It doesn’t matter if you’re a major healthcare provider, small private practice, lab, or medical equipment manufacturer — cyber security should be at the top of your priority list.
Healthcare organizations are a melting pot of personally identifiable data, medical records, financial information, research, and intellectual property — all of which attackers can sell or hold for ransom.
But that’s not the only risk. A data breach that compromises patient data could lead to reputation damage and legal or regulatory enforcement. If the attack takes systems offline, it could cause significant financial loss and jeopardize patient safety.
The good news is, when it comes to cyber security, even the small steps make a big difference. With a little time, a lot of education, and the right investments, you can improve your healthcare organization’s security to keep patients and their data safe.
If you’re in the healthcare industry, keep reading to find out our top tips for strengthening your cyber security.
1. Train employees on cyber security
Verizon’s 2021 Data Breach Investigation Report found that 85% of all data breaches involved some element of human error. The end-user is often the weakest cyber security link, which attackers use to their advantage.
Last year, for example, suspected North Korean hackers targeted various employees at COVID-19 vaccine developer and biopharmaceutical giant AstraZeneca. Posing as recruiters, the attackers approached victims with fake job offers and files that appeared to contain additional information. The documents contained malicious code that could have given the attackers access to the victim’s system.
Luckily, the hackers were unsuccessful, but this story highlights the importance of educating employees about cyber attacks and security.
Social engineering attacks
Education should start with one of the biggest cyber risks. Many cyber attacks use social engineering techniques to fool employees — such as physicians, assistants, and administrative staff — into clicking on malicious links or sharing credentials. If successful, attackers may then:
- Compromise private patient data, including medical records
- Intercept financial or medical insurance payments
- Shut down systems and demand ransom to restore access
Employees should be aware that phishing emails often intentionally use typos to evade spam filters or to single out easier targets. Emails may use aggressive or intimidating language to pressure the victim into responding, or carry malicious attachments that, once opened, download malware onto the system.
Choosing the right passwords
Passwords are the first — and sometimes only — line of defence stopping attackers from accessing accounts and compromising sensitive patient data. Far too many users rely on weak credentials, such as “password”, “123456”, and “qwerty.”
Yes, simple passwords are easy to remember, but also easy for attackers to guess.
Instead, employees should know how to create a strong password. Passwords should be long and complex, with a mix of upper and lowercase letters, numbers, and symbols. Every additional character makes it more challenging and time-consuming for an attacker to crack. Something like “A$fkLLffm39@zldeG” would be strong.
We also recommend using passphrases — strings of words that make sense to the user and no one else — as these are naturally longer and harder to guess. “Green-wall-window-blind-33” is an example of a great passphrase.
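As an added illustration of the advice above (not part of the original article), here is a small Python checker that applies the policy the article describes: reject the weak examples it names, accept a long mixed-character password or a multi-word passphrase, and estimate how much guessing work each imposes on an attacker. The thresholds, the tiny common-password list, and the 7,776-word list size are assumptions; the passphrase estimate is the conservative one, assuming the attacker knows the word list.

```python
import math
import re
import string

# Constructed stand-in for a breached-password list: only the three weak
# examples the article names. A real deployment would load a full list.
COMMON_PASSWORDS = {"password", "123456", "qwerty"}

# Policy thresholds are assumptions based on the article's advice.
MIN_PASSWORD_LENGTH = 12   # minimum length for a character-mix password
MIN_CLASSES = 3            # of: lowercase, uppercase, digits, symbols
MIN_PASSPHRASE_WORDS = 4   # minimum words for a passphrase
WORDLIST_SIZE = 7776       # assumed size of the passphrase word list

# (pool size, membership test) for each character class
CLASSES = (
    (26, str.islower),
    (26, str.isupper),
    (10, str.isdigit),
    (len(string.punctuation), lambda c: c in string.punctuation),
)

def present_classes(candidate):
    """Pool sizes of the character classes actually used in the candidate."""
    return [size for size, test in CLASSES if any(test(c) for c in candidate)]

def brute_force_bits(candidate):
    """Bits of work to enumerate every string of this length over the pool
    (this is why each extra character costs the attacker more)."""
    pool = sum(present_classes(candidate))
    return len(candidate) * math.log2(pool) if pool else 0.0

def passphrase_words(candidate):
    """Alphabetic words of a hyphen- or space-separated passphrase."""
    return [w for w in re.split(r"[-\s]+", candidate) if w.isalpha()]

def passphrase_bits(candidate):
    """Conservative estimate: attacker knows the word list and word count."""
    return len(passphrase_words(candidate)) * math.log2(WORDLIST_SIZE)

def evaluate(candidate):
    """Return (accepted, reason) for one credential against the policy."""
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "appears on the common-password list"
    if len(passphrase_words(candidate)) >= MIN_PASSPHRASE_WORDS:
        return True, f"passphrase, at least {passphrase_bits(candidate):.0f} bits"
    if len(candidate) < MIN_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_PASSWORD_LENGTH} characters"
    if len(present_classes(candidate)) < MIN_CLASSES:
        return False, f"uses fewer than {MIN_CLASSES} character classes"
    return True, f"password, about {brute_force_bits(candidate):.0f} bits"

if __name__ == "__main__":
    for pw in ("password", "qwerty", "Ab1!", "abcdefghijklmnop",
               "A$fkLLffm39@zldeG", "Green-wall-window-blind-33"):
        ok, why = evaluate(pw)
        print(f"{'ACCEPT' if ok else 'REJECT'} {pw!r}: {why}")
```

Run as written, the checker rejects the three weak examples, a short mixed password and a long single-class one, and accepts both of the article's strong examples, reporting roughly 111 bits for the random password and a floor of about 52 bits for the four-word passphrase.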
Bonus tip: A password manager makes it easy for you to create, securely store, and retrieve unique and complex credentials. Look for a password manager with a strong reputation among clients and a clear commitment to security, fair pricing, and support for the platforms you use (such as iOS and Linux).
Other cyber security training topics to consider
Every healthcare organization is unique with different training needs and priorities. Regardless of what your organization’s areas of concern are, you may also want to conduct training about:
- Data privacy regulations and their impact on operations — for example, what are your responsibilities for data breach notification, both to authorities and affected clients?
- How to physically secure IT assets — ensure everyone within the organization has auto-lock turned on for their company devices and never leaves them unattended.
- How to respond to a cyber security incident — should employees forward suspicious email messages they receive? If yes, when and to whom?
2. Put the right technology in place
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is an essential tool to protect email and other accounts. It adds a defensive layer by requiring two or more authentication factors to confirm user identity.
Authentication factors typically fall into three categories:
- Passwords, passphrases, or personal identification numbers
- Hard tokens (USB key) or soft tokens (text or app notification)
- Unique biometric characteristics (fingerprint or facial recognition)
With MFA enabled, even if an attacker obtains an employee’s password, they won’t have the keys to the kingdom. They’ll still need other credentials to gain access, limiting the success of certain cyber attacks that involve account takeover, such as business email compromise (BEC).
Use a virtual private network (VPN)
Accessing data over a shared internet connection can introduce added cyber risk. While convenient, public hotspots typically have minimal security measures, which makes them relatively easy targets.
If employees must use public Wi-Fi, a virtual private network (VPN) can help secure their connection. It works by routing the device’s traffic through an encrypted tunnel to the VPN provider’s server, which masks the user’s internet protocol (IP) address and shields the connection from eavesdropping on the untrusted network.
There are several instances when a healthcare worker would want to use a VPN, for example:
- When using public Wi-Fi at a conference or café
- When travelling (especially at an airport or hotel)
- When accessing the organization’s network remotely
Choose a VPN based in a country with solid data protection laws and nearby servers for a more reliable connection. Remember that, unlike certain firewalls, VPNs can’t stop users from clicking on malicious websites or links.
3. Patch and update regularly
Cyber criminals may look for unpatched or outdated assets as a way of accessing an IT environment. Developers regularly provide software updates to address performance issues or improve their software, and they supply separate patches to address specific security vulnerabilities they’ve found.
The healthcare industry has made significant technological advances in the last several years. Small and large institutions have brought smart devices, electronic databases, and more into the workplace, all of which require regular updates to eliminate security loopholes that attackers can exploit.
Why is patching challenging?
We recently ran a series of patch-related polls for cyber security professionals on Twitter and the results were eye-opening. Nearly 72% of respondents said they spent zero hours per week manually looking for potential software vulnerabilities and available patches. Almost one-third said unpatched software led to an incident at their organization.
We also asked respondents to select the biggest challenge to patch management. These were the results:
- Identifying updates (14%)
- Applying patches (19%)
- Lack of resources (22%)
- All the above (45%)
To make patching as easy as possible, ensure automatic updates are always turned on and working correctly. You can also develop a formal patch management policy to identify the high-priority systems (which systems are most vulnerable if outdated?) and assign roles (who’s responsible for finding and applying updates?).
The problem with legacy systems
Sometimes, developers stop supporting software altogether. This leads to outdated “legacy” systems which the 2020 HIMSS Cybersecurity Survey found are extremely common in healthcare. Of the 168 US-based cyber security professionals who responded to the survey, 80% said their organization currently used legacy systems. Replacing legacy systems can be extremely expensive but is a pivotal step in reducing risk.
4. Have a recovery plan
The unfortunate reality about cyber attacks is that no matter how many measures you put in place, they can still happen. Attackers can be persistent — given enough time, they can find their way into your systems.
This is why disaster recovery plans are essential — especially for those in the healthcare industry where “life-or-death” is a very real possibility. Should an incident occur and limit access to critical patient files, your teams need a plan to follow to ensure critical systems stay up and running.
Make sure you’re regularly backing up critical data as part of your recovery plan. Backups make it easy to retrieve essential files and resume operations quickly after an attack.
Every backup solution has its advantages and disadvantages. Take the time to select an approach based on your company’s unique needs. For example, saving business-critical data to an external hard drive might not make sense for telehealth providers.
5. Continuously monitor for cyber threats
The best way to keep your firm secure is to monitor your network, cloud-based services (e.g., electronic medical records systems), endpoints (e.g., workstations), and Internet of Things devices (e.g., wearable devices) for threats. Comprehensive monitoring is increasingly important as hybrid work environments — a mix of in-office and remote work — grow in popularity.
Unfortunately, an in-depth assessment conducted by PwC found that many healthcare organizations lack proper internal monitoring. The firm simulated real-world cyber attack techniques and was able to compromise sensitive data in a “surprising number of cases.” Among the five steps PwC suggested to strengthen cyber security readiness? Actively monitor systems.
Having the right solution in place makes it easy to spot cyber threats in even the most complex IT environments. A holistic threat monitoring, detection, and response platform provides the end-to-end visibility needed to find and stop attacks early before they can cause too much damage.
Securing your healthcare organization for the future
Your industry experiences many conventional cyber attacks, such as BEC, ransomware, and nation-state attacks. But cyber security is always changing, and you may not have time to keep your finger on the pulse of the threat landscape.
Instead, sign up for our newsletter below. You’ll receive the latest news about new and emerging threats, cyber security best practices and tips, informative webinar invites, and more!