Every year, Symantec publishes an Internet Security Threat Report that explores the current state of cybersecurity across industries, including healthcare. This year’s report revealed a few encouraging findings that show the healthcare industry has improved the way it approaches cybersecurity. Namely, cybersecurity spending has increased across the industry, as has staffing for security, both inside and outside of IT operations. Increased spending on cybersecurity shows a greater commitment and focus from healthcare organizations to get ahead of security threats. This shift in priorities is the result of a greater understanding of the impact of security threats in healthcare. Healthcare organizations that were victims of ransomware attacks in 2016 realized that it wasn’t just their IT operations that suffered, but their patient care, since their entire infrastructures were held for ransom. Security has therefore come to be recognized not just as an IT technical issue but as a patient-care issue.
As the healthcare industry gains a better understanding of the importance of building and maintaining a strong security program, we must continue to study new and emerging trends, like the findings in the Symantec Internet Security Threat Report, to help influence the decisions we as healthcare organizations make to protect ourselves and the ones we serve. In the blog below, I’ve highlighted three key internet security trends that healthcare organizations cannot ignore. I’ve also included advice on how your organization can work to combat these threats and protect your patients’ data and your own.
Email is a Significant Threat Vector for Healthcare Organizations
Cybercriminals use email as a way into your systems. There are a few different tactics they use to attack an organization via email. One example is “phishing,” a type of social engineering that tricks an email recipient into downloading a malicious file or visiting a malicious website. Another example, which became more common in 2016, is email-borne ransomware; Symantec reports that the healthcare industry saw an increase in email-borne ransomware that year. Additionally, 54 percent of emails sent to healthcare organizations in 2016 were spam, and one in 204 emails contained malware.
How can healthcare organizations defend against email-borne security threats?
My advice: Educate your staff about the various threats that could be lurking in their inbox. Make sure every employee understands terms like “phishing” and “malware,” and offer examples of these kinds of attacks so they know what to look for before opening or clicking on a suspicious email. The better educated your staff are about email threats, the less likely they are to download malicious files and put your organization’s data at risk.
Healthcare Organizations Are Easy Targets for Ransomware
Across industries, ransomware attacks are increasing at an alarming rate. According to Symantec, ransomware detections increased by 36 percent in 2016, to 1,270 detections per day. Healthcare organizations should be particularly concerned about ransomware. Cybercriminals have realized that healthcare organizations are easy targets for ransomware attacks, since they are under greater pressure to restore data and services quickly so as not to put patient care at risk.
How can healthcare organizations defend against ransomware?
My advice: Ransomware is on the rise. A recent attack has organizations in countries all over the world bracing themselves for round two. The best way to prevent these attacks is to make sure your security infrastructure is as strong as possible. Make sure you are using operating systems that vendors still support with security updates, and eliminate vulnerabilities lurking in your systems by applying all available patches as soon as they are released. Invest time and resources in security systems that use the latest technology to keep your data safe. Finally, only work with vendors you trust and who are certified and audited at the highest levels of security and compliance. Your best defense is to implement the best protection available to your organization.
Healthcare CIOs Don’t Understand How Much Data They Have in the “Cloud”
Cloud usage has become mainstream for most businesses and individuals. As a result, criminal attacks on cloud data have increased. CIOs need to account for the data they store in the cloud when developing their security programs. However, according to Symantec, many CIOs do not have an accurate understanding of how much data they are storing in the cloud. At the end of 2016, the average enterprise organization was using 928 cloud apps, up from 841 at the beginning of the year. Yet most CIOs estimate their organization’s usage of cloud apps to be around 30-40, which is a gross underestimate. It is very difficult to protect data in the cloud if you don’t even know how much data your organization is storing there, or in which apps.
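The gap between the 30-40 apps a CIO estimates and the hundreds actually in use is usually closed by measuring rather than asking: outbound web proxy or firewall logs show every external service employees actually send data to. The script below is an added illustration, not code from the original post or from Symantec, of how a security team can build such an inventory. It assumes a simple whitespace-separated proxy log format (timestamp, user, method, destination host, bytes sent), a sanctioned-app list maintained by the organization, and an internal-domain suffix to exclude; the log lines, domain names and sanctioned list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic). Fields, in order:
# timestamp  user  method  destination_host  bytes_sent
SAMPLE_PROXY_LOG = """\
2017-05-02T08:01:12 jdoe   CONNECT mail.example-ehr.com          4120
2017-05-02T08:02:40 jdoe   POST    files.sharebox-example.com    2104000
2017-05-02T08:03:02 asmith CONNECT mail.example-ehr.com          1020
2017-05-02T08:05:19 asmith PUT     notes.quicksync-example.net   880000
2017-05-02T08:06:33 mlee   CONNECT intranet.hospital.local       300
2017-05-02T08:07:45 mlee   POST    files.sharebox-example.com    55000
2017-05-02T08:09:01 jdoe   POST    api.chatapp-example.io        7600
"""

# Assumed: the organization's list of approved cloud apps (constructed).
SANCTIONED_APPS = {"example-ehr.com"}
# Assumed: suffixes that identify on-premises hosts, which are not cloud apps.
INTERNAL_SUFFIXES = (".local",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<bytes>\d+)$"
)


def registrable_domain(host):
    """Collapse a hostname to its last two labels so that mail.x.com and
    api.x.com count as one app. Good enough for the demo; a production
    inventory would consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def inventory_cloud_apps(log_text, sanctioned=SANCTIONED_APPS):
    """Return {app_domain: {users, bytes_out, requests, sanctioned}} built
    from proxy log lines, skipping malformed lines and internal hosts."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real tool would count these too
        host = m.group("host")
        if host.lower().endswith(INTERNAL_SUFFIXES):
            continue  # on-premises destination, not a cloud app
        rec = apps[registrable_domain(host)]
        rec["users"].add(m.group("user"))
        rec["bytes_out"] += int(m.group("bytes"))
        rec["requests"] += 1
    return {
        app: {
            "users": sorted(r["users"]),
            "bytes_out": r["bytes_out"],
            "requests": r["requests"],
            "sanctioned": app in sanctioned,
        }
        for app, r in apps.items()
    }


def unsanctioned_apps(inventory):
    """Apps not on the approved list, largest outbound data volume first,
    i.e. the order in which to review where organizational data is going."""
    return sorted(
        (app for app, r in inventory.items() if not r["sanctioned"]),
        key=lambda app: -inventory[app]["bytes_out"],
    )


if __name__ == "__main__":
    inv = inventory_cloud_apps(SAMPLE_PROXY_LOG)
    print(f"{len(inv)} distinct cloud apps observed, "
          f"{len(unsanctioned_apps(inv))} not sanctioned")
    for app in unsanctioned_apps(inv):
        r = inv[app]
        print(f"  {app:28} users={len(r['users'])} "
              f"bytes_out={r['bytes_out']}")
```

Run against a day of real proxy logs, the output is the list a CIO should compare with their own estimate; the bytes-sent column matters because an unapproved file-sharing app receiving megabytes of uploads is a different conversation from a chat widget receiving a few kilobytes.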
How can healthcare organizations improve the protection of cloud data?
My advice: As the data shows, enterprise organizations rely on hundreds of cloud apps to complete their daily operations and store data. That doesn’t mean you shouldn’t try to eliminate as many unnecessary vendors as possible. When it comes to selecting your payment vendor, work with a full-stack solution that covers the end-to-end healthcare payments process. Don’t patch together a handful of different vendors that can’t deliver the results a full-stack solution offers. Keep in mind, too, that when you try to make multiple systems work and talk with each other, you often create new holes and vulnerabilities that would not otherwise exist.
Learn more about payment security for healthcare. Check out a recording of a webinar I presented with HIPAA law expert Matt Fisher: PCI, EMV, HIPAA and More: Making Sense of Security and Compliance for Healthcare Payments.