According to a recent two-year study of hospitals and other organizations related to the healthcare industry, medical facilities on the whole are woefully unprepared for the threat of increasingly sophisticated hackers. More specifically, their defense is focused almost exclusively on protecting patient records and is typically reactionary rather than proactive. The defenses that do exist are meant to stop blanket, rudimentary hack attempts.
While most strategies have been designed to protect patient data, these strategies don’t take into account how disruptive something like a ransomware attack can be to a hospital’s daily operations. That aspect is in some ways a greater threat to a hospital, as it can interrupt the care of sick patients. For example, Hollywood Presbyterian Medical Center had its files held hostage and was forced to switch to using pen and paper after being hit with a ransomware attack. It only regained access after paying $17,000 to the cybercriminals responsible. Hollywood Presbyterian isn’t the only medical center to be essentially shut down by hackers this year. The Los Angeles County Health Department, Chino Valley Medical Center, Desert Valley Medical Center, Kentucky’s Methodist Hospital, and MedStar Health in Washington DC have all been affected.
Basically, it’s in all likelihood going to be impossible to prevent every intrusion, so part of any organization’s plan should be to mitigate their outcomes. Unfortunately, most organizations aren’t up to the task. More than 80% spend less than 6% of their IT budget defending against cyberattacks, with more than 50% spending less than 3%. This is a fairly damning figure considering that comparable industries like finance spend 12% or more. Almost 75% say that security is discussed in board meetings only some of the time or, worse, only upon request.
With this information in mind, here are the top five cybersecurity issues facing the healthcare industry today:
- Ransomware. Healthcare organizations are a huge target for cybercriminals because, unlike other industries that have invested in cybersecurity, medical facilities have not. They also cannot afford to have their systems shut down, since it could literally be a matter of life and death. More importantly, they have the money to pay ransoms, and often do. Ransomware is a low-risk, high-profit scam, and as long as hospitals remain unprepared to deal with it and continue to pay off hackers, the threat will continue to grow. At the bare minimum, these facilities need a robust backup system, limited permissions, and fully up-to-date software.
- Phishing awareness. While ransomware may be how cyberthieves attack, phishing is how they get into an organization’s systems. Everyone needs to be trained on how to recognize a phishing attack, but especially executives, so they don’t become victims of “whaling”. Executives have greater access to a medical facility’s systems, so when they are targeted and fall victim to phishing, hackers can do everything from transferring funds to installing ransomware.
- Executives need to be up to date on cybersecurity. Unfortunately, when it comes to security, most executives aren’t sufficiently knowledgeable about threats. This leads to security being a low priority and to a strategy that is more reactionary and less about preparedness. It’s up to the executives in charge of IT to deliver security information and threat assessments in ways other executives can understand. Security needs to be prioritized to the extent that every board meeting includes a security report, in the same way it includes a financial report.
- Application security. When people think about encrypting data, they’re thinking about when it is stored or transmitted, but very few consider what happens when that data is being used by an application. During that time, data is decrypted and can be exposed not only to the general public, but to unauthorized users. In the financial industry, this is a priority, but in healthcare it isn’t. While application security tends to be a step beyond where most organizations are today, it is an inevitable one.
- IoT is coming. The Internet of Things (IoT) is a term used to describe the interconnectivity and often web-enabled aspects of modern technology. While this offers a lot of convenience in our everyday lives, when it comes to medical devices it is a potential nightmare. In most cases, manufacturers are more concerned with convenience and ease of use than with the security risk these devices carry. While most hackers are more interested in financial gain than in causing physical harm, this area has not been adequately addressed. With the rise of internet-driven global terrorism and proof-of-concept attacks on devices like insulin pumps, this is a concern that needs to be considered.