Your worst day starts like this. The emergency department at your small hospital is full of high-acuity patients. A fentanyl overdose and an ectopic pregnancy keep your team on their toes, while a patient with a gunshot wound needs immediate surgery. And just as your surgeon is scrubbing in, the hospital’s systems go down. All of them, from patient billing to email to EHR systems. None of your providers can access patient data – because the hospital has been hit with a ransomware attack.
If this scenario sounds absurdly dramatic, you might be surprised to hear it’s increasingly common. Ransomware attacks on hospitals rose sharply during the pandemic, forcing hospitals to cancel surgeries and delay cancer treatment, lab testing, and prenatal care. Small clinics, private practices, and staffing companies are also prime cybercrime targets; a 2020 breach at one staffing agency exposed the private information of 30,000 staffers, and the staffing company paid $10,000 to each individual impacted. Healthcare is a top target for cybercriminals, who deploy attacks both stealthy and outrageous.
Because October is Cybersecurity Awareness Month, we want to share some of the steps we’re taking toward fortifying our security. We view this as a foundational requirement, not only to protect our staff but to protect the facilities we work with and their patients. Security is interdependent. One vulnerability in one system can affect multiple organizations. And the cybercrime aftermath hurts everyone, from the loss of patient trust to employee ID theft to fines and HIPAA penalties.
Healthcare is a Tempting Cybercrime Target
Over the last three years, 93% of healthcare organizations experienced a data breach. Here are a few reasons why the healthcare sector can be easy prey.
- The life-or-death nature of operations puts pressure on hospitals to pay high ransoms to criminals who’ve taken control of their systems.
- Dollar for dollar, electronic protected health information (ePHI) fetches more on the black market than credit card data. A single patient record can sell for $1,000 or more.
- Even small healthcare entities are rich in data, with photos, Social Security numbers, resumes, birthdates, and other sensitive information in their systems – and many have weak security protections.
- Traveling clinical staff often log in and out of systems such as EHR applications from different locations and devices. Security measures that add friction can feel burdensome in their fast-paced world. They may find workarounds to get their jobs done, even if it means flouting security policies – a gift to hackers waiting to steal their credentials.
- A small healthcare IT team is often technologically outclassed by highly skilled, well-funded criminal rings. These teams must protect an ever-changing suite of technologies across the Internet of Things, cloud-based platforms, remote access, medical wearables, and an array of internal systems spanning patient records, billing, payroll and other needs.
Despite these vulnerabilities, many healthcare leaders consider cybersecurity “just a tech issue” that eats up budget they’d rather allocate to patient care. What they don’t understand is that just one disruption can be disastrous to clinical outcomes. A patient’s greatest danger may come not from a medical error but from a digital crime – making security a patient care issue.
Strengthening Your Cybercrime Security Program
You’ll often hear security teams refer to the PPT model – People, Process, and Technology. Hopefully your organization already practices basic security hygiene through privileged access management, risk assessments, password policies, third-party penetration testing, and other measures. However, it’s worth checking that you’re covering your people and process bases too. Here are the essential building blocks for a healthcare security program.
- Build a culture of security. Leaders should understand that security impacts all departments, from delayed chemotherapy to HIPAA fines to staff walking out the door when their private information is stolen. Employees should understand their role in protecting patients and colleagues so they follow best practices and don’t try to “cheat” security controls.
- Invest in the right technology. Tools abound across encryption, backup and disaster recovery, perimeter protection, intrusion detection, and multi-factor and adaptive authentication. But these tools must both satisfy security and compliance protocols and provide a flexible and efficient experience for clinical staff. If providers don’t have frictionless access to patient data, the tools aren’t working.
- Design an incident response plan. A recent American Hospital Association podcast described a hospital that had to buy walkie-talkies from Best Buy to keep operations going after a ransomware attack. When attackers infiltrated another hospital and encrypted its 1,300 servers and deposited malware on 5,000 devices, the hospital was forced to operate by paper for a month while they rebuilt their infrastructure. Younger physicians didn’t know how to write orders on paper; no one could access clinic schedules.
- Train staff. Employees are always your biggest vulnerability. The attack mentioned above started when an employee opened an emailed file from her homeowners association, which had been hacked. Teach staff to recognize the signs of phishing emails and CEO fraud, in which a criminal impersonates a trusted company or leader to request personnel data, gift cards, or an electronic funds transfer. Even basic tips such as hovering over links before clicking, confirming sensitive requests through a second channel, using different passwords for different systems, and not opening unexpected attachments can help staff keep the door locked against criminals.
- Test clinical and administrative staff. Security vendor Barkly found that more than three-quarters of users who said they understood the risks of clicking on links in emails clicked on them anyway. Another study found that 4% of employees clicked 80% of phishing links, and 3% were responsible for 92% of malware events. Testing can identify the employees most at risk and train them before an incident happens.
Stopping Tomorrow’s Attacks with Today’s Security
The rising tide of cybercrime makes a well-fortified security program a must for every healthcare organization, large and small. Attacks will grow more sophisticated; the damage will become more severe. To protect patients, administrative staff, clinicians, and the very future of their organizations, leaders must invest in strong protection to survive in the increasingly digital landscape of healthcare.