Two Quick Steps to Jumpstart Your Cybersecurity Plan

If you think of keeping your healthcare organization’s data secure as an “administrative nuisance,” then you need to think again.

That’s the message of a recent Perspective article that appears in the July issue of The New England Journal of Medicine. The recent attacks against the National Health Service and a Pennsylvania-based organization highlight how cybersecurity needs to be at the forefront of industry leaders’ minds, the article authors wrote.

The threat against healthcare systems, they said, is mounting. Citing a study by the independent Ponemon Institute, the authors said that about 90% of surveyed healthcare organizations have experienced data breaches during the past two years, with 64% saying the attacks were directed toward medical files in 2016. That’s a year-over-year increase in medical-file attacks of 9%.

There’s a reason why medical files are especially valuable to hackers, the authors explained. That’s because the information contained in those files is “durable.” Unlike social security numbers, credit card numbers and insurance information can all be changed. A patient’s medical records cannot. This means hackers can sell this type of information at a premium. The authors cited the example of a hacker who sold 600,000 medical records on the dark web in June 2016.

Many of these attacks, the authors wrote, are of the denial of service (DoS) variety. Hackers behind DoS attacks often demand a ransom for the healthcare system to retrieve its data. They don’t necessarily result in exposure of patient data, but they usually derail business. Hollywood (California) Presbyterian Medical Center recently paid hackers $17,000 to free its data.

There’s also the possibility of outright manipulation of patient files and devices, the authors wrote. They cited a 2015 Food and Drug Administration (FDA) and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team alert about an infusion system that could be controlled remotely by hackers.

So what should healthcare system administrators do? The authors have two recommendations:

• Be practical. You could have the most secure systems in the world, the study authors wrote, but if using them is so burdensome to employees that they operate outside of those systems, then you’ve defeated the purpose. “A highly secure system that is not usable (and therefore not sued) is less secure than a moderately secure system that is adopted widely.” The authors provided the example of requiring frequent password changes. What’s to stop an employee from writing their passwords down on paper?
• Educate. “Unintentional negligence remains the biggest risk,” the authors wrote. Don’t assume your employees know the hazards of unsolicited email attachments, or questionable embedded links. Your employees need to be trained. “People are the weakest link in the security infrastructure: our systems are only as secure as the gatekeepers who use them.”

Stay up to date on the latest healthcare analytics news, views, and insights by signing up for our newsletter.

Related

Data Breach at Neurological Clinic Highlights Threat Against Smaller Practices

How AI Could Thwart The Next Large-Scale Cyberattack

Cybersecurity: How the World Measures Up, Country by Country