Earlier this year, the U.S. Department of Health and Human Services (HHS) released its Health Care Industry Cybersecurity Task Force report. It found that, while the healthcare industry is making strides in adopting new and modern technology and security measures, hackers and cybercriminals always seem to be one step ahead.
“What we consistently encountered was a strategic pitfall in the cybersecurity environment,” said Atlantic Council Director of the Cyber Statecraft Initiative and HHS Cybersecurity Task Force member Josh Corman, in an article with Healthcare IT News. “Healthcare cybersecurity is in critical condition.”
To be fair, the rest of the world’s cybersecurity is in “critical condition” as well. Ransomware is a major problem in every industry. Kroll Ontrack reports that the WannaCry ransomware worm infected over 220,000 computers earlier this year, including “several British hospitals, Renault, a French car maker, and the German railroad operator, Deutsche Bahn.”
Nevertheless, healthcare professionals must hold themselves to a different standard from those in other industries. HIPAA helps to define that standard, but moral responsibility dictates that if you are to do no harm, you first need to understand how to protect the technological infrastructure you use to improve patient lives. Here’s what health administrators need to know about cybersecurity:
Malware is cheaper than ever to purchase and easy to deploy
Cyberattacks are on the rise, in part, because malware is so cheap and accessible. SecureWorks’s “2017 State of Cybercrime Report” finds that criminals have adopted the software-as-a-service (SaaS) model: malware authors build easy-to-use tooling and sell or rent it at affordable prices. This means that even criminals without a technical background or prior experience in cybercrime can now buy a working ransomware kit and extort victims for cryptocurrency.
This is one of the reasons that Danny Palmer, writing for ZDNet, suggests that ransomware was already booming back in 2016.
“Why spend time and effort developing complex code or generating fake credit cards from stolen bank details if ransomware can result in instant payments of hundreds or even thousands of dollars from large swathes of infected victims at once?” he asks. “For cybercriminals, ransomware is now the best way to make a quick buck.”
Your employees are putting your hospitals at risk…
…or, as Marc Zandelhoff, writing for Harvard Business Review, put it: the biggest cybersecurity threats are inside your company. “…when you read the next salacious headline about some breach by an external hacker, remember that these attacks account for less than half of the breaches out there,” he writes. “And remember that the hacker probably used the identity of an unsuspecting employee to pull it off.”
It’s true. Social engineering and phishing attacks have risen in popularity, and educating your employees is one of the few defenses that addresses the human step directly. This doesn’t mean a one-time seminar, but ongoing education that is approached diligently, repeated often, and measured (for example, with periodic simulated phishing). Training alone will not stop every click, so pair it with technical controls that limit what a stolen password is worth, such as multi-factor authentication on email and clinical systems.
Attackers now favor email as a primary infection vector, because employees in all fields, not just healthcare, keep falling victim to phishing and social engineering. For cases where an outside attacker is posing as an employee, XMedius suggests that moving sensitive exchanges out of email and into a secure file exchange program boosts cybersecurity in healthcare IT: a spoofed message can no longer carry the attachment or link that does the damage.
The IoT is growing and still often unsecured
The prevalence of connected devices in healthcare makes many things easier, but it also presents security risks of its own.
“An attack on a single IV infusion pump or digital smart pen can be leveraged to a widespread breach that exposes patient records,” writes Dawn Kawamoto for Dark Reading.
She quoted Saurabh Harit of Spirent, the company that detected the smart pen and IV pump vulnerabilities: “What makes medical data more lucrative than the financial data is the low and slow detection rate of the fraud itself,” he said. “While credit card fraud can be detected and blocked in a matter of minutes these days, medical data fraud can go undetected for months, if not more.”
Healthcare administrators should also note that the danger is not limited to connected devices and stored patient data: the growth of the IoT means we could see a heightened incidence of DDoS attacks that cripple the connections those devices depend on. Have a response plan ready, plan for uptime, and patch software vulnerabilities promptly. On top of that, implement a strict BYOD policy, keep connected medical devices on their own segment rather than the guest network, and log and monitor activity on both your administrative and guest networks.
AI offers a potential solution
Artificial intelligence has finally moved from science fiction to science fact. We’re not talking about artificial people that walk and talk, like androids, but about programs that can automate tasks such as the BYOD policy enforcement and activity monitoring described above.
“Machine learning and artificial intelligence utilize the behaviors of end users and information systems to learn what is normal activity,” says Anahi Santiago, chief information security officer at Christiana Care Health System in Delaware. “Artificial intelligence can then be used to take action, without human intervention, when activity deviates from the norm.”
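What that looks like in practice, stripped to its essentials: learn each user’s normal behaviour from historical audit logs, then score new activity against it and attach an action to anything that deviates. The block below is an added illustration written for this article, not code from Christiana Care or any vendor product. It uses a constructed audit-log format (`<timestamp> user=… patient=… action=…`), synthetic baseline counts, and an invented action policy (alert on off-hours activity or an unknown account, suspend the session on a volume spike); all of those are assumptions for the example. It also handles the two edge cases a real deployment must cope with, malformed lines and accounts with no history at all.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit-log format (not a real EHR vendor's format):
#   <ISO timestamp> user=<id> patient=<mrn> action=<view|export>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Synthetic baseline: distinct patient records each user touched per day
# over a five-day learning window (constructed numbers, not real data).
BASELINE_COUNTS = {"nurse1": [8, 10, 9, 11, 12], "admin1": [2, 3, 2, 3, 2]}


def synthetic_baseline_lines():
    """Expand BASELINE_COUNTS into log lines spread over daytime hours (8:00-15:00)."""
    lines = []
    for user, counts in BASELINE_COUNTS.items():
        for day, n in enumerate(counts, start=1):
            for i in range(n):
                ts = f"2017-11-{day:02d}T{8 + i % 8:02d}:15:00"
                lines.append(f"{ts} user={user} patient=MRN{i:04d} action=view")
    return lines


def parse(lines):
    """Yield (timestamp, user, patient, action); skip malformed lines rather than crash."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["patient"], m["action"]


def build_baseline(events):
    """Learn, per user, the mean and spread of distinct records per day and the hours worked."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> date -> {patients}
    hours = defaultdict(set)                          # user -> {hour of day seen}
    for ts, user, patient, _ in events:
        per_day[user][ts.date()].add(patient)
        hours[user].add(ts.hour)
    baseline = {}
    for user, days in per_day.items():
        counts = [len(p) for p in days.values()]
        baseline[user] = {
            "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0,
            "hours": hours[user],
        }
    return baseline


def detect(lines, baseline, z_threshold=3.0, min_stdev=1.0):
    """Score one day of activity against the baseline and return a list of findings.

    min_stdev floors the divisor so a user with a very regular history is not
    flagged for a single extra record (and so a zero spread cannot divide by zero).
    The "action" field is an illustrative policy, not a recommendation from the article.
    """
    patients = defaultdict(set)   # user -> distinct records touched today
    off_hours = defaultdict(list)  # user -> timestamps outside learned hours
    for ts, user, patient, _ in parse(lines):
        patients[user].add(patient)
        b = baseline.get(user)
        if b is not None and ts.hour not in b["hours"]:
            off_hours[user].append(ts.isoformat())
    findings = []
    for user, seen in patients.items():
        b = baseline.get(user)
        if b is None:
            # No history at all: an unknown account touching PHI is itself notable.
            findings.append({"user": user, "reason": "no_baseline", "action": "alert",
                             "detail": f"{len(seen)} records, no learned behaviour"})
            continue
        z = (len(seen) - b["mean"]) / max(b["stdev"], min_stdev)
        if z >= z_threshold:
            findings.append({"user": user, "reason": "volume", "action": "suspend_session",
                             "detail": f"{len(seen)} records vs mean {b['mean']:.1f} (z={z:.1f})"})
        if off_hours[user]:
            findings.append({"user": user, "reason": "off_hours", "action": "alert",
                             "detail": "activity at " + ", ".join(off_hours[user])})
    return findings


# Constructed detection-day lines: an off-hours export, an account with no
# baseline, a malformed line, and one user touching 25 records in an hour.
DETECTION_LINES = [
    "2017-11-06T02:03:11 user=admin1 patient=MRN9001 action=export",
    "2017-11-06T02:05:42 user=admin1 patient=MRN9002 action=export",
    "2017-11-06T09:30:00 user=contractor7 patient=MRN9003 action=view",
    "garbage line with no fields",
] + [
    f"2017-11-06T10:{i:02d}:00 user=nurse1 patient=MRN{5000 + i:04d} action=view"
    for i in range(25)
]

if __name__ == "__main__":
    base = build_baseline(parse(synthetic_baseline_lines()))
    for finding in detect(DETECTION_LINES, base):
        print(finding)
```

Run as a script, it reports three findings: admin1 exporting at 02:00 (an hour never seen in that user’s history), contractor7 with no baseline at all, and nurse1 at roughly ten standard deviations above a normal day. The z-score and hours-of-day model is deliberately simple; commercial products learn richer features, but the shape is the same: a learned profile per principal, a deviation score, and a policy that maps scores to actions.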
The truth is, health administrators need to know a lot going into 2018. Most of all, they need to know that cyberattacks will continue to be a major threat, and that vigilance in education is key to thwarting them. You won’t deter all of them, and knowing how to respond once an attacker is inside is just as important as keeping malicious actors out. Hone your strategies and skills, and stay in the know.