Medical practices of all sizes need to pay attention to cybersecurity, but it’s not a one-size-fits-all scenario.
Cyberattacks pose a clear and present danger to all healthcare stakeholders. These days, cyberthreats are so mainstream that the question is no longer if an attack will occur, but when.
A 2018 cybersecurity survey by Black Book Market Research found that 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent reported more than five breaches. In 2017, a task force working under the U.S. Department of Health and Human Services deemed cybersecurity in healthcare was in “critical condition,” a claim that was followed by many sizeable breaches in 2018.
The outlook is indeed sobering and likely to leave the average resource-strapped physician’s practice feeling helpless. How do small- to mid-sized healthcare operations tackle this mammoth challenge when most physician practices lack IT departments and in-house cybersecurity experts?
When it comes to securing systems and data, it’s important for organizations to take a step back, start simple and move forward strategically. Cybersecurity is a journey, not a destination - and you don’t always need to tackle everything at once. Every practice environment faces different threats, so it’s important to understand your own unique situation and plan your approach accordingly. Outlined below are three key steps physician practices should take to gain a better understanding of their cybersecurity needs and to determine their next steps.
Current reports suggest that ransomware and other cyberattacks are on the rise, with ransomware attacks against healthcare projected to quadruple by 2020. Meanwhile, Gartner, a leading industry research and advisory firm, expects the global cloud services market to grow 17.3 percent in 2019. As more practice data and applications move to hosted services, the attack surface grows with them: misconfigured cloud accounts, exposed remote-access portals and reused passwords become the path of least resistance.
The industry is also seeing more advanced phishing, password spraying and credential stuffing (sometimes called password stuffing), threats that often fly under the radar because each individual attempt looks like an ordinary failed login. Phishing uses social engineering to trick users into handing over credentials or other sensitive information, usually through an email that appears to come from someone they trust. Password spraying starts with a list of the organization’s usernames or email addresses, often harvested by scripts that crawl Google and LinkedIn; the attacker then tries a handful of commonly used passwords against every account, keeping the number of guesses per account low enough to stay under lockout thresholds. Credential stuffing is even easier: the attacker takes username and password pairs leaked from breaches of other websites and replays them against the practice’s login pages, counting on staff who reuse passwords. Both techniques leave recognizable patterns in authentication logs, which is why monitoring failed logins matters as much as blocking them.
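The patterns described above can be pulled out of ordinary authentication logs. The following is an added example, not code from the original article or from NaviSec: it parses a constructed, syslog-style log (the `result=... user=... src=...` format and every address, username and threshold in it are assumptions for the example) and labels sources that look like password spraying, accounts that look brute-forced, and a distributed, one-guess-per-account pattern that is characteristic of credential stuffing. It generalizes the article's two cases by also separating them from a classic single-account brute force.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). One line per login attempt:
#   <time> auth: result=<success|failure> user=<name> src=<ip>
SAMPLE_LOG = """\
09:00:01 auth: result=failure user=alice src=203.0.113.7
09:00:02 auth: result=failure user=bob src=203.0.113.7
09:00:03 auth: result=failure user=carol src=203.0.113.7
09:00:04 auth: result=failure user=dave src=203.0.113.7
09:00:05 auth: result=failure user=erin src=203.0.113.7
09:00:06 auth: result=success user=frank src=203.0.113.7
09:01:00 auth: result=failure user=gina src=198.51.100.10
09:01:01 auth: result=failure user=gina src=198.51.100.10
09:01:02 auth: result=failure user=gina src=198.51.100.10
09:01:03 auth: result=failure user=gina src=198.51.100.10
09:01:04 auth: result=failure user=gina src=198.51.100.10
09:02:00 auth: result=failure user=hank src=198.51.100.21
09:02:01 auth: result=failure user=ivy src=198.51.100.21
09:02:02 auth: result=failure user=jane src=198.51.100.22
09:02:03 auth: result=failure user=kurt src=198.51.100.22
09:02:04 auth: result=failure user=liam src=198.51.100.23
09:02:05 auth: result=failure user=mia src=198.51.100.23
09:02:06 auth: result=failure user=nina src=198.51.100.24
09:02:07 auth: result=failure user=omar src=198.51.100.24
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(log_text):
    """Return (result, user, src) tuples for every line matching the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["src"]))
    return events


def classify(events, spray_min_users=5, max_guesses_per_user=2,
             brute_min_failures=5, stuffing_min_sources=4):
    """Heuristic classification of failed logins. All thresholds are assumptions;
    tune them against the practice's normal rate of mistyped passwords."""
    fails_by_src = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    fails_by_user = defaultdict(int)
    for result, user, src in events:
        if result != "success":
            fails_by_src[src][user] += 1
            fails_by_user[user] += 1

    # Spraying: one source touches many accounts with only a guess or two each,
    # which is exactly what stays under a per-account lockout threshold.
    spraying = [src for src, users in fails_by_src.items()
                if len(users) >= spray_min_users
                and max(users.values()) <= max_guesses_per_user]

    # Classic brute force: many failures piled onto a single account.
    brute_force = [user for user, n in fails_by_user.items() if n >= brute_min_failures]

    # Stuffing: leaked pairs replayed from many sources, each source trying
    # only a few accounts once or twice (a botnet spreading the load).
    quiet_sources = [src for src, users in fails_by_src.items()
                     if len(users) < spray_min_users
                     and max(users.values()) <= max_guesses_per_user]
    touched = {u for src in quiet_sources for u in fails_by_src[src]}
    stuffing = (len(quiet_sources) >= stuffing_min_sources
                and len(touched) >= spray_min_users)

    return {"spraying": spraying, "brute_force": brute_force, "stuffing": stuffing}


def analyze(log_text):
    return classify(parse(log_text))


if __name__ == "__main__":
    for kind, value in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {value}")
```

The useful design point is that the three attacks are told apart by the shape of the failures, not their count: spraying is wide and shallow from one place, brute force is narrow and deep, and stuffing is wide and shallow from many places. A lockout policy alone catches only the middle one.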
“CEO fraud,” a form of business email compromise, is also on the rise in healthcare. In these instances, criminals impersonate an executive as part of an email scam, typically by using a lookalike sender address or just the executive’s name as the display name, and copying that person’s writing style and email signature. The message then asks for a specific action, often marked urgent. For example, a criminal posing as an HR executive may ask an employee to change payroll account details or to wire certain payments to different account numbers.
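Much of this impersonation is visible in the message headers before anyone reads the body. The following is an added example, not code from the original article or from NaviSec: it checks a message's `From` and `Reply-To` headers against a small executive directory. The directory, the corporate domain and both sample messages are constructed for the example and are not real addresses or real email.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical executive directory and corporate domain (assumptions for the example).
EXECUTIVES = {"jane doe": "jane.doe@example-practice.com"}
CORPORATE_DOMAINS = {"example-practice.com"}

# Constructed messages (not real email).
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@example-practice-hr.com>
Reply-To: jane.doe.ceo@webmail.example
To: payroll@example-practice.com
Subject: Urgent: update my direct deposit

Please change my payroll account before today's run. I'm in meetings, so email only.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example-practice.com>
To: payroll@example-practice.com
Subject: Q3 staffing numbers

Attached as discussed.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_corporate(domain):
    """Not one of our domains, but borrows our name (e.g. example-practice-hr.com)."""
    if not domain or domain in CORPORATE_DOMAINS:
        return False
    return any(d.split(".")[0] in domain for d in CORPORATE_DOMAINS)


def impersonation_flags(raw_message):
    """Return the reasons a message looks like executive impersonation; empty if none."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' is an executive but sender is {addr}")

    # 2. Sender domain is a lookalike of the practice's domain.
    if looks_like_corporate(domain_of(addr)):
        reasons.append(f"sender domain {domain_of(addr)} imitates the organization")

    # 3. Replies are quietly redirected to a different domain than the sender.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To {reply_to} diverts replies away from the sender")

    return reasons


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", impersonation_flags(raw) or "no flags")
```

These checks complement, rather than replace, SPF, DKIM and DMARC enforcement on the email gateway: a lookalike domain the attacker registered will pass all three, which is exactly why the display-name and Reply-To comparisons are worth running on every inbound request that touches payroll or payments.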
Many physician practices have not taken the critical step of conducting regular vulnerability assessments because they believe their organization is too small to attract an attacker. But not knowing your vulnerabilities can hurt you, as both large and small organizations are exploited continually.
A comprehensive assessment scans the practice’s servers, workstations, medical devices and applications for known weaknesses and misconfigurations, such as missing patches, default credentials and unnecessary open services. That gives practices a picture of their environment as an attacker would see it, before anyone tries to exploit it.
Quarterly vulnerability assessments are recommended not only to test for new risks, but also to ensure that previous issues were fully remediated. When deployed properly, these analyses should provide practices with information on which devices and applications are vulnerable along with possible risks. It’s important that all key stakeholders come away from these assessments with a full understanding of each vulnerability, its perceived risk level and its potential solution.
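The "were previous issues fully remediated" question is easiest to answer by comparing one quarter's findings against the next. The following is an added example, not code from the original article or from NaviSec: it loads two scanner exports in a constructed CSV shape (`host,vuln_id,severity`; the hostnames and finding IDs are placeholders, not real identifiers) and reports what was fixed, what is still open in severity order, and what is new.

```python
import csv
import io

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner exports (not real scan data). Map your scanner's
# export into these three columns.
Q1 = """host,vuln_id,severity
ehr-app-01,SSL-WEAK-CIPHERS,medium
ehr-app-01,SMBV1-ENABLED,high
pacs-srv-02,OUTDATED-DICOM-SERVICE,critical
fw-edge-01,DEFAULT-SNMP-COMMUNITY,high
"""

Q2 = """host,vuln_id,severity
ehr-app-01,SMBV1-ENABLED,high
pacs-srv-02,OUTDATED-DICOM-SERVICE,critical
wifi-ap-03,OPEN-GUEST-NETWORK-BRIDGED,medium
"""


def load(csv_text):
    """Map (host, vuln_id) -> severity from a CSV export."""
    return {(row["host"], row["vuln_id"]): row["severity"].strip().lower()
            for row in csv.DictReader(io.StringIO(csv_text))}


def compare(previous_csv, current_csv):
    """Diff two quarterly exports. Findings are keyed by host and vuln_id so a
    weakness fixed on one host but still present on another stays visible."""
    prev, curr = load(previous_csv), load(current_csv)

    def worst_first(findings, sev_source):
        return sorted(findings, key=lambda k: (SEVERITY_RANK.get(sev_source[k], 9), k))

    return {
        "remediated": sorted(k for k in prev if k not in curr),
        "still_open": worst_first([k for k in prev if k in curr], curr),
        "new": worst_first([k for k in curr if k not in prev], curr),
    }


def report(previous_csv, current_csv):
    """Plain-text summary suitable for a stakeholder review meeting."""
    diff = compare(previous_csv, current_csv)
    lines = []
    for section, items in diff.items():
        lines.append(f"{section} ({len(items)}):")
        lines.extend(f"  {host}: {vuln}" for host, vuln in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(Q1, Q2))
```

Two items carried over from Q1 to Q2 in the sample, one of them critical; that "still_open" list, worst first, is the agenda for the remediation conversation the article describes, and the "new" list is the evidence that a quarterly cadence catches drift between tests.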
In addition to vulnerability assessments, a penetration test should be conducted annually. A penetration test goes deeper than a scan: an authorized cybersecurity professional attempts to actually exploit weaknesses and chain them together to reach the practice’s network and data, showing which findings an attacker could really use rather than which ones merely appear on a report.
Once a practice’s weaknesses are identified, the next step is remediation. Far too often, healthcare organizations make less-than-optimal choices because they react out of fear or they choose the most affordable solution as a band aid approach.
It’s understandable on one level. Most small- to mid-sized physician practices are not in a position to purchase an expensive and comprehensive cybersecurity platform to address every angle of the security landscape.
A better approach begins with understanding that there is no cookie-cutter solution to cybersecurity. More than ever, healthcare executives, owners and administrators need customized strategies that provide practice-specific tools and filter out unnecessary elements that can keep physician practices from addressing their own unique security situations.
The right partner can help you identify where to start by focusing on priority areas that represent the most bang for your cybersecurity buck. Perhaps the first goal is optimizing firewall management. Or, perhaps the greatest need is stronger security of appliances and devices such as phone systems, Wi-Fi, email gateways or network access control. Expert guidance is critical to defining and developing a practice’s cybersecurity strategies at the right time and with the right tools to minimize the potential for breach and ensure the most cost-effective solution.
Physician practices face unprecedented demands on their time and resources. While current trends demand that organizations prioritize cybersecurity, it’s important to remember that the best approach does not generally take a linear path.
Sean Nobles is president of NaviSec, a veteran-owned IT security firm. He holds OSCP, NSE4 and CCNP certifications in network security and has spent more than 20 years in the service provider, military, financial services, value added reseller and call center industries. He is a combat veteran of the U.S. Marine Corps.