Defending Against Healthcare Cyber Threats: People, Not Technology, are the Key
It’s impossible to work in healthcare today and not be concerned about the daily barrage of news about cyberattacks on hospitals and health systems. Last year, more than 5 million patient records were exposed through data breaches, and ransomware, a type of malware that blocks access to systems and files unless a ransom is paid, continues to wreak havoc in healthcare, taking hospital networks offline and disrupting patient care and services.
The immediate financial, legal and regulatory impact of an attack can be devastating. And according to a Deloitte study, there are other hidden costs that can ripple for years, including reputation damage, operational disruption or loss of proprietary information or other strategic assets.
The hard question is what to do about these threats, and how to avoid being intimidated by all of the technology associated with defending against them.
In the end, it’s about people
Dealing with cyber threats can be intimidating for many in healthcare who don’t consider themselves technologists. Our post-acute customers are in the business of providing patient care, not tech systems. In addition, these customers—therapy providers, skilled nursing facilities, outpatient clinics, home health agencies and hospice providers—are managing their operations with limited staff and resources. Tech insecurity plus limited time and resources can easily lead to inaction, which can leave healthcare providers vulnerable to cyber threats. The security industry doesn’t help the matter by focusing their conversations around speeds, feeds and other tech-speak, which can make implementing even the most basic security strategies overwhelming.
We hear these concerns daily from our customers. It’s a problem, for sure, but it’s important to put the security issue into perspective. Yes, implementing firewalls, antivirus software and other security technologies is absolutely important. However, many security issues arise from something much simpler and more human—employees falling victim to hackers’ social engineering schemes that trick users into clicking where they shouldn’t. Put differently, technology protections will matter little if your facility was hacked because an employee unwittingly downloaded a virus onto your network and gave the cybercriminal access to your patient data and systems.
Education is the key to preventing a large majority of security issues that currently plague the industry. While not every attack can be prevented, the numbers are clear. Opening bad attachments in emails is still the main cause of data breaches and other security incidents (at 66%), according to the Verizon Data Breach Investigations Report. This means that to a large extent protecting your organization has nothing to do with technology. It’s about helping your employees understand how cybercriminals and other fraudsters are using everyday communication tools like email, social media or even the phone to trick them into taking an action or divulging sensitive information.
Avoiding cyber scams
Here are two common ways cybercriminals are gaining access to healthcare organizations, as outlined by the Center for Internet Security (CIS).
- Phishing emails – These emails are designed to get a user to click on a link or open an attachment to download malware or be redirected to a website that will prompt the user to provide sensitive information, such as login credentials and passwords. Often these emails evoke a sense of urgency or other emotion to get the user to do what they want—with headlines like “you missed a delivery!” or “you’re locked out of your account, please update your record.” Spear phishing is a targeted form of phishing, where the cybercriminal sends a more personalized email that appears to come from a known or trusted source to an individual or small group of users.
- Business Email Compromise (BEC) – This is when scammers use a spoofed email or compromised account to trick employees into initiating a money transfer to an alternate (fraudulent) account. Often, the criminal has done research and pretends to be someone within your organization, such as your CFO, to get you to perform the task thinking that it was a legitimate request.
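The two patterns above (an executive's name on an outside address, a reply routed somewhere else, urgency language, and a request to move money) are also the cues an email gateway or a helpdesk triage script can check before a message ever reaches a busy employee. The following is an added example, not code from the original post or from CIS; the organisation domain, executive names, cue phrases and the two sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
INTERNAL_DOMAIN = "example-clinic.test"
EXECUTIVES = {"jane doe": "CFO", "john roe": "CEO"}

# Urgency and payment-redirection phrases of the kind the CIS guidance describes.
URGENCY_CUES = [r"\burgent\b", r"locked out", r"missed a delivery",
                r"update your (record|account)", r"within 24 hours"]
PAYMENT_CUES = [r"wire transfer", r"change (the |our )?bank",
                r"new (vendor |bank )?account", r"payment details"]


def _domain(address):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def analyze_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    # Only single-part text messages are handled here; multipart bodies are skipped.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    findings = []
    # Display-name impersonation: a known executive's name on an external address.
    if display_name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        findings.append("executive display name from external domain")
    # Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if any(re.search(p, text) for p in URGENCY_CUES):
        findings.append("urgency language")
    if any(re.search(p, text) for p in PAYMENT_CUES):
        findings.append("payment redirection request")
    return findings


# Constructed sample: a BEC-style request pretending to come from the CFO.
SAMPLE_BEC = """From: Jane Doe <jane.doe@example-clinic-mail.test>
Reply-To: Jane Doe <j.doe.cfo@freemail.test>
To: accounts@example-clinic.test
Subject: Urgent wire transfer needed today

Hi, I need you to process a wire transfer to our new vendor account before noon.
Please update the payment details and confirm within 24 hours. Thanks, Jane
"""

# Constructed sample: an ordinary internal message from the same executive.
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example-clinic.test>
To: accounts@example-clinic.test
Subject: Q3 budget meeting notes

Attached are the notes from Tuesday. No action needed before next week.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, "->", analyze_message(sample) or ["no findings"])
```

A message that trips several of these checks at once is worth routing to a second person for an out-of-band confirmation (a phone call to the known number, not a reply to the email), which is the same verification step the CIS guidance asks employees to perform by hand.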
For advice on how to help your employees avoid these tricks, consider a few of the user recommendations provided by CIS. Ultimately, the most important takeaway is that despite all the frightening headlines, there is much you can do to minimize your risk of a data breach or cyberattack. Oftentimes, the problem has more to do with how people behave—the human element—than any security technology on the market. If you can tackle the “people part” of the security equation, then you’ve already made enormous headway in preventing security problems down the road.
This should be encouraging news because perhaps more than any other type of business, healthcare providers understand the value of educating clinicians and staff to achieve optimal outcomes. In this case, the outcome is improved security.
For more information and tips on how to prevent a specific type of cyber threat—a ransomware attack, see our blog post: Healthcare Security: What is Ransomware and How Do I Prevent an Attack?