The first few weeks of January always seem to be accompanied by an influx of new cybersecurity trends, forecasts, and concerns. As expected, 2018 has followed this pattern—and with the need for secure patient information growing ever more critical and the arrival of GDPR in May, it’s no surprise that healthcare experts are deep in conversation about the pitfalls organizations might face this year.
What to expect from this blog:
In this blog, we’ve recapped five of healthcare’s biggest cybersecurity concerns for 2018. Use the following sections to learn which vulnerabilities you should be aware of, then read the related resources for information that may help your organization plan for these forecasts … or avoid them altogether.
Let’s get started!
By now, everyone is aware that cyber attacks and data breaches are omnipresent risks in healthcare—and hackers often seem one or two steps ahead of our preventative attempts. Organizations are working hard to catch up with these threats, but that doesn’t keep industry experts from anticipating a breach this year.
According to a recent survey from Ponemon Institute, 67% of CISOs believe a cybersecurity attack will happen to their organization in 2018. As attacks get harder and harder to decipher (unlike the golden days of foreign princes offering you money), this survey reports that the majority (65%) thought a careless employee would cause a breach, followed by concerns over ransomware attacks and patient data being compromised at a large scale.
It’ll take time to address every concern listed in Ponemon Institute’s survey, but when it comes to the 65% who worry about their employees, you don’t have to be one of them. This blog covers everything you need to know about how implementing a security awareness program can make employees your strongest—rather than your weakest—defensive players.
Meanwhile, for those worried about compromising thousands of patient records during a data breach, this scenario (and many like it) can be avoided through the right precautions. Get started today: use these eight tips to implement strong security practices and avoid a data breach.
HealthIT Security writes that in 2017, “78 percent of [healthcare] providers report[ed] that they experienced a healthcare ransomware or malware attack.” Because of how successful these attacks have been, many expect they’ll increase in 2018, leaving providers uncertain about how to address the possibility of a ransomware and malware infiltration.
Electronic Health Records (EHRs) are a prime ransomware target: locking the one database every clinician needs is exactly the leverage an attacker wants. Blocking ransomware and malware requires broad preventative measures like employee training, properly configured firewalls, hardened systems, and strong access management policies (more on that under item 4). Two further controls limit the damage when prevention fails: encrypting patient data at rest, so that a copy stolen before the lockout is useless to the attacker, and periodic backups, so you can restore without paying.
Data backup is one of HIPAA’s Security Rule requirements (a data backup plan under the contingency plan standard); if you haven’t already, make it a priority. Take copies of your database and update them frequently. Store them offsite, and keep at least one copy offline or otherwise unreachable from the production network, because modern ransomware looks for mounted backup shares and encrypts those too. Test a restore on a regular schedule; a backup you have never restored is a hope, not a control. When you’ve built policies and processes around these backups, add them to your incident response plan so you can refer to them in an emergency.
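The restore drill described above, as an added example that is not part of the original post or any vendor’s product: it backs up a directory of constructed (fake) patient records into an archive with a per-file SHA-256 manifest, wrecks the live copy the way an encryptor would, restores the archive elsewhere, and checks every restored file against the manifest. The directory layout, file names and record contents are assumptions made for the example.

```python
"""Back up an EHR data directory with a hash manifest, then prove the backup is
restorable. Added example with constructed sample data; not a vendor's code."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample records (fake patients), used only to exercise the code.
SAMPLE_RECORDS = {
    "patients/1001.json": '{"id": 1001, "allergies": ["penicillin"], "dose_mg": 50}',
    "patients/1002.json": '{"id": 1002, "allergies": [], "dose_mg": 10}',
    "audit/2018-01-09.log": "09:12 user=rn_lee action=view record=1001\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def populate(root: Path, records: dict = SAMPLE_RECORDS) -> None:
    """Write the constructed sample records under root."""
    for rel, text in records.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def create_backup(source: Path, dest: Path) -> tuple[Path, Path]:
    """Write dest/ehr.tar.gz plus dest/ehr.manifest.json (relative path -> sha256).
    Hashes are taken from the live files at backup time, so the manifest is the
    reference for what a correct restore must reproduce."""
    dest.mkdir(parents=True, exist_ok=True)
    archive, manifest = dest / "ehr.tar.gz", dest / "ehr.manifest.json"
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                hashes[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path, restore_to: Path) -> dict:
    """Extract the archive into restore_to and compare every file with the manifest.
    Returns {"ok": bool, "missing": [...], "corrupt": [...], "unexpected": [...]}."""
    expected = json.loads(manifest.read_text())
    restore_to.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Minimal path check: refuse members that would escape the restore directory.
        safe = [m for m in tar.getmembers()
                if not (m.name.startswith("/") or ".." in Path(m.name).parts)]
        tar.extractall(restore_to, members=safe)
    restored = {p.relative_to(restore_to).as_posix(): sha256_file(p)
                for p in restore_to.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - set(restored))
    unexpected = sorted(set(restored) - set(expected))
    corrupt = sorted(r for r in expected if r in restored and restored[r] != expected[r])
    return {"ok": not (missing or corrupt or unexpected),
            "missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def simulate_ransomware(live: Path) -> None:
    """Overwrite every live file with junk, the way an encryptor would."""
    for p in live.rglob("*"):
        if p.is_file():
            p.write_bytes(b"\x00ENCRYPTED" + hashlib.sha256(p.name.encode()).digest())


def drill() -> dict:
    """Full exercise: back up, wreck the live copy, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live, offsite, restore = (Path(tmp) / n for n in ("live", "offsite", "restore"))
        populate(live)
        archive, manifest = create_backup(live, offsite)
        simulate_ransomware(live)
        result = verify_restore(archive, manifest, restore)
        # Prove the restored copy is the pre-attack data, not the encrypted one.
        result["restored_matches_original"] = (
            (restore / "patients/1001.json").read_text() == SAMPLE_RECORDS["patients/1001.json"])
        return result


def tamper_drill() -> dict:
    """Same drill, but the archive is altered after backup; verification must notice."""
    with tempfile.TemporaryDirectory() as tmp:
        live, offsite, restore = (Path(tmp) / n for n in ("live", "offsite", "restore"))
        populate(live)
        archive, manifest = create_backup(live, offsite)
        # Replace the archive with one built from altered data (a poisoned backup).
        (live / "patients/1002.json").write_text('{"id": 1002, "allergies": [], "dose_mg": 100}')
        with tarfile.open(archive, "w:gz") as tar:
            for p in sorted(live.rglob("*")):
                if p.is_file():
                    tar.add(p, arcname=p.relative_to(live).as_posix())
        return verify_restore(archive, manifest, restore)


if __name__ == "__main__":
    print(json.dumps(drill(), indent=2))
    print(json.dumps(tamper_drill(), indent=2))
```

The manifest is only worth something if it is stored separately from the archive (ideally with the offline copy), so that whoever can replace the backup cannot also rewrite the hashes that vouch for it. In production the drill is the same sequence against a real restore target, run on a calendar, with the result recorded.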
Don’t have an incident response plan yet? Create one using this blog of templates and resources.
If you use Windows systems, you already know your environment can be hit by ransomware and malware. But if you also run IBM systems or servers, as many healthcare organizations still do, it’s easy to fall into the trap of thinking that these attacks (and similar viruses) can’t touch you.
Unfortunately, that just isn’t true. An IBM i, AIX, or Linux server that exposes file shares to Windows clients can store and redistribute infected files even when the malware never executes on the server itself, and native malware for AIX and Linux exists as well. Treat these servers as part of the attack surface and scan them like everything else.
Healthcare organizations juggle hundreds of important responsibilities a day. They provide their patients with top-notch care, secure their technology from life-threatening risks (like power outages or equipment failure), and do everything else that comes in between.
With all these tasks to focus on, many haven’t been able to update their systems and equipment. Providers want to secure their data with the best possible technology, but investing in new equipment, software, and hardware can cost a pretty penny. On the other hand, a well-placed attack at an area of weakness can cause a breach that costs even more than it would’ve to invest in up-to-date systems.
“Healthcare facilities make extensive use of legacy systems,” writes Harvard University in this report. “In fact, numerous hospitals still rely on devices that have reached their end-of-life or that are no longer supported.” What does that mean? While it may save money in the short-term, if any of your systems are outdated or unsecured, including that one printer staff rarely use, a well-aimed cyberattack could sneak into your network and cause havoc.
Our suggestion? If you can’t afford to replace devices, make sure every one that still receives vendor support is on the latest security patches. For devices past end-of-life, where no patch is coming, use compensating controls: put them on a segmented network, restrict which hosts can talk to them, and disable any service or remote access they don’t need. Build and maintain an inventory of every networked device, that rarely used printer included, so you can see where the gaps and unpatched systems in your network are.
As healthcare technology changes due to evolving patient, vendor, and employee needs, so should cybersecurity policies and audit processes. However, this piece can be easy to overlook—and it’s become an issue that needs to be addressed in 2018.
According to Healthcare IT News and the PwC Health Research Institute, “while 95 percent of provider executives believe their organization is protected against cybersecurity attacks, only 36 percent have access management policies and just 34 percent have a cybersecurity audit process.” This means that two in three organizations don’t have the right plans in place to ensure their data is safe.
Good cybersecurity policies are important. In fact, you likely already have some implemented in your organization. But as the stats suggest, over 60% of providers lack an effective Identity and Access Management (IAM) policy, leaving them wide open to risks from inside threats like careless employees, vendors, and users.
We recommend reviewing your current IAM policy to ensure all your gaps are covered. The following blog discusses five recommendations from the HHS Office for Civil Rights (OCR), the agency that enforces HIPAA, that you can use to get on the right track.
To combat any business vulnerabilities you might have, your organization should strive to complete frequent risk assessments. This is already a requirement of HIPAA and HITECH compliance. However, it doesn’t hurt to also conduct them during specific events, like when introducing new third-party vendors, adding new locations or offices, or integrating new devices.
There are different ways to run a risk assessment. You can run it manually, but this is typically a resource-heavy process and leaves room for error. You can also use software to automate your evaluations. Good software will track activity logs, encrypt files, give you control over your keys and certificates, and let you build reports on important system information. An even better solution, like managed file transfer, will do all that for your Windows, Linux, and IBM i systems—and help you meet HIPAA compliance requirements too.
As cyber attacks evolve with today’s growing technology and devices, industry experts are concerned that hackers will change their strategies for getting at patient data. Instead of holding patient data hostage, some organizations are worried that attackers will quietly alter records to falsify their contents.
Falsely altered records mean more than compromised data and financial ruin. According to this article on the vulnerabilities of unsecured systems and health devices, “hackers can change medical record information on allergies, diagnoses, or doses of prescribed drugs. Incorrect information on even one medical record could be fatal.”
So, how does an organization safeguard against this sort of attack? Having audit policies in place to watch for unauthorized changes made to patient records is a start: every update to a clinically significant field (allergies, diagnoses, prescribed doses) should be logged with who changed it, when, and the old and new values. By using a solution that scans activity logs for out-of-place adjustments, such as a change made by a user whose role has no business editing that field, a change made outside normal hours, or a dose that jumps by an order of magnitude, you can be alerted and catch the problem (whether internally or externally created) before it reaches a patient. Two caveats: the logs themselves need protecting, since an attacker who can alter a record can usually alter the local trail too, so forward them to a write-once store the EHR administrators can’t edit; and alerting is only useful if someone is assigned to review the alerts.
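The kind of log scan described above, as an added example rather than code from the original post or any product: it parses a constructed EHR audit log and flags updates that break a role-to-field rule, happen outside business hours, or change a dose by a large factor. The log format, the user-to-role table, the business-hours window and the dose threshold are all assumptions for the example; a real deployment would take them from the EHR’s own audit schema and access policy.

```python
"""Scan EHR audit-log lines for record changes that should not have happened.
Added example: the log format, roles and thresholds are assumptions, not a
real product's schema."""
from datetime import datetime

# Which roles may change which clinically significant fields (assumption).
FIELD_ROLES = {
    "allergies": {"physician", "nurse"},
    "diagnosis": {"physician"},
    "dose_mg": {"physician", "pharmacist"},
}
# User-to-role mapping as the IAM system would provide it (assumption).
USER_ROLES = {"dr_patel": "physician", "rn_lee": "nurse",
              "bill_ops": "billing", "svc_etl": "service"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local (assumption)
DOSE_JUMP = 5.0                 # flag dose changes of 5x or more in either direction

# Constructed sample log (not real data). Format: ts user action record [field old new]
SAMPLE_LOG = """\
2018-01-09T09:12:03 user=rn_lee action=update record=1001 field=allergies old=penicillin new=penicillin,latex
2018-01-09T09:40:11 user=dr_patel action=update record=1001 field=dose_mg old=50 new=75
2018-01-09T23:05:42 user=bill_ops action=update record=1002 field=allergies old=sulfa new=none
2018-01-10T02:17:09 user=dr_patel action=update record=1003 field=dose_mg old=10 new=100
2018-01-10T10:02:55 user=svc_etl action=update record=1004 field=diagnosis old=E11.9 new=Z00.00
2018-01-10T11:15:00 user=rn_lee action=view record=1002
"""


def parse_line(line: str) -> dict:
    """Turn 'ts k=v k=v ...' into a dict with a parsed timestamp."""
    ts, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in kv:
        k, _, v = item.partition("=")
        rec[k] = v
    return rec


def check(rec: dict) -> list:
    """Return the reasons this event is suspicious (empty list means it looks fine)."""
    reasons = []
    if rec.get("action") != "update":
        return reasons                      # views are not record changes
    role = USER_ROLES.get(rec["user"], "unknown")
    field = rec.get("field")
    allowed = FIELD_ROLES.get(field)
    if allowed is not None and role not in allowed:
        reasons.append(f"role {role} may not change {field}")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("change outside business hours")
    if field == "dose_mg":
        try:
            old, new = float(rec["old"]), float(rec["new"])
            if old > 0 and (new / old >= DOSE_JUMP or old / new >= DOSE_JUMP):
                reasons.append(f"dose jumped {old:g} -> {new:g}")
        except (ValueError, ZeroDivisionError):
            reasons.append("non-numeric or zero dose")
    return reasons


def scan(log_text: str) -> list:
    """Return (record, user, reasons) for every line that trips at least one rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = check(rec)
        if reasons:
            alerts.append((rec["record"], rec["user"], reasons))
    return alerts


if __name__ == "__main__":
    for record, user, reasons in scan(SAMPLE_LOG):
        print(f"record {record} changed by {user}: " + "; ".join(reasons))
```

Run against the sample log, the scan flags the billing user editing allergies at night, the physician’s tenfold dose change at 02:17, and the ETL service account rewriting a diagnosis; the nurse’s daytime allergy update and the physician’s 50 to 75 mg adjustment pass. The rules are deliberately simple so that each alert carries a reason a reviewer can act on; adding a check that the user had a recent encounter with that patient is the natural next rule.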
We also suggest following these four security strategies to protect EMRs from malicious tampering.
Stay ahead of today's ever-changing threats. Protect critical data with these automated security solutions.