Perhaps no industry has been challenged this past year like the healthcare industry. With the rise of the COVID pandemic, clinics, hospitals, and organizations have had to rapidly adapt and work around the clock to serve their patients and community.
While COVID has brought an untold number of challenges, there are also other threats that the healthcare industry is facing. Over the last year, healthcare cybersecurity attacks have risen by 55%, affecting over 25 million patients across the United States.
Healthcare has often been a target of cyberattacks, but we witnessed a spike in attacks in 2020. Many organizations and businesses took note of the Solarwinds breach this year, refocusing efforts on network security.
Although it appears the pandemic is receding in intensity, 2020 taught us that healthcare organizations are more vulnerable than one might think. The healthcare industry needs to take new and improved measures to fight against the rise of cyberattacks. In order to properly do so, they must rise against a number of challenges to keep their organizations secure and patient and organizational data away from intruders.
Why the Rise in Healthcare Cyberattacks?
Healthcare has often been a target of cyberattacks and hackers, but why the sudden spike in 2020?
For starters, the healthcare industry is a lucrative industry for hackers, with reports saying that medical information can be up to 40 times more valuable than credit card information or social security numbers.
This information can lead to identity and tax fraud, which attackers can use to secure a large refund from the IRS or other nefarious purposes.
Healthcare organizations, like other businesses around the world, have shifted many workers to remote working. With the sudden switch, many organizations have found themselves unequipped to deal with the remote working challenges. Home networks don’t offer the same protection as your business might and employees may be a little laxer with their personal devices.
In many ways, it’s the perfect storm for attackers. There’s a chance of great reward at the end and many healthcare organizations aren’t prepared for the various cybersecurity challenges. Especially for businesses that haven’t undergone a recent security audit.
The BYOD (Bring Your Own Device) Policy
According to a 2019 study, over 60% of workers used their own devices for work-related activities. While that’s all well and fine for shooting off a quick email or making a call, what happens when private, sensitive information is shared across those devices?
Workers are likely to feel more comfortable with their own devices, but there is still risk involved. Home network security and proper device use are important.
Data theft is one of the biggest risks within the BYOD policy. Home network security often takes second place to ‘why is my Netflix quality so low’ and public WIFIs are very insecure. Sharing files and data over a weak network is a huge risk for healthcare organizations.
Device loss and theft is another risk for employees. While work devices may have remote security measures in place, a regular cell phone likely doesn’t have the same capabilities. A lost or stolen work device likely has remote protection
How to Be Secure
First and foremost, develop a strong BYOD policy for your employees. Set firm guidelines, test your policy amongst your IT staff, and conduct audits from time to time.
A BYOD policy may save your organization money while also increasing employee happiness, it’s important to think about the risk-reward aspect. Employees using their own devices can be quite risky for security.
Lack of Employee Training
Healthcare professionals went to school for years to reach their current position. Organic chemistry, med school, and additional training, the idea of a real job may have felt like a myth at one point.
Despite all that training, healthcare professionals may not have been trained for proper cybersecurity risks.
Many cybersecurity attacks start from something small, like a phishing email or a simple mistake by an employee. Inadequate or poor training is a way that employees can make huge errors, resulting in a huge headache for your organization.
Consider a program like Webroot Training to help train your employees to watch out for cyber attacks. These tests can ensure that you’ll be ready in case a real attack comes in the future.
How to Be Secure
Take employee training seriously! While a mandatory security training session may seem like the most boring thing on earth, setting basic habits can prevent huge catastrophes later.
Even just a one-hour training session can ensure that your employees know how to recognize phishing attacks, how to behave online, what apps to use, and what’s appropriate to download or not.
Outdated Operating Systems
You might be surprised to learn that the US nuclear arsenal is controlled through Windows 95 and old floppy disks. The British nuclear arsenal is controlled by Windows XP.
Software has a short lifecycle and is sustained through annoying upgrades and updates. But software will eventually become outdated. For example, Microsoft stopped support for Windows 8 back in 2016.
Worse than that, over 50% of healthcare organizations rely on its predecessor, Windows 7.
Outdated software poses a huge security risk due to its lack of updates. While updates can come with features, the vast majority of them are security patches to help protect devices. Without updates, there is no way for it to be protected against malicious attacks or advanced cyberattacks.
Old software has a higher risk of system failure as well, meaning precious data and files could be lost with no way to recover them.
How to be Secure
Change can be hard. If your staff and professionals have been using a specific system for years, perfect functionality isn’t going to happen overnight.
The US military used to shovel out $9 million a year for Windows XP support. You probably don’t have that budget and upgrading is expensive, so what do you do?
While there are temporary workarounds, you’re eventually going to have to bite the bullet and spring for the upgrade. The initial cost might be high but think about the costs and headaches you’ll save by preventing a damaging cyberattack.
Malicious Network Traffic
One of the more common attacks, malicious network traffic is any connection, file, or link that is created and received over a network that is corrupted or exposed.
Malicious traffic can be small from affecting one’s computer to large in scale, taking down, or threatening an entire network.
This malicious traffic can lead to other problems, such as malware, ransomware attacks, or even cryptojacking.
Combatting this risk can be tricky, as oftentimes the attack can implement malware without a user even noticing. Many times, it’s too late before someone realizes that an attack has occurred.
How to be Secure
Since malicious network traffic can often sneak under the radar, preventing these attacks comes from consistent monitoring. The best defense is a good offense.
Make sure you’re identifying all equipment, protecting your internal network, and monitoring all software.
MITM attacks are common and often vary in purpose. One of the oldest forms of cyberattacks on the web, an attacker using the MITM method is ‘sitting’ on the connection between two parties.
This can be done through the use of fake networks or by interfering with current networks. MITM attacks use a number of tactics, one of the most common being SSL stripping, allowing the attack to change encrypted data into unencrypted data seamlessly.
How to be Secure
Much like malicious network traffic, protecting against MITM attacks requires consistent monitoring and evaluations of your devices and software.
Since these attacks can often go unnoticed, it’s best to take proactive, precautionary methods to stop these attacks before they occur.
Some of these methods can be quite easy, such as using a VPN, creating strong passwords, and using encryption across all devices.
Protect Your Healthcare Organization from Cyberattacks
The healthcare industry saw a rise in cyberattacks in 2020 and many experts predict this trend will continue for the foreseeable future.
Having strong policies, training employees, and working with an IT team are ways you can protect your healthcare organization from any cyberattacks.
By taking proactive measures, you can lower risks and keep your organization protected.
Here at Atiba our healthcare IT experts team are experts in cybersecurity and have worked with healthcare organizations for nearly 30 years. If you have a question or want to learn more, get in touch today!