This is Part 2 of a 2-part series on cyber attacks in the healthcare industry and steps to take to protect your healthcare organizations from cyber attacks. Part 1, “Understanding Cyber Attacks: A Growing Threat for the Healthcare Industry,” covered the growth of cyber attacks on the healthcare industry, why the industry is being targeted, and the vulnerabilities of the industry that makes it prone to cyber attacks.
Why are Cyber Attacks such a big Problem for Healthcare?
Cyber attacks are a big problem for healthcare due to the significant negative impacts they can have on a healthcare organization and the industry as a whole. These include:
- Breach of privacy: when a cyber attack results in a data breach, patients’ protected health information (PHI) is exposed and their privacy is breached. This is major for a healthcare organization as it has many ripple effects including possible lawsuits from patients, HIPAA fines for violations, loss of confidence in the organization which can result in a loss of potential patients, among other things. These factors all negatively impact the bottom-line of the organization.
- Reduced patient safety: cyber attacks that shut down hospital Electronic Health Records (EHRs) increase the risk to patient safety as without the ability to access these records, patients can be improperly treated. If medical devices such as MRI machines, ventilators, and infusion pumps are attacked, improper diagnoses, treatments, and deaths can result.
- Disruption of services: a cyber attack can incapacitate a healthcare facility, shutting down its systems making it unable to function. The National Audit Office’s investigation into the WannaCry attack on the NHS, found that 34 trusts were infected and locked out of their devices and 46 were not infected but reported disruptions. This resulted in 6,912 appointments being cancelled, with an estimate of more than 19,000 appointments that would have been cancelled in total, based on the normal rate of follow‑up appointments to first appointments.
- Financial loss: this is a significant factor in the burden of cyber attacks on healthcare facilities. Fines for HIPAA violations may be one of the main financial losses associated with breaches to PHI which can result from a cyber attack. On May 6, 2019, the US Department of Health and Human Services (HHS) announced that Touchstone Medical Imaging would be paying the Office for Civil Rights (OCR) of the HHS $3,000,000 for violations of HIPAA to settle a data breach that resulted in the PHI of 300,000 patients being exposed. This is a large sum of money for a single breach and could rise exponentially should further breaches occur. Some facilities choose to pay ransom demands rather than allow their systems to be compromised for any extended period. In June 2019, reports are that NEO Urology in Boardman Ohio paid hackers $75,000 in Bitcoins to unlock their computer system which was hacked and all data encrypted. The system was reportedly held hostage for 3 days and the organization told police that they lost between $30,000 and $50,000 per day. Financial loss can also result if there are lawsuits from patients affected by exposure of their PHI and from loss of business resulting from a loss of confidence in the organization.
- Damage to reputation: data breaches can damage the reputation of a healthcare organization especially if these breaches occur relatively frequently. People will eventually lose trust in an organization if they are not confident that their PHI will be secure. This will lead to a loss of business and financial loss which can ruin an organization.
What are the Key Strategies to Cyber Secure your Healthcare Organization?
As demonstrated above, cyber attacks create huge problems for healthcare organizations, therefore ensuring your organization is cyber secure by implementing cyber attack and data breach prevention strategies, should be a priority for all players in the healthcare industry. While cyber attacks and data breaches may ultimately be unavoidable, being vigilant and implementing mitigation strategies are critical to keeping a healthcare organization cyber secure. Below are some key components to creating a cyber secure healthcare organization:
- Financial investment: make cybersecurity a major line item in the budget. This is essential as it requires money to keep on top of all the current and emerging cybersecurity threats.
- Human resource investment: hire highly trained and qualified individuals to handle the IT infrastructure. Also, ensure continuous training of IT staff to ensure that they can handle new and emerging cyber threats.
- Network and infrastructure: invest in updated computer hardware and software with supported versions of Microsoft Windows. Additionally, consider implementing technical defensive strategies such as network segmentation, firewalls, next-generation firewalls/unified threat management gateways, anti-malware solutions, anti-phishing solutions, encryption technologies, breach detection systems (BDS), vulnerability scanners, and deception technologies.
- Threat modelling: risk assessment: develop a tool for assessing the overall security of your organization’s IT infrastructure by systematically identifying, classifying, and quantifying the amount of risk presented by each threat being evaluated. Conduct self-audits, penetration tests, and risk assessments to find out where the vulnerable/leak points are in your IT systems, and where there is potential for data exposure. Implement measures to reduce and/or eliminate risks identified through the threat modelling and risk assessments and ensure that all endpoints are adequately protected.
- System updates: update all systems regularly with all the latest patches.
- Policies, procedures, regulations, and standards: develop, implement, and ensure adherence to IT policies and procedures. Institute a Bring your own device (BYOD) policy that covers areas such as connecting personal devices to the organization’s network and transferring sensitive information to personal devices. Ensure that your organization in in compliance with all the requisite regulations and standards that govern the healthcare industry.
- Training: staff must be adequately trained and knowledgeable of the organization’s IT policies and procedures which must be enforced. Additionally, conduct regular social engineering training to ensure staff are able to recognize potential threats.
- Develop a security strategy: the organization should develop a security strategy that brings together all the components that govern and impact IT security. It should include an incident response protocol that stipulates how all employees ought to respond should they either discover a security breach or receive a report of a breach. A pre-established incident response team should also be in place that can be quickly mobilized in case of a breach. This team can be composed of members from different functions such as technical, risk management, compliance, human resources, legal, public relations and executive management.
- Implement vendor and third-party risk management programs: these can include only purchasing medical devices from manufacturers who go through rigorous security assessment of the products during design and manufacture; performing risk assessments on all vendors and suppliers; and identifying third-party vendor software and performing security and vulnerability testing to ensure they are safe from hackers.
- Technological investments: invest in technology to help monitor your IT systems for potential threats and to help you recover once a breach has occurred. Technologies exist that can identify and encrypt unprotected files, search your systems for sensitive data and quantify the data that may be at risk, and continuously monitor systems for any suspicious activity and protect endpoints from being hacked. It is also possible to utilize technology to monitor data in the Dark Web to ascertain what records have been compromised and steps to take to recover if your system has already been breached.
Cyber attacks on the healthcare industry are growing. They are a nuisance, they disrupt services, they are expensive, they can damage an organization’s reputation, and recovering from an attack can be difficult. However, you can take steps to cyber secure your healthcare organization by implementing the 10 strategies listed above. These will put you ahead of the game and help you prevent and/or minimize the effect of a cyber attack.
To learn more about simple Healthcare compliance and managing data risk security from cyber attacks, download the playbook here.