A Hippocratic oath to safeguard hospitals from cyberattacks

According to the Global Cyber Alliance (GCA), email security in healthcare is weak: most large hospitals have not deployed DMARC, the standard that stops attackers from sending mail that appears to come from the hospital's own domain.

The finding is troubling: only 6 of the nation's 50 largest public hospitals protect their email domains from targeted attacks in this way. That leaves 44 of those hospitals open to spoofed email that appears to come from the hospital itself and that seeks to trick patients into disclosing personal data, or that leads to data leaks.

For-profit hospitals have a somewhat better record: 22 of the top 48 institutions use Domain-based Message Authentication, Reporting and Conformance (DMARC), a protocol that lets a domain owner tell receiving mail servers to quarantine or reject messages that fail SPF or DKIM authentication for that domain. It is a useful but limited defense: it stops spoofing of the hospital's own domain, which underlies many spear-phishing attacks, but it does nothing against mail sent from lookalike or unrelated domains.
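What the GCA figures measure is the published DMARC record and whether it is actually enforcing. The following is an added example, not code from the original post, Paubox or the GCA: it parses a DMARC TXT record as a receiving server would, rates how much spoofing protection it gives (a record with p=none only asks for reports; spoofed mail is still delivered), and works out the disposition of a single message from its SPF and DKIM results. The domains and records are constructed for illustration, and the organizational-domain logic is simplified (a real receiver uses the Public Suffix List).

```python
"""DMARC check: rate a domain's published record and work out the disposition a
receiving server would apply to one message. Added example, not code from the
original post, Paubox or the GCA; the domains and records below are constructed."""

# Constructed TXT records as they would be published at _dmarc.<domain>
SAMPLE_RECORDS = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "enforced.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",  # no p= tag
    "absent.example": None,                                           # nothing published
}

def parse_dmarc(record):
    """Parse a DMARC TXT record (RFC 7489 tag=value list) into a dict with
    defaults filled in. Returns None when the record is missing or invalid:
    v=DMARC1 must be the first tag and p= is required."""
    if not record:
        return None
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("pct", "100")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    return tags

def assess_record(record):
    """Rate how much protection against spoofing of the domain a record gives."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"        # receivers apply no policy at all
    if tags["p"].lower() == "none":
        return "monitor"     # reports only; spoofed mail is still delivered
    if tags["pct"].isdigit() and int(tags["pct"]) < 100:
        return "partial"     # policy applied only to a sample of failing mail
    return "enforced"

def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Production
    code must use the Public Suffix List so that e.g. nhs.uk is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed needs the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Decide what a receiver does with a message whose RFC5322.From is
    from_domain, given the MAIL FROM domain that passed SPF (or None) and
    the d= of a DKIM signature that verified (or None). pct sampling is
    ignored here, so 'quarantine'/'reject' mean the policy would apply."""
    tags = parse_dmarc(record)
    if tags is None:
        return "deliver"   # no usable policy: handled as ordinary unauthenticated mail
    if aligned(from_domain, spf_domain, tags["aspf"]) or aligned(from_domain, dkim_domain, tags["adkim"]):
        return "pass"
    return tags["p"].lower()   # none -> delivered but reported; quarantine; reject

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:18} {assess_record(rec)}")
    # A spoofed message: From: billing@enforced.example, sent from an attacker's
    # server whose SPF passes only for attacker.example, with no DKIM signature.
    print(disposition(SAMPLE_RECORDS["enforced.example"], "enforced.example",
                      spf_domain="attacker.example", dkim_domain=None))
```

Run against a real domain, the same logic applies to the TXT record returned by a DNS lookup of `_dmarc.<domain>`; a hospital whose record is absent, malformed or set to p=none counts as unprotected in exactly the way the GCA study describes.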

With so much at stake, this tool should be a requirement rather than an option that few adopt or use. Or should it?

Not necessarily, because institutions like those in the study are most likely using other solutions to secure their networks and email.

Of equal concern is whether these organizations even try to ensure that the email they exchange with patients is HIPAA compliant at all. Verizon's Data Breach Investigations Report found that 66% of malware on healthcare networks entered those systems through email attachments.

This problem is not exclusive to hospitals; it affects the healthcare industry as a whole. The same report found that 15% of all data breaches last year had some connection to the health and wellness space.

Unfortunately, these reports have yet to motivate a majority of hospitals to establish the email security protocols needed to protect themselves.

DMARC does not solve this particular problem: it verifies that a message really comes from the domain it claims to come from, but it says nothing about whether an attachment from an authenticated, lookalike or unrelated sender is malicious. That is why hospitals need to adopt additional controls, and need to understand how to keep the problem from recurring.

Controls that address it include email encryption, spam filters, and secure email gateways that inspect attachments and links before a message is delivered.
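Since most healthcare malware arrives as an attachment, the gateway check that matters most is the one applied to attachments before delivery. The following is an added example, not code from the original post or from any product, of such a policy: it judges each attachment by its content as well as its name, so a renamed executable or a filename that uses a Unicode right-to-left override to disguise its extension is caught, and archives that cannot be inspected are held rather than passed through. The inbound message and the block lists are constructed for illustration and are not a complete blocklist.

```python
"""Attachment policy of the kind a secure email gateway enforces on inbound
mail before delivery. Added example, not code from the original post or any
product; the message and the blocklists are constructed for illustration."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types Windows executes directly or that can carry macros (illustrative, not exhaustive)
BLOCKED_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1",
               ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
# Containers that hide their contents from simple checks; hold them for inspection
ARCHIVE_EXT = {".zip", ".7z", ".rar"}
PE_MAGIC = b"MZ"          # first two bytes of every Windows executable
RLO = "\u202e"            # right-to-left override: "x\u202efdp.exe" displays as "xexe.pdf"

def classify_attachment(filename, payload):
    """Return (verdict, reason) for one attachment, judging content as well as name."""
    name = filename or ""
    ext = os.path.splitext(name.lower())[1]
    if RLO in name:
        return "block", "filename uses a Unicode override to disguise its extension"
    if ext in BLOCKED_EXT:
        return "block", f"blocked file type {ext}"
    if payload[:len(PE_MAGIC)] == PE_MAGIC:
        return "block", "content is a Windows executable whatever the name says"
    if ext in ARCHIVE_EXT:
        return "quarantine", "archive held for inspection (encrypted archives cannot be scanned)"
    return "allow", "no rule matched"

def scan_message(raw):
    """Parse a raw RFC 5322 message and classify every attachment in it."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(part.get_filename(), payload)
        results.append((part.get_filename(), verdict, reason))
    return results

def message_verdict(results):
    """Most severe verdict wins: block > quarantine > allow."""
    rank = {"allow": 0, "quarantine": 1, "block": 2}
    return max((v for _, v, _ in results), key=rank.__getitem__, default="allow")

def build_sample():
    """Constructed inbound message: a harmless PDF, a double-extension executable,
    and a 'PDF' whose bytes are really a PE header."""
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "accounts@hospital.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00\x03\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00\x03\x00", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    results = scan_message(build_sample())
    for name, verdict, reason in results:
        print(f"{verdict:10} {name:20} {reason}")
    print("message:", message_verdict(results))
```

A production gateway adds antivirus and sandbox detonation on top of this, but the ordering is the point: content checks come before name checks are trusted, and anything that cannot be inspected is quarantined rather than delivered.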

As cyberattacks become more frequent and aggressive, hospitals must make preparedness a priority.

Threat intelligence, fed into those filters as it is published, lets a hospital block known malicious senders, domains and attachments in near real time.

An easy way to advance this cause is for hospitals to train their employees to be more aware of these risks. Steps to follow include:

● Establish an email policy that is clear so employees know what to do and what not to do.
● Remind employees not to click on links or open attachments from unknown senders.
● Emphasize that employees should not respond to a spam email.
● Highlight the importance of verification: confirm the sender's name and address, including its spelling, before acting on a link or attachment.

A hospital IT administrator can also run phishing simulations, sending staff a fake phishing email and measuring how many click. The result shows whether additional training or greater workplace accountability is needed.

In the end, encryption and strong inbound filters are indispensable to preventing the loss of private information, stopping attackers, maintaining privacy, and honoring the spirit and letter of HIPAA. HIPAA underscores the urgency of protecting PHI, since hospitals must meet its regulatory requirements.

Hospitals need to always be on the lookout for new strategies and tactics to protect themselves and the patients they serve.

Hoala Greevy is the Founder CEO of Paubox, the easiest way to send and receive HIPAA compliant email. He likes to go kayak fishing when possible.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2018.
