The healthcare industry is subject to many types of existing and new cybersecurity threats. With technology constantly developing and information considered to be highly valuable, cyber criminals see this industry as a gold mine of sorts. Crime can also occur internally, with employees playing the part of "bad actor."
Healthcare organizations must cover their bases when protecting personal health information (PHI) against technology threats of loss and theft. These measures include upholding standards set out as part of the Health Insurance Portability and Accountability Act (HIPAA). Although there are many threats to be aware of, IT professionals down to frontline employees should prioritize the five top cybersecurity threats we will outline below. As we dive deeper into these vulnerabilities, we will also discuss best practices for prevention.
Five Common Cybersecurity Threats to Watch for in Healthcare
With new innovations in the IoT medical sector, it comes as no surprise that the industry is already generating billions of dollars in revenue worldwide. These devices can come in many forms, including things like smart pens, wireless vital monitors, temperature sensors and so much more. Although they all serve different purposes and conditions, they were ultimately created to improve patient care, while reducing costs incurred by a provider.
The Risk: Despite the benefits they bring to the table, many of these technologies have proven to be hackable, with cyber criminals able to breach them in ways not initially imagined. For example, smart pens seem small and unsuspecting, but actually present a significant cybersecurity threat. Since they store plenty of data, they are attractive targets. Hacking a smart pen can also provide a cyber criminal with a gateway to a larger data storage source.
This clearly shows that data protection is truly an all-encompassing practice, and goes far beyond desktop and laptop computers. Just because a device is small, does not mean it is not a target.
The amount of daily data that passes through various terminals at a healthcare provider can be significant. It is made more significant due to the sensitivity of that data, meaning that if it is lost, it can spell trouble for both provider and patient alike.
The Risk: So, what is data loss? Do not let the generic phrasing fool you. Data loss is one of the most common, current cybersecurity threats today. A side-effect of digital technologies, this usually occurs when information goes to the wrong individual via email or another form of electronic communication.
To put into perspective just how common this issue is, Tessian has collected a few alarming statistics. Perhaps the one that stands out the most is that, in organizations of 1,000 employees, approximately 800 emails are sent to the wrong person every year. When emails are missent, it is hard to trust that they will be deleted, not shared, or viewed. This malpractice is one of the easiest ways to "lose" data.
Along the lines of data loss, is theft. Data loss is more often the result of poor attention to detail or a genuine mistake. Theft is serious, and it could indicate that bad actors are employed by the very company they are sabotaging. Despite this, theft is one of the most common cybersecurity threats today, and it is often overlooked due to the fact that management and IT professionals do not suspect their very own co-workers would be responsible.
The Risk: There are two main risks when it comes to theft. Since we are talking about cybersecurity, physical theft of equipment or PHI is not considered here.
- External theft: Can involve a cyber criminal stealing PHI via a hack. This can result in serious consequences such as identity theft of a patient or employee.
- Internal theft: These are the bad actors who work within an organization. They can conduct their illicit behavior in several ways, including sharing confidential company information with competitors or to assist in beginning their own venture. In the Tessian piece, cited above, they note that, "35% of employees working in healthcare have downloaded, saved, or sent work-related documents to personal accounts before leaving or after being dismissed from a job." This statistic backs the notion that healthcare organizations, and their IT teams must monitor more than just threats from the outside.
One of the top cybersecurity threats to businesses today is ransomware. It holds a victim's data hostage until a ransom is paid - usually in Bitcoin or other form of cryptocurrency. This scenario is particularly concerning in healthcare due to the sensitivity of data on hand. It puts organizations in a difficult position - many feel compelled to pay the ransom to get themselves out of a tricky situation which could become more costly as time passes. An IT manager's worst nightmare, ransomware mainly enters a system through phishing emails that fool unsuspecting employees. Learn more: Six Most Damaging Types of Ransomware That Every Business Should be Aware of
The term may not sound familiar, but the cyber threats within its realm are some of the most dangerous known to those in the IT field. So, what is social engineering? Essentially, these are attacks that attempt to fool victims into providing information like login credentials or downloading harmful files, which are then on a mission to infect other parts of a system. Social engineering attacks happen in a series of actions. It is a classic formula. First, the attacker prepares by identifying the victim and learning about its potential access points and vulnerable security processes; then the attacker engages the victim, hopefully earning its trust on various levels, causing the victim to let down its guard. Finally, the attacker strikes, most likely in one of the following forms.
Types of Social Engineering Attacks:
- Phishing: Cybercriminals posing as legitimate institutions for the purpose of stealing personal or company data
- Whaling: A phishing attack meant for high-profile targets, like company executives
- Baiting: Encouraging victims to click on links or plug-in un-authorized devices
- Pretexting: Elaborate scenarios created to lure a victim into supplying sensitive information
- Scareware: Designed to fool victims into accessing a malware-infected website
The common theme among different types of social engineering attacks is a cyber criminal's desire to trick a victim into providing the keys to the sensitive information - and in some cases, handing that sensitive information over on a silver platter. When a social engineering attack hits the healthcare industry, it can mean the loss of data, a tarnished reputation, fines, and potential jail time for an organization's officers.
On a side note, not all social engineering attacks are virtual. Here are a couple brief examples of social engineering that can happen inside a physical environment, potentially causing major cyber damage with the stolen information:
Fake hospital employee: All it takes to look like you belong and are employed in a healthcare situation is a set of scrubs and a fake ID. If personnel are not diligent, a skilled imposter may be able to impersonate a healthcare or IT worker and mix in to gain access to all kinds of information and processes without being noticed.
Fake new hire: An imposter might be able to introduce themself as a new hire to a staff member and request a tour or to shadow someone on their rounds and gather desired information.
The Bottom Line: Be Mindful of Network Security Threats and Solutions
A cyber attack in the healthcare industry can cause a domino effect of unfortunate events. Downtime, leaks of sensitive information, tarnished reputations, and fines by the U.S. Department of Health and Human Services are just a few repercussions. With the advancement of technology, healthcare organizations have more than just a few desktop computers to monitor. Nowadays, everything from laptops to items as small as smart pens can be targeted by cybercriminals. The smallest of devices can be gateways to main networks.
Top executives at healthcare organizations must be mindful of network threats while working to build teams to assist with preventative solutions. Building a strong IT team and educating employees is one of the best first steps to avoid being caught by one of the cyber threats mentioned in this piece. Preventative measures are a top-down task that involves almost everyone in an organization in some capacity - especially with technology integrated into more day-to-day tasks around the workplace.