hackers to access your network and hold your data hostage. According to the Enterprise Phishing Susceptibility and Resiliency Report from PhishMe, 91 percent of cyberattacks start with a “phish” — an email or message designed to convince users to open an infected link or attachment, or to provide credentials. If an employee clicks on an infected link, malware or ransomware can spread to their computer or to your entire network relatively quickly. Providing credentials may also give a hacker direct access to your network. As with other healthcare security concerns, employee training is key to avoiding phishing and ransomware scams. However, it’s also important to know your software vulnerabilities and patch them, keep firewalls and intrusion detection and prevention systems (IDS/IPS) updated, provide robust email and web security solutions, and provide antivirus and anti-malware solutions.
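The three warning signs a phishing-awareness session typically teaches (a display name that impersonates the organization while the real sender domain is foreign, a link whose visible address differs from where it actually points, and wording that pressures the reader to hand over credentials) can also be checked mechanically. The script below is an added example written for this article; it is not code from the original post, from PhishMe, or from any product named here. The organization name, the internal domain, and both sample messages are constructed assumptions.

```python
"""Heuristic phishing-indicator check over constructed email samples.

Added illustrative example; not code from the original article or from any
product it names. It flags three warning signs: a display name that
impersonates the organization while the sender's domain is foreign, a link
whose visible URL points at a different domain than its real href, and
wording that pressures the reader to supply credentials. ORG_NAME,
INTERNAL_DOMAIN and both sample messages are assumptions constructed for
the demonstration.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

ORG_NAME = "example hospital"              # assumed organization name
INTERNAL_DOMAIN = "example-hospital.org"   # assumed legitimate sender domain

CREDENTIAL_PHRASES = (
    "verify your password",
    "confirm your credentials",
    "your account will be suspended",
    "log in immediately",
)

# <a href="...">visible text</a>; the visible text is what the reader sees
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<]+", re.I)


def sender_domain(msg):
    """Lowercase domain of the From: address, or '' if it cannot be found."""
    from_header = msg.get("From", "")
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rpartition("@")[2].lower()


def registrable(host):
    """Crude registrable-domain approximation: last two labels; IPs unchanged."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_mismatches(html):
    """Return (shown_host, real_host) pairs where link text and href disagree."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)
        if not shown:
            continue  # visible text is not a URL, so there is nothing to compare
        shown_host = urlparse(shown.group(0)).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registrable(shown_host) != registrable(real_host):
            found.append((shown_host, real_host))
    return found


def phishing_indicators(raw_email):
    """Parse one RFC 5322 message and return the list of indicators it trips."""
    msg = message_from_string(raw_email)
    indicators = []

    domain = sender_domain(msg)
    display = msg.get("From", "").split("<")[0].strip().strip('"').lower()
    if domain != INTERNAL_DOMAIN and ORG_NAME in display:
        indicators.append(f"display name impersonates {ORG_NAME!r} but sender domain is {domain!r}")

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for shown, real in link_mismatches(body):
        indicators.append(f"link text shows {shown!r} but points at {real!r}")

    lowered = body.lower()
    for phrase in CREDENTIAL_PHRASES:
        if phrase in lowered:
            indicators.append(f"credential request wording: {phrase!r}")
    return indicators


# Constructed sample: impersonation, a mismatched link, and a credential lure.
PHISHING_SAMPLE = """\
From: "Example Hospital IT Helpdesk" <helpdesk@example-hospital-support.com>
To: nurse@example-hospital.org
Subject: Action required: portal access
Content-Type: text/html; charset=utf-8

<p>Please open <a href="http://198.51.100.23/login">https://portal.example-hospital.org/login</a>
and verify your password within 24 hours.</p>
"""

# Constructed sample: genuine internal notice with a consistent link.
BENIGN_SAMPLE = """\
From: "IT Helpdesk" <it@example-hospital.org>
To: nurse@example-hospital.org
Subject: Monthly security training
Content-Type: text/html; charset=utf-8

<p>This month's training is on the portal:
<a href="https://portal.example-hospital.org/training">https://portal.example-hospital.org/training</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample))
```

Heuristics like these are a training aid and a triage filter, not a substitute for the mail-gateway, patching and IDS/IPS measures the article lists; a message that trips none of them can still be malicious, which is why the "what to do if you open one anyway" part of employee training matters.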
Encryption is a great way to protect both on-premises users and external cloud-based devices and applications. To put it simply, encryption is the act of scrambling communication so that nobody other than the intended recipient can read it. However, some sophisticated hackers have learned to hide undetected within encrypted traffic. According to a Ponemon Institute report called Hidden Threats in Encrypted Traffic, in nearly half of cyber attacks in the previous 12-month period, malware entered organizations by hiding under encryption.
To counter these network attacks, healthcare organizations can add an extra layer of security that monitors encrypted traffic and identifies blind spots where hackers could reach your data. With this added layer, IT staff can analyze network traffic more easily, decrypting and inspecting suspicious flows. Doing so bolsters security and supports compliance at a time when security threats are rising rapidly in the healthcare industry.
When it comes to IT security, employee training is of the utmost importance. Lack of training can lead to serious security breaches through phishing scams, improper mobile use, and connected devices. Be sure your employees are aware of how data breaches happen by conducting regular security training and compliance screenings. Here are some things to keep in mind:
Medical practices are typically focused on patient health, but in today’s world, a second focus on cyber health is a must. It may feel like a distraction, but it’s all in service of protecting your patients.
Megan Pacella is a contributor to Technology Advice, specializing in healthcare, wellness, and marketing. She has written for several healthcare organizations and marketing agencies, and served as a regular contributor to USA Today Travel.