The top 5 cybersecurity threats hospitals need to watch for

The healthcare industry is no stranger to cybersecurity challenges. Data breaches cost the industry about $5.6 billion each year. Healthcare organizations obviously deal with sensitive, private data every day and as hackers increasingly target the healthcare industry, hospitals in particular need to be especially watchful for these five cybersecurity threats.

1. Phishing Attacks
Phishing attacks are becoming much more common and employees need to be educated on the potential threats that lurk in their inboxes. Programs that boost employee awareness for these attacks are vital to helping employees spot and avoid these types of attacks so they don't become an entry point for hackers. There are a number of ways to identify phishing attacks. For starters they often come through emails that seem to be from a company or service that your employees deal with on a regular basis. There is usually a link within the email that is either mismatched or uses a Top-Level Domain (TLD) that is known to be associated with suspicious websites. Following the link, there is generally a request for personal information or login credentials.

Hospital staff should make sure they never open attachments or click on links from senders they are unfamiliar with. If unsure, it's best to ask an IT admin to take a look. Additionally, staff should never share personal information or credentials without reading the fine print and double checking exactly who the request came from. It's important to analyze the language used within emails and in forms.

This threat is becoming more commonplace as physicians share electronic healthcare records (EHRs). Doctors should always closely evaluate any requests that come in for file sharing, ensuring it's a real request from a verified healthcare professional before sending anything, since hackers are getting extremely creative and more convincing every day.

2. Malware & Ransomware
Malware can infiltrate a system through several channels. It can be downloaded by mistake, via a phishing attack as just described, come through software vulnerabilities, sneak into the network through encrypted traffic and more. Hospital IT staff must be vigilant and monitor all the pathways malware can enter through.

Ransomware is growing in popularity and hospitals are ideal targets because they rely on up-to-date information for patient care. For this reason, many hospitals pay up right away when they find themselves in a ransomware situation. For example, Hollywood Presbyterian Medical Center recently paid 40 bitcoins – the equivalent of $17K – to hackers who locked access to the hospital's EHRs.

The increasing number of these attacks is doubly dangerous for hospitals as patient care can suffer. Hospitals must make sure they have strong network security in place so that hackers can't gain access to the records they are looking to lock up.

3. Encryption Blind Spots
Encryption has proven to be a great tool for protecting data, especially as it transfers back and forth between on-premise users and external cloud applications. However, hackers have figured out how to hide in encrypted traffic, using it as a means to avoid detection. In fact, 50 percent of network attacks will hide in encrypted traffic by 2017, according to Gartner.

Encryption makes it even more difficult for security analytics tools to monitor and detect breaches and targeted attacks. For this reason, hospitals should have a layer of security that monitors encrypted traffic to ensure there are no blind spots within the network in which hackers can sit and wait to attack. This added security allows IT teams to analyze all network traffic for suspicious or anomalous behavior. Suspicious and malicious traffic can be selectively decrypted and inspected in a rapid fashion, while allowing known good traffic to pass through in its encrypted state. This ability to selectively decrypt and inspect network traffic ensures data privacy and compliance while bolstering security against an increasingly common threat, which should always be top of mind for hospital IT and security staff.

4. Cloud Threats
The healthcare industry has historically been hesitant to adopt cloud-based applications and storage due to security and data privacy concerns. But the benefits of cloud are compelling, and healthcare organizations are now increasingly turning to the cloud to help improve patient care and collaboration. As they begin to shift to the cloud, there are still a number of variables that need to be accounted for, such as data compliance.

In the United States, HIPAA includes provisions designed to ensure privacy and security for private healthcare information. Compliance by no means guarantees security, but nonetheless it's a requirement all hospitals need to adhere to and remember when moving data to the cloud.

If a hospital uses cloud-based services, it should understand exactly what information assets are in the cloud. It then needs to map out which systems, people and processes will need to access those assets. There should be no unnecessary or unrestricted access, therefore it's vital for hospitals to stay organized and have well-defined and understood processes in place.

Strong encryption can ensure data is protected while it's in transit from on-premise locations to the cloud as well as when it is being stored and processed in cloud applications. For example, healthcare and patient data can be replaced with a tokenized or encrypted value which is then sent to the cloud for processing and storage. As a result, the data becomes meaningless should anyone outside of the company access it on its way to the cloud or within the cloud environment. Hospitals shouldn't share encryption keys or token vaults with any third parties.

Cloud Access Security Broker (CASB) solutions can also act as security and compliance policy enforcement points, placed between cloud service providers and the hospital staff to combine and interject enterprise security policies as the cloud-based assets are accessed. These solutions can also log interactions with regulated data to facilitate the audit requirements that are frequently part of compliance regimes such as HIPAA.

5. Your Own Employees
Organizations are frequently surprised that one of the biggest threats to data security is their own staff. A breach often starts with a staff member who's simply uneducated about cybersecurity best practices. As mentioned earlier, they might not even know what a phishing attack is or what a ransomware attack looks like.

Hospitals need to have detailed data governance, risk management and data security policies in place in order to make sure employees are all aligned with the organization's cybersecurity strategy. These policies should include best practices such as: don't download or use software without IT's permission (Shadow IT) and don't open emails from unknown senders. It's not enough to just send out guidelines-- they must be enforced too. IT teams should put systems in place, like the CASB solutions referenced earlier, to alert them when employees are engaging in risky behavior. These systems can also act as early warning systems to mitigate against data loss when a legitimate employee's credentials are compromised.

Healthcare data is becoming more valuable to hackers every day. Unfortunately, hospitals are a gold mine for cybercriminals as they are filled with PHI, which can go for $50 or more for each record. Every hospital staff member needs to know how to identify threats. Just as there are medical codes and best practices that every employee is required to learn, it's time to do the same with cybersecurity. Make sure your staff knows how to spot and avoid these risks to prevent being the next healthcare data breach headline.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.​

© Copyright ASC COMMUNICATIONS 2017. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months