Healthcare is one of the most attractive industries for cyberattacks.
During the first half of 2022, the healthcare industry suffered 337 breaches, a growing wave of relentless cyberattacks that puts significant financial pressure on many organizations already focused on revenue. Healthcare organizations store a massive amount of sensitive data, making healthcare one of the most attractive industries for cyberattacks. The results of sophisticated attacks can be disastrous for health systems.
This is not a new problem, but the frequency of threats is increasing, especially ransomware attacks. According to a recent report, 66% of healthcare organizations reported ransomware attacks last year, almost doubling from 34% in 2020. Healthcare is largely a target due to an abundance of outdated technology and legacy systems, along with limited security resources and budgets that prevent IT teams from making large changes to improve security. While there’s no silver bullet solution, there are four specific steps that health systems can take today to protect against the cybersecurity threats of tomorrow.
1. Update outdated technology systems
Healthcare has traditionally fallen behind other industries when it comes to updating technology. Think of the advancements that other types of businesses – such as retail, banking, and travel – have made in the last 10, five or even two years. Many industries are far more technologically savvy, but healthcare is actually one of the most important areas to transform. Innovative technology is crucial to providing patients with the highest quality care. Furthermore, a data breach at a healthcare organization can put some of the most sensitive patient information at risk.
Legacy and insecure systems can be deprecated and replaced by deploying always-on, always-up-to-date anti-ransomware tools, anti-malware tools, intrusion prevention systems and firewalls; by encrypting all sensitive data and securing it in the cloud; and by moving to more secure operating systems, such as macOS or Linux, to better prevent cybersecurity incidents.
2. Get leadership on board and encourage a culture of advancement
One of the primary concerns around updating technology is the investment cost, especially when considering the risk of using limited resources without a guaranteed reward. However, the return on investment is clear, as organizations can prevent huge expenses down the line that may occur as a result of a breach. Naturally, health system executives will have concerns when it comes to investment costs, so it is crucial to get them on board by showing them the potential ROI. It is paramount that leadership teams carve out a budget for an in-depth security program to defend against would-be hackers.
Leadership teams and employees must also approach updates to cybersecurity with an open mind, prepared to embrace change and advance the organization. Adoption of new technology and security policies can sometimes be met with backlash from staff members who are used to the way the organization has always run. Leaders in IT and security should not feel disheartened and instead should remind their colleagues of the benefits that heightened security processes will bring to the organization and its patients. By creating a work culture willing to embrace change, you will be able to more smoothly implement better business practices.
3. Educate employees on avoiding attacks
One of those organizational changes is to regularly train employees on how to recognize and avoid falling victim to potential cyberattacks. Typical mandatory security trainings provided on an annual basis often do not actually teach employees the key markers to look out for in an attack. A better approach would be to simulate attacks such as phishing and provide personalized, bite-sized, timely training to employees who fall victim. Teaching employees how they might be tricked will help them understand how to not fall prey to attacks and allows you to build your organization’s own “human firewall.”
Ensure that employees know what to look for when monitoring for security threats, along with what their next steps should be, for example flagging suspicious emails to IT before replying to them or opening links from unknown email addresses. IT professionals can stay on top of current trends by keeping tabs on intelligence from the dark web and by proactively putting aggressive technical and administrative controls in place to mitigate attacks dynamically.
4. Prepare for new security policies and potential disasters
Finally, healthcare organizations must stay up to date on current security policies and update their own internal risk management procedures. Cybercriminals targeted hospitals and health systems while they responded to irregular patient volumes and limited resources caused by the Covid-19 pandemic. When threats emerged and healthcare systems were down, challenges were exacerbated as providers had to cancel appointments and surgeries to deal with breaches and other attacks.
Keep up to date on regulatory and compliance requirements and proactively adopt safeguards to meet policies as they change. Additionally, health systems should prioritize implementing a disaster recovery plan in the case of future security breaches, as well as other emergency events such as natural disasters. Preparation for emergencies should include regular tabletop exercises for backup and recovery, incident management, business continuity and disaster recovery. Planning and preparedness are crucial, so create organizational resilience to ensure your employees are prepared for emergencies when they do occur.
Cybersecurity threats across the healthcare industry are on the rise, and ultimately it falls on the organization to prepare for attacks and prevent loss of health system and patient data. Take care to evaluate all the potential areas for security improvement in your organization and begin preparing for a safer healthcare community in 2023.
Chandra Kalle is the Vice President of Security and Compliance at LeanTaaS, where he brings more than a decade of experience in engineering and product management.