The healthcare industry has become more interconnected thanks to technological innovations that unify healthcare information, people and payments. While these advances can lead to better experiences and outcomes, they also make healthcare data more vulnerable to cyberattacks. CIOs and CISOs must understand the threat landscape when planning technology strategies and investments.
A Changing Digital Landscape
System integrations in healthcare have grown significantly as more organizations use technology to automate tasks and operate efficiently. The COVID-19 pandemic contributed to the trend of increased interconnectivity because people needed contact-free ways to interact. Digital adoption accelerated across the healthcare industry as a result.
Greater use of digital technology has many benefits for the healthcare industry. These include higher efficiency and accuracy of administrative tasks like payments, which are historically costly, manual and error-prone. However, this digitization can increase an organization’s vulnerability to cyber threats.
Healthcare is a Prime Target for Cyber Crime
Healthcare organizations are attractive targets for cybercriminals because of the data they handle. Cybercriminals are motivated to sell stolen personal information for profit, and patient data is lucrative. One patient record can elicit up to $250 on the Dark Web. At that price point, it’s no wonder cyber crooks target health information. The value of health information can also explain why cyber attacks are the number one cause of data breaches in healthcare. Cyber thieves can access medical records and personal data, like social security numbers and credit card information, by attacking a healthcare organization’s network and other systems. Healthcare organizations are a veritable one-stop shop for all the valuable data a hacker could want.
Cyber attacks on healthcare organizations have increased over the years and they surged even more during the pandemic. Over 40 million patient records were exposed in healthcare data breaches in the U.S. in 2021. One of the biggest reasons for these incidents is the rise in ransomware.
Ransomware gains access to an organization’s system by infecting computers with a virus, often by tricking a user into clicking a link or downloading a file in a phishing email. Ransomware attacks targeting software supply chains are rising, meaning major breaches can result from infiltration via a third-party vendor. Third-party vendors caused 60% of reported healthcare data breaches in 2021.
Hybrid and remote work environments are perfect scenarios for black hat criminals; it is much easier to perform a phishing attack on people who only interact through screens. As healthcare organizations look to support these work arrangements, developing a robust information security program that includes cybersecurity training for staff is essential.
[eBook] Cybersecurity Best Practices for Hospitals and Health Systems: How to Secure Patient Data and Payments
4 Best Practices For Healthcare CIOs and CISOs
Here are four key considerations for healthcare CIOs and CISOs navigating an evolving security landscape.
1. Verify the Security Status of Vendors You Are Working With (And Their Vendors, Too)
Even when your organization has strong cybersecurity protocols in place, your data can still be at-risk if your vendors do not meet the same strict security standards.
When selecting vendors, ask to see their security and compliance certifications – do not simply trust a vendor who self-attests to being compliant and secure. Here are the certifications you want to look for when selecting a vendor. You can also consolidate the number of vendors in your network. By minimizing handoffs with your data you reduce entry points in your supply chain and make it more difficult for hackers to compromise your data.
2. Keep Sensitive Data Off Your Network
The best way to protect sensitive data from cyberattack is to limit the data that lives on your network. Healthcare organizations can deploy technologies like point-to-point encryption (P2PE) and tokenization to protect data stored or transferred on their networks.
P2PE prevents people from viewing cardholder information and protects the confidentiality and integrity of this data. P2PE (point-to-point encryption) is a methodology for securing credit card data by encrypting it from the time a card is swiped or keyed until it reaches a secure endpoint (InstaMed) where it is decrypted.
Tokenization converts data into a token that is associated with your organization. This unique association prevents someone from using the stolen token for anything other than the intended purpose. Tokenization allows payment information – such as a credit card or bank account – to be saved online securely and used to pay for something without re-entering it. In healthcare, it is key to automating the payment process to simplify the consumer experience and help providers achieve payment assurance.
3. Regularly Scan Your Network for Vulnerabilities and Patch Your System
If you regularly scan your networks for vulnerabilities, you can detect threats sooner and move faster to prevent attacks. Along with network scans, you will want to patch your systems on a regular basis. A patch is a software or operating system update designed to fix bugs and address security vulnerabilities. Patches can protect your systems from harmful threats lurking on networked devices. You should always apply patches as soon as possible. Delaying a security update increases your risk exposure to hackers, which can lead to a data breach.
To learn more about network security threats check out Symantec’s Security Center.
4. Train Staff to Recognize Phishing Attempts
Phishing is a type of social engineering that uses emails designed to trick the recipient into clicking on a malicious attachment or visiting a malicious website. Spear phishing is a more targeted form that can appear to come from a trusted acquaintance. If a recipient of a phishing email opens a malicious attachment or clicks on a link, they might download a program that installs malware onto the system. This act alone can compromise the entire system and expose sensitive data to theft. In other scenarios, a phishing email might lure a victim to a website that appears legitimate and tricks the user into disclosing private information like a username and password or bank information. It isn’t easy to protect against social engineering. These scams can be hard to detect and fooling a person with a message that looks like it’s legitimate is not something that can be prevented with more complex passwords or a new hardware purchase. The best defense against this ever-growing threat is to train staff to look for common phishing techniques and other hacker tactics. Share this list of cybersecurity best practices with your team to help educate them about cybercrime prevention.