Hospitals, health systems, payers and any organization with stewardship of healthcare data are prime targets for cyberattacks. And there are plenty of cautionary tales showing just how much damage hackers can do, with the recent Hollywood Presbyterian Medical Center ransomware attack and last year's massive Anthem breach being just two incidents on a long list. While no healthcare organization will ever be completely invulnerable to such attacks, they can learn from others' mistakes.
Here are four lessons healthcare providers can consider when thinking about data breach prevention and preparedness.
1. Don't fall prey to known vulnerabilities. The magnitude and frequency of healthcare data breaches may seem shocking, but in most cases the root causes are anything but a surprise. "Well over 90 percent of data breaches last year were the result of hackers taking advantage of well-known vulnerabilities," says Mac McMillan, CEO and co-founder of information security and privacy consulting firm CynergisTek. "These were not super sophisticated attacks." Proper patch management, up-to-date next-generation firewalls, malware and antivirus filters and automated attack detection methods go a long way in data breach prevention. All of these security layers are standard fare. It is just common to let these strategies fall by the wayside, despite the potential for severe consequences, he says.
2. Utilize experience-based training. Data breaches are equal parts a tech problem and a people problem. The technology has to be up-to-date and prepared to detect and deflect attempted breaches, but the best technology can only do so much if the people using it are not just as vigilant. Typical hospital and healthcare cybersecurity training involves a crash course in basic terms, e.g. "What is malware," with a brief yearly refresher.
Mr. McMillan recommends an alternate course with a much more hands-on approach. "Take a group of people and immerse them in an incident. Allow them to experience it in real time and ask themselves 'What will I do now?' This is much more meaningful. They have a better appreciation for what an incident could really be like," he says.
For example, CynergisTek creates false phishing emails tied to quick training sessions.
If an employee opens the email, he or she is immediately taken through a brief session detailing the potential consequences of opening such an email and what should have been done instead. "You can teach so much more in a 20-minute simulation than in an hour-long discussion," says Mr. McMillan.
3. Consider a third party for security audits. Healthcare, though a unique field, can learn much from other industries. The airline and hotel industries offer insights into customer service, for instance, and startup culture shows healthcare what it can mean to innovate. When it comes to cybersecurity, healthcare can learn from the banking and financial industry, retail and nearly any other highly targeted field. "At the end of the day, data are data and systems are systems. It does not matter what kind of information you are processing. The way the bad guys attack other industries is how they attack healthcare," he says.
Healthcare providers frequently keep all security functions in-house, but Mr. McMillan cautions against eschewing the benefit of an outside set of eyes. "We need to stop this nonsense of testing ourselves. Healthcare is the only regulated industry that thinks it can do its own security audits. You need an objective, third-party assessment," he says. A third-party firm has the benefit of high-level industry awareness and an outsider's objective ability to see what someone immersed in a hospital's data and strategies every day cannot.
4. Create a contingency plan. No matter how ironclad a hospital or health system believes its cybersecurity strategy to be, there is always the possibility of a breach. Rather than relying on the assumption a breach will never happen, operate under the assumption it could happen at any time. Create a plan for what to do when that day comes. "That hospital [Hollywood Presbyterian] did not have a good plan for how to continue care when they lost their network."
What would happen if your organization lost access to its data, to its network or electronic communication? Have answers for those questions. Build the necessary relationships to handle any of those situations in reality. "When you are in the midst of a fire, you don't want to be running around looking for the fireman," he says.