Patient data is under attack. In a 2019 study, the Healthcare Information and Management Systems Society (HIMSS) found that 74 percent of healthcare organizations experienced a significant cybersecurity incident in the previous 12 months.
It may seem logical to think larger healthcare systems are more attractive targets, but small- and medium-sized organizations also face huge risk. Patient data is some of the most valuable on the dark web, which makes practices of all sizes prime targets. In fact, cybercriminals may look upon smaller organizations as easier marks, as they may not have the same level of cybersecurity resources and capabilities as larger healthcare systems do.
The key ways to keeping the people and data in a practice secure are to understand the threats, implement the appropriate preventative measures, and have a clear, actionable remediation plan to reduce damage in the event of an attack.
Understanding the threats
According to the HIMSS study, the most commonly reported attacks involve attempts to access healthcare networks via phishing, spear phishing, or compromised email accounts. While the end goals for all three are the same—accessing data—they vary in approach and complexity.
Phishing involves an email that attempts to trick the recipient into clicking on a malicious link that gives the sender access to patient data. The sender poses as a known entity (i.e. an insurance company, common vendor, or parcel delivery service) to lure the recipient to complete an action or fulfill a request by clicking on the link. A single phishing email is sent to many addresses at once, so they’re often non-specific to the recipient. On the surface, that non-specificity should be a red flag, but remember: the criminal only needs one person to ignore the potential warning signs and click.
Spear phishing operates under the same premise as phishing, only it is more thoughtfully designed and executed. While phishing is a numbers game, spear phishing emails typically are sent to one specific person or specific members of groups. These emails meticulously replicate what an actual correspondence from the organization they are pretending to be would look like and, as a result, are more difficult to identify.
Compromised internal email accounts are much harder to detect as fake. This happens when a malicious actor is able to gain access to a user’s email password and sends emails from the user’s account. Since such emails are sent on behalf of someone within the organization, the message appears to be completely legitimate. People are less likely to question requests from colleagues, increasing the probability of tricking the recipient into clicking on a malicious link or performing a harmful action, such as divulging critical information or completing a fraudulent transaction.
Implementing preventative measures
These are issues most practices can address by changing the email security habits of staff. For example, treat any link from a known or unknown sender with skepticism. Hover over the link with the cursor and inspect the URL once it populates. The URL may look familiar, but check to see if there are misspellings, an extra letter or, for example, an “O” replaced by a zero. These are common tricks cyber criminals use to emulate an email or web address.
With compromised email accounts, it may be almost impossible to recognize that it is fake. For example, an email may seem to come from a colleague asking the recipient to click on a link leading to a folder within the practice’s network, when it is actually a malicious link. So, if someone on staff receives such correspondence and is even the least bit suspicious, it is best practice to simply call the alleged sender to verify the validity of the email.
Read More: Designing Your New Medical Office Space
The ways by which hackers attempt to access patient data change, so continuous training and awareness efforts for staff around the latest threats should occur annually, if not quarterly. Such training should include replication of real-life data breach attempts to prepare staff to act accordingly should an actual incident arise.
From a more technical standpoint, practice leads should ensure their IT department is installing the latest versions of antivirus protection and using security tools that can restrict the execution of unauthorized files and applications (commonly known as application white-listing). Dependent on the type of information that could be transmitted via email, data loss prevention (DLP) solutions should be deployed. Additionally, personnel should be provided encryption capabilities to ensure data is protected in transit and at rest.
Remediating an incident
While you can reduce risk from common threats, healthcare organizations should prepare for the reality that at some point an incident will occur. Criminals are creative and persistent in finding new ways to steal data and leverage the rapidly evolving nature of technology to their advantage. Thus, mistakes will inevitably occur. The key is becoming more cyber resilient—developing the ability to move quickly to respond to alerts and ensure that the damage related to a breach is minimized. Organizations should rehearse responding to such issues at least quarterly.
Creating a culture that encourages employees to report a possible incident that they may have created, without embarrassment or repercussion, is critical to successful remediation. Time is of the essence in minimizing the severity of a breach, so self-reporting must be an instinctual response to accidentally clicking on a potentially malicious link. Taking it a step further, rewarding employees who successfully report security incidents reinforces the practice’s commitment to security over blame.
The threat to patient data is not going away, and it is incumbent upon practices to proactively protect their patients’ personal information. Continuously educating staff, while implementing effective prevention and remediation protocols, will go a long way in maintaining business continuity and reduce the risk of falling victim to a compromise.