Healthcare is one of the most attractive targets for cybercriminals. First, institutions manage vast amounts of highly valuable data about most individuals in our society. Then, consider the financial resources that hospitals and clinics have and how critical it is for everyone to keep their infrastructures up and running.
Every single incident related to cybersecurity that hits a hospital put in serious risk to an entire population, not only to the responsible professionals behind the hospital. The worst side of this problem is that many times the crime occurs from within.
So, how to protect hospitals from cyberattacks?
Before addressing the complex dynamics between cybersecurity and healthcare, it is essential to make this clear: most of the time, the enemy is part of the in-house staff.
It is a harsh truth that the healthcare industry has learned over the years. In 2018, the Verizon Protected Health Information Data Breach Report showed us how 58 percent of the cybersecurity incidents involved insiders; yes, the workers were directly involved in the crime.
For any organization, this is a harsh reality to face. It becomes more difficult to grasp such reality in healthcare as we all expect professionals in this industry to have the highest ethical and work standards among all.
Patients and their Privacy
The main goal of cybercriminals when attacking hospitals and clinics are stealing medical records. These records include abundant data that can easily use for fraud, such as names, social security numbers, addresses, phone numbers, birthday, and insurance information.
Every time a data breach occurs, the dark web flooded with new listings. These criminal vendors sell the medical records starting at $0.60 per record and going all the way up to $15 per record. These numbers can be stunning if we take into consideration that when a single data breach takes place, several million medical records stolen at once.
This situation creates a huge market that is worth billions in the dark web. This illicit business is moving sensitive data and opens the doors to many more billions in potential frauds.
Patient Monitoring and Cyberterrorism
Another face of cyberattacks hitting hospitals is everything related to monitoring devices. Patient monitoring is a fragile aspect of healthcare. There are thousands of critical patients in our systems, especially now that we are going through the COVID-19 pandemic crisis.
Early this year, DHS’ CISA and CyberMDX found severe vulnerabilities in GE Healthcare’s patient monitoring products. These vulnerabilities received “critical severity” ratings, and according to the analysts, such vulnerabilities could exploit to make the monitoring devices unusable and steal PHI.
Cyber-criminals could use vulnerabilities in monitoring devices for commercial purposes. Still, these circumstances pose more danger, which would directly affect the patient’s wellbeing by altering critical treatment equipment connected to the hospital’s network.
How to Protect Hospitals from Cyberattacks?
In the US, there are strict regulations, such as HIPAA, that affect the healthcare sector. These regulations cover how data and digital devices used and managed in hospitals, clinics, insurance companies, and more. Being compliant with regulations is a good start to keep organizations safe from cyberattacks.
Now, what else could we do? The main principle in cybersecurity applies here as well, which is proper security awareness training for the staff. Employees must have healthy habits online to prevent social engineering attacks and misuse.
The next layer of security should be multi-factor authentication and high-end data encryption. Single-factor authentication and unencrypted devices continue to be severe problems not only for hospitals but for all industries that manage critical data. The reality is that these technologies have become (for obvious reasons) the standard of how data treated, mainly when the data holds sensitive information.
Finally, we need to keep the in-house enemy in check. Zero-trust security models are necessary for access to privilege control in health care. Access to sensitive data must be minimal and role-based, guaranteeing full control and checking of what happens between access-enabled users and protected data. All these practices will require the support of a cybersecurity specialist to deliver the best results possible. An experienced professional can audit the current infrastructure to determine if there are potential vulnerabilities and implement the right mechanisms to protect the hospital and its systems.