Cyberattacks in the healthcare industry have been on the rise, the latest being the WannaCry attack that affected 20 percent of NHS facilities in the UK. A 2016 study by the Ponemon Institute found that healthcare organizations experience approximately one cyberattack every month. Healthcare organizations are a lucrative target because patient information (social security numbers, dates of birth, medical insurance details and credit card numbers) sells for significantly more than financial data on the dark web. Unfortunately, attacks on the healthcare industry are likely to increase, because investment in cyber security has not kept pace with the value of the patient data being held.

Advances in the delivery of care have improved health outcomes, but they have also widened the attack surface of healthcare providers. For instance, electronic health record (EHR) systems have made it easier to access and share patient records, so that treatment is delivered accurately and efficiently. However, partly because hospitals depend so heavily on EHR systems, ransomware attacks that cut off access to electronic patient information have been effective; the attack on Hollywood Presbyterian Medical Center in February 2016 is the obvious example.

Additionally, the thousands of medical devices ubiquitous on hospital networks put patient safety at risk. Medical devices have undoubtedly improved the quality of care, but IT security teams are often unaware of which medical devices are on their network. This lack of visibility, coupled with the presence of exploitable vulnerabilities in medical devices, presents an imminent and growing threat to patient safety. Research by Gartner shows that 99 percent of cyber-attacks exploit vulnerabilities that are already known. In other words, most attacks succeed in spite of existing knowledge of the vulnerability being used.
Similarly, the recommendations below for improving your organization's security posture might seem rudimentary and obvious. However, the recent spate of attacks against healthcare organizations shows that even these basic mitigations, otherwise known as foundational security controls, are not being applied as effectively as they should be. These measures include the following:
1. Discover and protect all assets
Organizations cannot monitor or protect assets they have not discovered, so IT security teams need visibility into every asset on the network. To gain that visibility, use tools that discover, profile and monitor all assets on the network, or at the very least the critical assets whose compromise would most disrupt patient care. On a hospital network that includes the medical devices and the clinical systems that depend on them, not only the servers and workstations IT already manages.
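As an added example (editor's code, not from the original article or from any product it may refer to), the following Python script reconciles a constructed network scan against a constructed approved inventory: hosts whose MAC address is not in the inventory are flagged as unknown, open ports are used to profile what a host probably is (DICOM on port 104 or HL7 over MLLP on port 2575 suggests a clinical device), and SMB or RDP exposure is called out because SMB is the service WannaCry spread over. The port-to-service mapping, the priority scheme and every host and inventory record are assumptions made for the demonstration.

```python
"""Reconcile a network scan against the approved asset inventory.

Added example, not code from the original article or from any product it may
refer to. All IPs, MACs, port lists and inventory records are constructed.
"""
from dataclasses import dataclass

# Service names inferred from well-known ports. DICOM's default port is 104 and
# HL7 MLLP's is 2575, so either one strongly suggests a clinical device; 445 is
# SMB, the service WannaCry spread over.
PORT_PROFILES = {
    22: "SSH", 80: "HTTP", 104: "DICOM", 443: "HTTPS",
    445: "SMB", 2575: "HL7-MLLP", 3389: "RDP",
}
CLINICAL_SERVICES = {"DICOM", "HL7-MLLP"}

# Services that should not be reachable on a clinical segment without a
# documented exception (assumed policy for this example).
EXPOSURES = {445: "SMB reachable (wormable, cf. WannaCry)", 3389: "RDP reachable"}


@dataclass
class DiscoveredHost:
    ip: str
    mac: str
    open_ports: tuple


@dataclass
class Finding:
    ip: str
    status: str        # "inventoried" or "unknown"
    services: tuple    # inferred from open ports
    exposures: tuple
    critical: bool
    priority: int      # 0 = look at this first, 3 = routine


def profile_host(host):
    """Map open ports to service names; ports not in the table are simply unnamed."""
    return tuple(PORT_PROFILES[p] for p in sorted(host.open_ports) if p in PORT_PROFILES)


def assess(host, inventory):
    """Produce one Finding for a discovered host.

    `inventory` maps lower-case MAC -> {"name": str, "critical": bool}. A host
    whose MAC is not in it is an unknown asset and is treated as unprotected.
    """
    record = inventory.get(host.mac.lower())
    services = profile_host(host)
    looks_clinical = bool(CLINICAL_SERVICES & set(services))
    critical = looks_clinical or bool(record and record["critical"])
    exposures = tuple(msg for port, msg in EXPOSURES.items() if port in host.open_ports)
    status = "inventoried" if record else "unknown"
    # Each aggravating factor moves the host one step up the queue.
    priority = 3 - (status == "unknown") - critical - bool(exposures)
    return Finding(host.ip, status, services, exposures, critical, priority)


def reconcile(scan, inventory):
    """Assess every scanned host and return the findings, most urgent first."""
    return sorted((assess(h, inventory) for h in scan), key=lambda f: (f.priority, f.ip))


def unknown_assets(findings):
    """Hosts that cannot be protected yet because nobody has claimed them."""
    return [f.ip for f in findings if f.status == "unknown"]


# Constructed sample data: an approved inventory and one scan of a clinical
# VLAN. None of these are real devices.
INVENTORY = {
    "00:11:22:33:44:01": {"name": "CT scanner, radiology", "critical": True},
    "00:11:22:33:44:50": {"name": "badge printer, front desk", "critical": False},
}
SCAN = [
    DiscoveredHost("10.20.0.11", "00:11:22:33:44:01", (104, 445)),  # known CT, SMB open
    DiscoveredHost("10.20.0.13", "00:11:22:33:44:03", (104, 445)),  # unknown DICOM host
    DiscoveredHost("10.20.0.50", "00:11:22:33:44:50", (443,)),      # known, harmless
    DiscoveredHost("10.20.0.51", "00:11:22:33:44:51", (22, 80)),    # unknown web device
]

if __name__ == "__main__":
    for f in reconcile(SCAN, INVENTORY):
        print(f"P{f.priority} {f.ip:12} {f.status:11} services={','.join(f.services) or '-'}"
              f" critical={f.critical} exposures={list(f.exposures)}")
```

Running it lists the unknown DICOM host with SMB open first, which is exactly the device this control is about: nobody owns it, it is probably clinical, and it is reachable over the protocol WannaCry spread on. A real deployment would feed the same logic from an active scanner or passive traffic capture and from the CMDB rather than from the constants at the bottom, and would run it continuously rather than once.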
2. Adopt an information security framework
The HIPAA Security Rule and the NIST framework provide guidance for managing cybersecurity risk. However, implementing these frameworks and maintaining compliance without robust tooling is cumbersome, and a point-in-time audit says nothing about how a system is configured the following week. Deploy secure configuration management tools that continuously monitor assets and ensure they stay compliant with the security standards you have adopted.
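As an added example (editor's code, not the article's or any vendor's), here is a small continuous-compliance check in Python: a baseline expressed as rules, each tied to a control reference, is evaluated against host configuration snapshots, and a fingerprint of each snapshot is compared with the approved baseline fingerprints so that drift is caught even when no individual rule is broken. The rule set, the snapshots, and the mapping of rules to NIST Cybersecurity Framework 1.1 identifiers (PR.IP-1 for maintaining a baseline configuration, ID.RA-1 for identifying asset vulnerabilities) are the editor's assumptions for the demonstration.

```python
"""Evaluate host configuration snapshots against a security baseline.

Added example, not code from the original article or from any product it may
refer to. The rules, the snapshots and the control references are constructed
for the demonstration; the NIST CSF identifiers are the editor's mapping.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    control: str                    # framework control the rule evidences
    description: str
    severity: str
    check: Callable[[dict], bool]   # snapshot -> True when compliant


RULES = (
    Rule("SMB1-DISABLED", "PR.IP-1", "SMBv1 disabled (the protocol WannaCry spread over)",
         "critical", lambda s: not s["smb1_enabled"]),
    Rule("MS17-010", "ID.RA-1", "MS17-010 applied on Windows hosts",
         "critical", lambda s: s["os"] != "windows" or "MS17-010" in s["patches"]),
    Rule("SUPPORTED-OS", "ID.RA-1", "operating system still receives security updates",
         "high", lambda s: s["os_supported"]),
    Rule("HOST-FW", "PR.IP-1", "host firewall enabled",
         "medium", lambda s: s["firewall_enabled"]),
    Rule("PATCH-AGE", "ID.RA-1", "last patch applied within 30 days",
         "medium", lambda s: s["days_since_patch"] <= 30),
)

# Fields that change on every scan and must not count as configuration drift.
VOLATILE_FIELDS = {"days_since_patch", "scanned_at"}


def fingerprint(snapshot):
    """Stable SHA-256 of the configuration, ignoring volatile fields."""
    stable = {k: v for k, v in snapshot.items() if k not in VOLATILE_FIELDS}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()


def evaluate(snapshot, rules=RULES):
    """Return the rules the snapshot fails, most severe first."""
    failed = [r for r in rules if not r.check(snapshot)]
    return sorted(failed, key=lambda r: (SEVERITY_ORDER[r.severity], r.rule_id))


def drifted(snapshot, approved_fingerprints):
    """True when the configuration matches none of the approved baselines."""
    return fingerprint(snapshot) not in approved_fingerprints


def report(snapshots, approved_fingerprints, rules=RULES):
    """Per-host summary: failed rule ids (most severe first) and a drift flag."""
    return {
        name: {
            "failed": [r.rule_id for r in evaluate(snap, rules)],
            "drift": drifted(snap, approved_fingerprints),
        }
        for name, snap in snapshots.items()
    }


# Constructed sample data (not real hosts). WS_NURSE_01 is the approved build.
WS_NURSE_01 = {
    "os": "windows", "os_supported": True, "smb1_enabled": False,
    "patches": ["MS17-010"], "days_since_patch": 10,
    "firewall_enabled": True, "local_admins": ["helpdesk"],
}
APPROVED = {fingerprint(WS_NURSE_01)}

SNAPSHOTS = {
    "ws-nurse-01": WS_NURSE_01,
    # Same build, but someone added a local admin: no rule covers that,
    # only the fingerprint comparison notices.
    "ws-nurse-02": {**WS_NURSE_01, "local_admins": ["helpdesk", "contractor"]},
    # Imaging workstation nobody has patched since it was installed.
    "ws-imaging-01": {**WS_NURSE_01, "smb1_enabled": True, "patches": [],
                      "days_since_patch": 90},
    # Embedded Windows on a device gateway, out of vendor support.
    "pump-gateway": {
        "os": "windows", "os_supported": False, "smb1_enabled": True,
        "patches": [], "days_since_patch": 400,
        "firewall_enabled": False, "local_admins": ["Administrator"],
    },
}

if __name__ == "__main__":
    for host, result in report(SNAPSHOTS, APPROVED).items():
        print(f"{host:14} drift={result['drift']!s:5} failed={result['failed']}")
```

The two mechanisms answer different questions. The rules say whether a host meets the controls you have committed to and which control each failure maps to, which is the evidence a HIPAA or NIST assessment asks for; the fingerprint says whether anything at all has changed since the build was approved, which catches the changes nobody wrote a rule for. Collecting the snapshots is the part a real configuration management product does for you; the evaluation is the same whatever the collector.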
3. User education
It is not only malicious external hackers who threaten your organization's critical assets. Insiders who do not know how to avoid falling prey to phishing and other attack vectors are also a threat. Whatever cyber security tools are in place, user education cannot be overlooked: all that was needed to initiate the Locky ransomware attack was one click on a malicious link by an unaware insider.

Patient safety and cyber security are often seen as competing priorities, but as the recent healthcare cyber-attacks show, IT security and patient safety are intertwined.