Cyberattacks pose a clear and present danger to all healthcare stakeholders. These days, cyberthreats are so mainstream that the question is no longer if an attack will occur, but when.
A 2018 cybersecurity survey by Black Book Market Research found that 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent reported more than five breaches. In 2017, a task force working under the U.S. Department of Health and Human Services deemed cybersecurity in healthcare to be in “critical condition,” a claim that was followed by many sizeable breaches in 2018.
The outlook is indeed sobering and likely to leave the average resource-strapped physician’s practice feeling helpless. How do small- to mid-sized healthcare operations tackle this mammoth challenge when most physician practices lack IT departments and in-house cybersecurity experts?
When it comes to securing systems and data, it’s important for organizations to take a step back, start simple and move forward strategically. Cybersecurity is a journey, not a destination — and you don’t always need to tackle everything at once. Every practice environment faces different threats, so it’s important to understand your own unique situation and plan your approach accordingly. Outlined below are three key steps physician practices should take to gain a better understanding of their cybersecurity needs and to determine their next steps.
1. Recognize trends and challenges
Current reports suggest that ransomware and other cyberattacks are on the rise. Notably, ransomware attacks are expected to quadruple in healthcare by 2020. Meanwhile, Gartner, a leading industry research and advisory firm, expects the global cloud services market to grow 17.3 percent in 2019, opening the door to new vulnerabilities and threats online.
The industry is also witnessing growing threats related to advanced phishing and password spraying and stuffing — dangers that often fly under the radar. Phishing employs social engineering to trick users into giving away sensitive information by posing as a legitimate person, usually through an email that appears to be from someone they trust. Password spraying occurs when an attacker obtains a list of emails and usernames from an organization, usually through scripts that crawl Google and LinkedIn, and then attempts to gain access to accounts through commonly used passwords. Password stuffing is even easier, since the hacker gains access to username and password pairs and then applies them to large numbers of accounts until they gain access to the network.
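As an added illustration (not part of the article), the following Python sketch shows how a practice's IT provider could spot the password-spraying pattern described above in failed-login records: one source failing against many different accounts with only an attempt or two on each, which is what keeps spraying under per-account lockout thresholds. The log format and all values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login records (assumed format, not from any real system).
SAMPLE_LOG = """\
2019-03-04T09:00:01 auth-failure user=alice src=203.0.113.7
2019-03-04T09:00:09 auth-failure user=bob src=203.0.113.7
2019-03-04T09:00:17 auth-failure user=carol src=203.0.113.7
2019-03-04T09:00:25 auth-failure user=dave src=203.0.113.7
2019-03-04T09:00:33 auth-failure user=erin src=203.0.113.7
2019-03-04T09:00:41 auth-failure user=frank src=203.0.113.7
2019-03-04T09:01:00 auth-failure user=admin src=198.51.100.9
2019-03-04T09:01:02 auth-failure user=admin src=198.51.100.9
2019-03-04T09:01:04 auth-failure user=admin src=198.51.100.9
2019-03-04T09:30:00 auth-failure user=alice src=192.0.2.5
2019-03-04T09:30:20 auth-failure user=alice src=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth-failure user=(?P<user>\S+) src=(?P<ip>\S+)$")

def parse_failures(text):
    """Yield (timestamp, user, source_ip) for each failed-login line; skip lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]

def find_spraying(text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted targeted users} for sources that, within `window`, fail against
    at least `min_users` distinct accounts while never exceeding `max_per_user` attempts on any
    one account. Many attempts on a single account (plain brute force) is deliberately not flagged."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(parse_failures(text)):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        for i, (start, _) in enumerate(events):  # slide a time window over this source's failures
            counts = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[ip] = sorted(counts)
                break
    return flagged
```

Thresholds such as the window length and `min_users` are assumptions to tune per environment; the alert is a prompt to check for shared weak passwords and enable multi-factor authentication, not proof of compromise.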
“CEO fraud” is also on the rise in healthcare. In these instances, criminals impersonate an executive as part of an email scam. Using similar writing styles and email signatures, the sender will request that a certain action be performed. For example, a criminal posing as an HR executive may ask an employee to change payroll accounts or to wire certain transactions to different account numbers.