cybersecurity

5 Tips for Creating a Safety Culture in Healthcare Cybersecurity
March 29, 2024

What if every organization were required to disclose how many days have gone by since its last accident? The industrial sector is required to do just that. It’s not uncommon to walk through a building and see signs that say something like, “100 days since last accident.” It reflects on the company’s safety standards. Fewer accidents also mean less lost productivity.


So, what if healthcare organizations that handle PHI had to do the same thing? What if they were required to post on the walls of their offices and on their website how many days have gone by since the last time that information was compromised? What would their clients think? 

Sounds crazy, right? But we can learn a thing or two from those hard-working, steel-toe boot wearing workers, and that’s creating a culture of safety. For the healthcare industry, it’s something that must go well beyond technological advances and hacker-blocking software. 

The unfortunate truth is that the healthcare sector is an easy target for cyber criminals because of its vast ecosystem. There are so many interconnected individuals who have access to medical and billing records – patients, dependents, specialists, physicians, hospitals, billing service providers, health insurers… the list goes on and on. Not to mention medical records are the highest valued credentials on the dark web at $20-$50 per record – that’s at least 90% higher than the value of someone’s credit card information. Because of the significant rise in data theft incidents leading to litigation, our country is really facing a ransomware epidemic.

Discover more about healthcare cybersecurity and infrastructure services.

Protecting PHI must go well beyond security tools. It’s about people. Oftentimes there are wide variations in the perception of safety across a single organization. It may be high among executives but low in another unit, or vice versa. Your company may have the most intuitive healthcare cybersecurity software and direct safety processes in place, but at the end of the day, your safety culture won’t shift until every single employee consciously decides to make the change. It requires leadership and commitment. There are certain steps you can take to create a culture of security awareness at work.

 

Tip 1 - Make Healthcare Cybersecurity Personal

In my opinion, this is the best tip because it hits home for many and creates motivation. Security awareness really affects all aspects of life; it’s not just about work. We live in an always-online culture. People are sharing a wide array of personal information online, even if they only post a photo on Facebook. We’re exposed on a daily basis to data theft, phishing attempts, and all kinds of social engineering tactics, and most people don’t realize it. When security issues are raised in a broader context, employees are more engaged, and they will be more interested if their emotions are sparked. For example, I led an employee presentation with our SEO Manager a few months ago on protecting your personal information from hackers on websites and social media. When employees realize that not practicing good safety habits could affect their finances or even their families, that concern carries over to the workplace.

 

Tip 2 - Don't Play the Blame Game

It's easy to point fingers, but individual blame is very much a roadblock to creating a safety culture. However, there still remains the issue of accountability because some errors may seem blameworthy. To reconcile the two, try the concept of “Just Culture”, a widely used approach that focuses on identifying and addressing systems issues that lead employees to engage in unsafe behavior (such as leaving a computer unlocked, or downloading sensitive information to a USB drive) while still maintaining individual accountability by establishing zero tolerance towards recklessness, i.e. no one gets special treatment. A “Just Culture” distinguishes between accidents, at-risk behavior (taking shortcuts) and reckless behavior (ignoring safety protocol). The response to an error is dependent on the type of behavior associated with the error, not the severity of the issue. So, regardless of whether or not someone else was put in harm’s way, the employee is treated the same way no matter what.

 

Tip 3 - Appoint Security Officers to Enforce Your Privacy Policy

Promoting safety standards isn’t just IT’s job. Try appointing a security officer within each department to help promote good practices. That way, you have more eyes and ears dedicated to the cause and spread awareness on a more granular level.


Tip 4 - Protect your Healthcare Data through Gamification

A little healthy competition never hurt anyone, especially when it comes to healthcare cybersecurity. When departments are encouraged to compete against each other towards a particular goal, you’ll raise a lot more interest in keeping data safe. For example, which department will catch the most phishing emails over the course of a week?


Tip 5 - Use the KISS Approach

My music instructor in college used to say this to me when I overcomplicated a piece of music I was trying to play. It stands for “Keep It Simple Silly.” Silly it may sound, but it’s absolutely applicable to creating a safety culture. Try to keep your approach simple and aligned with business goals. There should always be an underlying goal to practice safety protocol no matter what you’re doing, but try to achieve incremental goals instead of attempting to achieve everything at once. Identify what behaviors and processes you want to achieve, then align them with your business goals. This will help employees understand why creating a safety culture will benefit the company as a whole.

Cybersecurity in Healthcare and You
March 29, 2024

 How much would you spend to get your life back? What about those of your patients? These are questions that many healthcare providers must ask themselves at one point or another. The healthcare sector has become one of the most popular among hackers and cyber criminals because medical identity theft is an incredibly lucrative business. Millions of patient medical records were exposed in 2016, and that number is projected to rise this year. In an industry moving towards value-based payment models, quality care must now include protecting patient health information using safe record-keeping practices.


 

Cybersecurity in Healthcare is Different for Every Organization

Healthcare data security is by no means "one size fits all." A small, rural practice will invest differently than a large, metropolitan hospital. Based on your business and your particular needs, you should identify what data is most important to protect, then plan your safety measures accordingly. Perhaps you'll realize that technology isn't what's needed, but people and processes instead.

The average cyberattack for a small healthcare provider can cost upwards of $1 million in recovery. Read more about it in our white paper, "Healthcare, Cybersecurity, and You."

We're Our Own Worst Enemy

According to a recent study by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), users rather than technology issues are the top causes of risk to cybersecurity in healthcare because many employees forget to follow basic cyber safety rules. It happens because of a wide range of reasons: lack of training and/or cybersecurity personnel, or simply that policies aren't truly enforced by the organization. Following your safeguards plays an important role in forming a trusting relationship between provider and patient. It's not just a collection of data you're protecting, it's someone's life. Let's discuss a few tips to get your organization's record-keeping practices on the right track. 

Establish a Security Culture

There's a major human blind spot with respect to information security: overconfidence. The "it will never happen to me" mindset. No matter the level of education or experience, the weakest link in any computer system is almost always the user. So, what can be done to ensure an organization-wide security culture?

  • Frequent education and training - Ongoing mitigation steps allowing for discipline, documentation and compliance.
  • Avoid exceptionalism - You shouldn't have a get-out-of-jail-free card as an executive. Those who manage and advise should set an example and take every precaution needed - the same as everyone else - to safeguard sensitive information.
  • Information security as a core value - It should without a doubt take a seat at the table of core values within your organization. When staff embraces accountability and willingness to take responsibility over information security, you know you truly have a shared vision.


Change STRONG Passwords on a Regular Basis

Passwords are your first line of defense when preventing hacks into any computer. No matter what type of operating system, it should require a password to log in. A strong password may not be able to completely deter a hacker, but it will definitely slow down their progress. Don't choose passwords that:

  • Are found in a dictionary
  • Match your username
  • Include personal information - Your name, birthday, family member names, pet names, etc. 
  • Refer to anything on your social media pages - Anything found on your social pages like Facebook and Twitter should never be used as a password, whether your profiles are private or not. Anything you post on social media CAN be found and potentially used against you.

A strong password is at least eight characters long and contains a combination of upper and lowercase letters, numbers, and at least one special character (e.g. * ? !).

 

Maintain Good Habits

Similar to eating fruits and vegetables or walking up the stairs instead of using the escalator in an effort to be healthier, a little goes a long way in a system maintenance regimen. It's necessary to maintain the health of your systems and reduce the risk of a breach.

  • Uninstall software applications that aren't essential to running your practice - games, messaging applications, photo-sharing, etc. 
  • Don't simply accept default options when installing software on your device.
  • Read through your options and understand the choices thoroughly before accepting. 
  • Disable file sharing and printing for remote staff. Leaving them enabled could result in accidental sharing of information with unauthorized locations.


Plan For the Unexpected: Use Firewalls and Anti-virus

Unless your practice is completely disconnected from the Internet, you should always use a firewall and anti-virus software to protect against malicious intrusions. The firewall inspects all messages coming in from the outside and decides whether or not each message should be allowed in based on pre-determined criteria. Anti-virus stops malicious software that has already gotten past your safety measures and entered the system.

Control Access to PHI - Both Virtually and Physically

Never forget that the devices that hold sensitive information should also be secured from unauthorized access. Believe it or not, the most common way that electronic health information is compromised is not through virtual attacks, but through the loss of the physical device itself, both accidental and theft. Thumb and flash drives, CDs, DVDs, laptops, handhelds, desktops, hard drives, backup tapes, and even entire network servers can be physically removed and compromised. Securing these devices in locked rooms only accessible to limited staff members, managing physical keys, and restricting staff from moving devices from a secure area is a great start. 

In an industry that's shifting towards value-based care and payment models, true quality care cannot be accomplished without also taking the security of your patients' health information into consideration. Protecting patients through data security practice should become second-nature to your entire staff and executive team. Once it becomes one of your organization's core values and you begin to anticipate the worst, you will truly create a long-lasting environment of cybersecurity in healthcare benefiting the health and safety of your patients and your business.

Cybersecurity Realities
March 29, 2024

American security consultant and former con man Frank Abagnale once said, “Technology breeds crime and we are constantly trying to develop technology to stay one step ahead of the person trying to use it negatively.”


The average cyberattack for a small healthcare provider can cost upwards of $1 million in recovery. Download white paper, "Healthcare, Cybersecurity, and You."

Unfortunately, cybercrime is constantly evolving, and you need to be doing all you can to protect yourself and your company from it.   One in three Americans is affected by cyber related attacks every year – this equates to an attack every 35 seconds.  Chances are likely that you or your practice have been compromised at some point. Protecting critical data is one of the biggest challenges that a company will face.  In healthcare, with the added requirements of HIPAA compliance and protecting PHI, your information security posture can easily be one of your most important business decisions.

Alarmingly, it is reported that over 75% of the healthcare industry has been infected with malware and is in the top 5 industries attacked with ransomware.  In 2018, hackers stole nearly 600 million personal records, and overwhelmingly targeted healthcare practices, providers and medical manufacturers as victims of their crimes.

Over 95% of all cybersecurity breaches are a result of human error.  Bad actors always look for the weakest link, and the highest value targets as a point of infiltration.  Owners, the c-suite, accounts payable accountants, and in the case of practices, the physicians as well as the billing administrator are all considered to be valuable targets for the criminal looking for an opening to the data they want.  Once they are in, however, most companies don’t even detect that they have had a breach for a mind-boggling 6 months.

Develop a human firewall.

 One of the most challenging parts of developing a security minded focus in an organization is getting past the “this only happens to other people” or "this can’t happen to me” mindset.  It is commonplace for people to believe that they are never sloppy and are always doing the right things.  This is when most mistakes happen.  From day one of employment forward, employees should be assimilated into a security culture.  Everyone in the organization should be an integral part of the solution, lest they become the problem.  Simple steps such as locking the computer when not actively working, changing strong passwords often, reporting suspicious emails, and questioning things such as requests for payment or anything that seems “out of place” should all be part of a daily routine, to the point of creating muscle memory.

Education and training for employees.

Training and education is something that should always be done, and everyone in the organization needs to be involved in the process.  Benjamin Franklin best said, “Tell me and I forget, teach me and I may remember, involve me and I learn.”  A good cyber posture, for any company, begins and ends with the employees.  The threats are constantly evolving.  As such, your education should always be current, relevant and constant.  Consider things such as phishing tests and social engineering training with follow-up quizzes to stay sharp.

Limiting Network Access

Flexibility and remote access can be very useful to employees. Network technologies such as instant messaging, file sharing, remote screen access and Bluetooth file dropping are also very popular. These tools are often assumed to be safe and convenient but are fraught with security issues when not limited to the scope needed to complete business. The law requires that health care information be protected due to its sensitivity, and these technologies should be used with extreme caution. Practices with a solid security footing have taken the step of disallowing these technologies altogether, as they well understand that the benefits offered do not outweigh the risks involved.

Create a cyber security incident response plan 

Incident response is a well-planned approach to determine how to manage reaction after a breach or cyber-attack.  The goal is to minimize the damage, maintain business continuity and mitigate attack related losses and exposure.  To achieve this goal, it is recommended that you do two different things.

  • Get everyone in the habit of reporting anything they see that could have any impact, from strange emails and intrusive calls to unknown attachments in email that have made it beyond the firewall. Employees should have a short form that they can fill out and send to the team member tasked with cyber or IT.
  • Develop an incident response form and checklist. It should be simple, yet specific. This is a great way to capture the information that is needed, and it should be easily followed by those who have a “need to know.” Your checklist should include some, if not all, of the following information:
  1. Identification: Who reported the incident? When was it reported? Where was the threat detected or located?  What impact does it have to operations?  What is the extent?
  2. Containment: Can the issue be isolated? Have backups been made to protect PHI and business-related files? Have all threats been removed from the system?
  3. Mediation/Eradication: Does anything need to be reconfigured to restore normal operations? Have all possible entry points been closed?  Have all affected machines been updated and patched?  Has all malicious activity been removed?

Once the threat has been eradicated, when possible, you should share with your team what happened, how it happened, and include training to ensure that it does not happen again. 

IBM President/CEO and Chairman Ginni Rometty said, “Cybercrime is the greatest threat to every company in the world.” This prophecy has been trending toward true, as it is expected that data breaches, in the year 2020, will account for over 3 billion dollars, and it is likely that cyber related crime could become one of the greatest threats to every person in the world within the next decade.

By developing a solid cyber stance in your practice, continuing education, creating a response plan, and above all being a human firewall you can be the strongest link in your organization, and work to stay one step ahead of the bad actors.

Data Hosting and Hardware Habits
March 29, 2024

Hardware, software, malware, ransomware...so many wares, ware to begin?

“Outdated systems tend to be more vulnerable to attack,” Paul Bischoff, Editor of Comparitech, notes in a FierceTech article.

Updates and reboots and releases, oh my!

System updates are often neglected by organizations where an IT team isn’t enforcing such processes on a regular basis.  Hardware and software can quickly become obsolete right under the nose of your team, causing unexpected issues, slowdowns, crashes or even cyber-attacks.


 

Another layer of complication arises when hardware that goes without updates is no longer supported by manufacturers, referred to as ‘end of life equipment’. If a malfunction does happen, it will be difficult to get support from the company you purchased said hardware from, due to likely agreements around required updates.

A general technology best practice is to purchase maintenance for your switches, firewalls and servers whether they are in-house or through a third-party. A good rule-of-thumb is to evaluate the age of your hardware every three to five years.

Firmware, "a software program or set of instructions programmed on a hardware device...provides the necessary instructions for how the device communicates with the other computer hardware,” according to TechTerms, can also cause issues when version releases are not installed.

Check out ImagineHosting™, your trusted data center partner.

At the individual user level, system reboots are also necessary. Consider implementing a company policy around required reboots that occur at least once a month. Weekly reboots are preferable, if your business allows users to do so.

Just one, or all these vulnerabilities combined, can easily be used to gain access to a company’s system, exposing sensitive data. When in doubt, update and stick to a regular maintenance plan!

Physical security, bodyguard not included.

When it comes to technology, physical security isn’t typically top-of-mind for the average user.

The location of servers, in relation to disaster recovery measures especially, may ring a bell, but what about placement of workstations?

A hacker attempting to infiltrate a system will go to any length to access data, including onsite snooping.  Consider where monitors are facing and if your screen is visible through windows and to the eyes of outdoor onlookers.  While a privacy screen is not always necessary, it is a viable option for offices with many ground-level windows. Pay attention to the position of your team’s offices and consider slight adjustments to placement of computer screens.

Second, user profiles can present a kink in the physical security armor if not properly configured. Regular timeouts, robust password configurations and frequent password changes are important to enforce, preventing unwanted access to workstations. While the National Institute of Standards and Technology still recommends a minimum eight-character complex (mixed case, numbers, special characters) password length, longer passwords (11-14 characters) are strongly encouraged to significantly improve your security posture!

Users should be in the habit of locking their computers before leaving their desks, even for a short window of time. Not only could sensitive information easily be viewed, but someone could also maliciously infiltrate the system under your credentials, which makes you accountable for any damage done.

Private cloud or on premise, assure you're protected.

Data hosting is a daunting task, especially in the healthcare realm.  Assuring PHI is totally secure puts pressure on practices and groups to regularly reevaluate their hosting situation and options.

Do you have unwavering faith in your current data center?

Ensure these boxes are checked and your data center is more than just a physical home for your data:

  • 99.9% uptime guarantee - Never lose time or deal with the frustration of system downtime.
  • SOC II and PCI DSS certified - Healthcare and payment specific security certifications validate that proper protocols are in place.
  • 24/7 monitoring - Whether it’s an internal IT team or a third party, constant watch is necessary.
  • Disaster recovery - Servers should be geographically separate from your office in case of natural disaster.
  • Daily backups and updates - Preventative maintenance is key to the lifeblood of your servers.
  • Physical security - A guarded data center is a happy data center.

Data Loss Prevention, A Crucial Link in the Cybersecurity Chain
March 29, 2024

Data loss prevention (DLP), also known as data leak prevention, is a process of analyzing data in real time to stop breaches before they can occur. DLP ensures users do not send critical information outside the organization network, mistakenly or intentionally. Data can be corralled with the help of various software solutions that help prevent file sharing that has not been approved by a system administrator.


Convert from your old billing system to one designed to minimize the risk of data loss.

Common components of a successful DLP Program

  • Data flow audits: email, workspace, detection of suspicious activities, etc.
  • Endpoint data protection: email and network, devices, printers, etc.
  • Cloud data safeguards: protection of cloud drives

Mitigate your risk before it’s too late.

You have a firewall and basic security measures in place, so you must be covered, right? Cyber hacks only happen to huge corporations, ‘surely we’re safe’, you think. These sentiments are myths; data can be leaked from virtually any electronic device, at any time.

Data leakage is most often caused by human error and defects in processes or system configurations.

In the world of healthcare, given the storage of sensitive patient information, the bullseye becomes exponentially larger, and hackers seem to spot it from a mile away. According to a Trustwave report, a healthcare record can be worth $250 on the black market.

The flow of sensitive data goes beyond dealings with PHI in your day-to-day workflow. Emails, removable storage devices, internet surfing, file sharing, instant messaging applications and social media are just a few of the methods in which data can escape the safety net of your organization.

It’s not a matter of if, but when...

80 percent of companies surveyed experienced a cybersecurity incident in the past year, according to the Better Security And Business Outcomes With Security Performance Management Report by Forrester Consulting.

The study also highlighted the importance of leveraging cybersecurity metrics to relay the pertinence of investing in a robust security program to executives, stating, “Cybersecurity is now a board-level topic and one that senior business stakeholders believe contributes to the financial performance of their firm. Develop meaningful security metrics that highlight how an effective security program helps preserve and protect brand and reputation to avoid squandering the spotlight.”

Where to begin?

Successful DLP programs start with a few simple steps:

  • Categorize your data – What is the most sensitive data flowing through your organization? What needs to be more restricted than other pieces of information? Get your company information classified before embarking on the DLP implementation journey.
  • Monitor your moving data – What mediums are used to send and receive data across your company? Where is my data at risk?
  • Build controls - Ensure you put rules in place, then effectively communicate them across your organization.
  • Training – Provide employees with initial and ongoing training and start detecting and preventing incidents.

The moral of the story is to prepare cybersecurity metrics to gain executive buy-in then implement a robust DLP plan to start safeguarding your data.

Encryption Doesn’t Have to be That Cryptic
March 29, 2024

Sharing of data is a common aspect of everyday workflow in almost every organization across the country. Whether it’s via email, a Cloud storage system or instant messenger software, security measures are crucial to back these systems and prevent data loss.


In 2020, data breaches exposed 36 billion records in Q2 and Q3, with an additional 2,422 million records exposed in Q4. Healthcare was the most breached economic sector in 2020, with hackers capitalizing on the COVID-19 pandemic and the stress it put on the healthcare industry, according to RiskBased. These sobering numbers should be enough to scare any healthcare company into enhancing cyber security measures. Starting with one of the most common sources of data sharing, employee email accounts, may make sense for your team.

Convert from your old billing system to a new, faster system designed to minimize the risk of data loss.

Why Encryption Matters

The process of converting common text into unintelligible content for protection, or the reverse of this process, is called encryption. Why would encryption be crucial to your organization’s cyber security fortress? Security holes in email systems do happen. Take the early 2021 Microsoft Exchange hack that impacted at least 30,000 organizations, according to KrebsOnSecurity. As vulnerabilities are exposed and hackers enter your system, unencrypted, sensitive data is waiting on a silver platter to be taken and used to the hacker’s advantage. Credit card numbers, PHI, private conversations and proprietary company information could all be endangered.

Many see email as a simple path from their inbox to the recipient’s inbox, but there are several points on this journey that open your email to threats. Virtru explains the path an email takes once it’s launched from your inbox and the surprising stops it makes along its trek.

  1. First stop – Your email server. (hint: check your address bar in your browser for the lock symbol to denote encryption)
  2. Second stop – Your receiver's email server. Unfortunately, there is virtually no way to determine if the recipient’s server is encrypted.

With the click of a button, this email could’ve been quickly encrypted and secured along every facet of its expedition.

Think of it as sending sensitive information through the United States Postal Service. You wouldn’t send it on the back of a postcard for anyone along the way to see, but rather in a sealed envelope – encryption is that sealed envelope.

The Many Benefits of Encryption with Virtru

  • Prevent third-party access to data – the most obvious upside to encrypting your organization’s emails. Keep your pertinent data in the hands of only those who should have access.
  • No manual key exchanges – some encryption solutions require users to exchange keys. Virtru hosts keys or allows your organization to host them.
  • Additional applications are unnecessary – no need to install new systems, Virtru integrates with your team’s current email system keeping workflows the same.
  • Quick and simple usage – users easily click a button embedded in their email system and Virtru does the work!

Encryption shouldn’t be a disabler, but rather an enabler of secure communications, Virtru more than meets that requirement.

Healthcare, Cybersecurity and You
March 29, 2024


How much are you investing in the security of your practice?

The average cyberattack for a small healthcare provider costs upwards of $1 million in recovery. In this five-page white paper, you will find a comprehensive overview of cybersecurity with best practices to confidently protect your patients and the livelihood of your business. Learn how to:

  • Establish a culture of security
  • Implement multiple lines of protection to PHI
  • Maintain your software from common sources of attacks
Phishing Phacts & Phears
March 29, 2024

Don’t take the bait...

Your computer chimes with the familiar notice of a new email, you navigate to your inbox to see the message is from the CEO of your company.  You notice their last name is one letter off and think, ‘that is a bit strange, must be a fluke,’ and proceed with opening the email.  Scanning the contents, your heart begins to race, your CEO expresses his urgent need for a $500 gift card and notes that you’ll be reimbursed immediately if you can reply to the email and send the money right now. You love your job...you need your job...$500 is a lot of money, but with moderate hesitation you send the gift card. You've just become the victim of a classic phishing swindle.


Got any breaches? Go phish.

An astounding “91% of successful data breaches started with a spear phishing attack”. Moreover, “30% of data breaches are caused by repeat offenders from within the organization”, according to KnowBe4. No hooks or fish were involved in the making of this statistic; spear phishing is the act of fraudulently sending emails from a seemingly trusted author to trick the recipient into revealing sensitive information.
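The one-letter-off sender name in the opening scenario is a sign that mail filtering can check for as well as employees. The sketch below is an added example, not part of the original article; the protected-sender directory, the clinic.example domain and the sample messages are constructed for illustration.

```python
"""Flag inbound mail whose sender imitates a protected executive."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> the only address that person sends from.
PROTECTED_SENDERS = {"Dana Whitfield": "dana.whitfield@clinic.example"}
# Constructed list of the organization's own mail domains.
TRUSTED_DOMAINS = {"clinic.example"}
# Number of single-character edits still treated as "looks like the real one".
MAX_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(text):
    """Lower-case and collapse whitespace so cosmetic changes do not hide a match."""
    return " ".join(text.lower().split())


def check_sender(raw_message):
    """Return a list of finding codes for the From header of one message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rpartition("@")[2]
    name = normalize(display)
    findings = []

    for real_name, real_address in PROTECTED_SENDERS.items():
        distance = edit_distance(name, normalize(real_name))
        if distance == 0 and address != real_address:
            # Exact executive name, but not the address that person uses.
            findings.append("NAME_MATCH_WRONG_ADDRESS")
        elif 1 <= distance <= MAX_DISTANCE:
            # The "last name is one letter off" case from the scenario.
            findings.append("NAME_NEAR_MATCH")

    if domain and domain not in TRUSTED_DOMAINS:
        if any(edit_distance(domain, t) <= MAX_DISTANCE for t in TRUSTED_DOMAINS):
            findings.append("DOMAIN_LOOKALIKE")
    return findings


# Constructed sample messages (headers only matter here).
LOOKALIKE_NAME = (
    'From: "Dana Whitfeld" <dana.whitfeld@mailbox.example>\n'
    "Subject: Urgent - gift card needed today\n\nReply as soon as you can.\n"
)
LEGITIMATE = (
    'From: "Dana Whitfield" <dana.whitfield@clinic.example>\n'
    "Subject: Staff meeting moved to 3pm\n\nSee you there.\n"
)
LOOKALIKE_DOMAIN = (
    'From: "Dana Whitfield" <dana.whitfield@cl1nic.example>\n'
    "Subject: Quick favor\n\nAre you at your desk?\n"
)
UNRELATED = (
    'From: "Pat Lee" <pat@vendor.example>\n'
    "Subject: Invoice 1042\n\nAttached.\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike name", LOOKALIKE_NAME),
                       ("legitimate", LEGITIMATE),
                       ("lookalike domain", LOOKALIKE_DOMAIN),
                       ("unrelated", UNRELATED)]:
        print(f"{label:17} -> {check_sender(raw) or 'no findings'}")
```

A finding is a reason to tag or hold the message for review, not proof of fraud; staff with similar names need an allow-list entry.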

Find out what percentage of your employees are Phish-prone with a FREE Phishing Simulation.

Rogue clicks sink ships.

Many individuals would not realize the impact one click can have on their entire organization. 34% of businesses hit with malware take a week or more to regain access to their data*. Imagine putting your entire operation out of commission for over seven days. The revenue loss would be startling, the guilt insurmountable.

How can your company stop a detrimental cyber-attack before it has the chance to ravage your data? Education is a crucial step in moving to a more secure environment. Implement internal technology regulations and required cyber security training on a regular basis to proactively prevent attacks. Identifying the common signs of a phishing attempt should be part of every employee’s repertoire. This process can seem daunting. Where do you start? Performing a phishing simulation on your organization is a viable option.
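One of those signs, the sender name that is one letter off in the CEO gift-card email described earlier, can also be checked automatically on inbound mail. The Python sketch below is an added example, not part of the original post; the executive directory, the clinic.example domain and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed directory of protected senders: display name -> genuine address.
# Names and the clinic.example domain are assumptions for this example.
EXECUTIVES = {
    "dana whitfield": "dana.whitfield@clinic.example",
    "omar reyes": "omar.reyes@clinic.example",
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # drop a character
                           cur[j - 1] + 1,              # add a character
                           prev[j - 1] + (ca != cb)))   # swap a character
        prev = cur
    return prev[-1]

def check_sender(from_header, max_distance=1):
    """Classify a From: header as 'ok', 'lookalike' or 'impersonation'."""
    display, address = parseaddr(from_header)
    name = " ".join(display.lower().split())   # normalise case and spacing
    if not name:
        return ("ok", None)
    for exec_name, exec_addr in EXECUTIVES.items():
        distance = edit_distance(name, exec_name)
        if distance == 0 and address.lower() != exec_addr:
            return ("impersonation", exec_name)   # right name, wrong mailbox
        if 0 < distance <= max_distance:
            return ("lookalike", exec_name)       # name is one letter off
    return ("ok", None)

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Dana Whitfield <dana.whitfield@clinic.example>",
    "Dana Whitfeld <ceo.office@mail.example>",
    "Dana Whitfield <dana.whitfield.ceo@freemail.example>",
    "Billing Team <billing@clinic.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), header)
```

A From: address that matches the directory is not proof of origin, so a check like this belongs alongside the SPF, DKIM and DMARC results from the receiving mail gateway, not in place of them.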

Phishing is a team sport.

Start with some simple steps to get your program off the ground:

  • Initial testing – assess the results of your first phishing simulation to establish a baseline of who took the bait and who did not
  • Start training – whether it’s in-person seminars, on-demand videos or written assessments, put a training routine in place and be consistent
  • Regular phishing simulations – start sending your team periodic phishing emails with an option to report said attempts to your IT team
  • Repeat steps 2 and 3 until you’ve gathered enough data to analyze. Identify your weakest links and consider supplemental training or disciplinary action.

Interested in a free phishing simulation trial? Let us know! Happy phishing! (Simulating phishing, that is)

Risks in Healthcare Cybersecurity and How to Avoid Them
March 29, 2024

Healthcare Cybersecurity Statistics 2019

  • This year, there have been 3.68 million individuals affected by data breaches currently under investigation by the U.S. Department of Health and Human Services.
  • Healthcare data breaches are reported at a rate of one per day.
  • Security company Cybersecurity Ventures predicts that healthcare will incur two to three times more cyber-attacks than the average of all other industries.
  • The most common locations of breaches to patient health information (PHI) are email, printed documents, and a company’s network server.
  • Hacking and IT-related incidents account for most data breaches. Other causes include misuse of administrative privilege, improper disposal, theft and unauthorized access.


 

What is Data Privacy in Healthcare?

The most widely agreed upon standard for data privacy in healthcare comes from the HIPAA Privacy Rule, which establishes national standards to protect patient medical records and health information. The rule requires appropriate safeguards for the privacy and security of PHI, and it sets out who is covered by the privacy rule, the type of information that’s protected, and the limitations on how PHI can be used by a company or practice.

Sensitive healthcare data can include patient data like PHI, payment records, payer and provider employee data, and data related to wired and wireless IoT (Internet of Things) medical devices. In addition to HIPAA’s Privacy Rule, 47 states have laws that require security breaches involving personal data to be reported to the authorities.

 

Importance of Data Security in Healthcare

Why is information security important in healthcare? For starters, it’s a market opportunity, and it’s a goldmine for criminals!  Cyber criminals cost the global economy over $400 billion a year, according to estimates by the Center for Strategic and International Studies.  As we saw with Target in 2013, just one data breach can throw a $145 million wrench in the cogs.  Healthcare data breach costs are the highest of any industry at $408 per record.  While credit card information and PII sell for a couple dollars on the dark web, patient health information can sell for as much as $363 according to the Infosec Institute.

The average cyberattack for a small healthcare provider can cost upwards of $1 million in recovery. Learn methods to protect your patients and the livelihood of your business in "Healthcare, Cybersecurity, and You."
 

Types of Healthcare Data Security Threats

One of the best preventative measures you can take to secure your company’s data is to educate yourself on the methods used by hackers to access PHI.  Most threats are a combination of software and social engineering.

  • Ransomware – Ransomware is a type of malicious software where an attacker holds a user’s system or personal information hostage in exchange for payment.  The healthcare industry accounted for 88% of all ransomware attacks in the U.S. in 2016.
  • DoS Attacks – DoS, or denial-of-service, attacks are a type of attack where your server is bombarded with traffic requests to overwhelm it and shut the service down. Like ransomware attacks, DoS is often used to hold a web-based service hostage.
  • Phishing – A phishing scam tricks users into unknowingly providing access to a system through an email or pop-up disguised as a legitimate request. According to a 2018 report by phishing defense company Cofense, the terms most often used in email subject lines for phishing attacks include “New Message in Mailbox” and “Attached Invoice.”
  • Man-in-the-middle Attacks – This is a type of cybersecurity attack where an attacker eavesdrops on communication between two entities. Man-in-the-middle attacks can occur through your SSL connections, Wi-Fi network, and DNS.
  • Malware – Malicious software such as a virus, worm or Trojan horse, where code is injected into your computer to steal, delete or encrypt information.

Healthcare Data Security Challenges

Annual data breaches increased by 73% between 2010 and 2017. 34% of healthcare data breaches occur from unauthorized access or disclosure. While seemingly more threatening, malicious breaches occur half as often as breaches due to internal mistakes.

According to the FBI, an increase in healthcare cyber intrusions is likely due to a lack of resilience compared to the financial and retail industries.  Health organizations have a lot of information that’s valuable to criminals.  They often have a bunch of personal information that can be used for traditional financial fraud, as well as health insurance information that can be sold for even more on black markets.

Most healthcare breaches are motivated by financial gain, with healthcare workers most often using patient data to commit tax or credit fraud.

The unfortunate truth is that the healthcare sector is an easy target for cyber criminals because of its vast ecosystem.  There are so many interconnected individuals that have access to medical and billing records – patients, dependents, specialists, physicians, hospitals, billing service providers, health insurers… the list goes on and on.  Not to mention medical records are the highest valued credentials on the dark web at $20-$50 per record – that’s at least 90% higher than the value of someone’s credit card information.

According to a recent study by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), the top causes of risk to cybersecurity in healthcare include a lack of training, lack of enforcement, and overconfidence.

 

Tips for Cybersecurity in Healthcare

Healthcare data security is by no means "one size fits all."  A small, rural practice will invest differently than a large, metropolitan hospital.  Based on your business and your needs, you should identify what data is most important to protect, then plan your safety measures accordingly.  Perhaps you'll realize that technology isn't what's needed, but people and processes instead.

  1. Promoting safety standards isn't just IT's job. Appoint a security officer within each department to help promote good practices; you’ll have more eyes and ears dedicated to the cause and can spread awareness on a more granular level.
  2. Use firewall and anti-virus to protect against malicious intrusions. The firewall inspects all messages coming in from the outside and decides whether each message should be allowed in based on pre-determined criteria. Anti-virus stops malicious software that has already gotten past your safety measures and entered the system.
  3. Passwords are your first line of defense when preventing hacks into any server. By ensuring that employees have a strong password, a company can all but eliminate 75-80% of cyber-attacks.
  4. If a hack or breach does occur, disclose the incident immediately to your security team.  Information can often be recovered if authorities are notified soon after a security breach.  Recovering data is extremely difficult as more time goes by because of the network of offshore channels this information is relayed through.

Your company may have the most intuitive healthcare cybersecurity software and direct safety processes. But at the end of the day, your safety culture won’t shift until every single employee consciously decides to change their habits.  It requires leadership and commitment!

Thank you Phishing Simulation
March 29, 2024

Thank you!

Thank you for registering for a FREE phishing simulation! A representative will be in touch soon to talk through the process and schedule a day for you to begin testing your employees.

Best Regards,

Ben Buchanan, Chief Marketing Officer


Thank you Whitepaper Download - Cybersecurity
March 29, 2024

Thank you!

Thank you for your interest in our white paper. A copy is on its way to your inbox.

If you have any questions about this white paper or about any of our medical billing and revenue cycle management solutions, please don't hesitate to reach out to us!

Best Regards,

Ben Buchanan, Chief Marketing Officer

