Technology is both a blessing and a curse to the healthcare industry. Applications, websites and other IT solutions help healthcare organizations deliver high-quality patient care. However, these solutions can also provide cyber-criminals with opportunities to attack hospitals, medical centers, physician offices, and other healthcare providers that use these technologies. This situation is so serious that cybersecurity is the top hazard in the ECRI Institute’s “2019 Top 10 Health Technology Hazards” list. IT solutions can lead to cybersecurity threats in many different ways. As a result, healthcare providers need to have a comprehensive strategy to mitigate risks.
How IT solutions can lead to cybersecurity threats
How can seemingly innocuous apps, websites and other solutions lead to cybersecurity threats? A common cause is that these solutions are not adequately protected and monitored. Consider the following:
- Some providers use remote-access solutions so that off-site staff or business partners can access main office computers and apps. If these remote-access solutions are not adequately protected and monitored, cybercriminals can hack the solutions to gain entry into the networks to which they are connected to and then launch an attack. For example, LabCorp, a clinical blood testing lab had 7,000 systems and 1,900 servers compromised by the SamSam ransomware in July 2018. Threats like SamSam typically bombard remote-access solutions with brute force password-cracking assaults to gain entry into organizations’ networks. Healthcare providers were the top target of SamSam ransomware attacks in 2018, according to Symantec ransomware research.
- Healthcare organizations often provide web portals that patients use to view test results, pay bills, search for doctors, and perform other tasks. However, 75% of websites have security vulnerabilities, according to an Internet Security Threat Report by Symantec. Cybercriminals often exploit unpatched vulnerabilities in websites to gain access to the server and any connected systems or networks.
- Many healthcare providers do not realize that they need to protect the solutions they put in the cloud. Typically, cloud service providers only assume responsibility for the physical security of their data centers and infrastructures.
Inadequate protection and monitoring are not the only causes of cybersecurity threats — the human element also plays a role. Cybersecurity threats can result from unintentional mistakes made by the staff. For example, even though email solutions have been around for many years, phishing emails are still prevalent — and still very effective. In 2018 alone, employees at New York Oncology Hematology, NorthStar Anesthesia, UnityPoint Health, and other healthcare organizations inadvertently fell for phishing emails, resulting in data breaches and compromised systems.
Moreover, insiders may intentionally use IT solutions for malevolent purposes. For instance, a McAfee study found that 22% of data breaches were caused by malicious insiders, including employees, contractors and suppliers. They used various internal solutions to steal customer, employee, and financial data as well as intellectual property.
How to mitigate the risks
There are numerous actions that healthcare providers should take to mitigate these threats. Beyond implementing basic protections (e.g., implementing security software, making sure all IT solutions are updated, set up securely with the latest patching), they should:
- Set up and monitor a series of layered firewalls to catch web attacks
- Implement a network anomaly detection system and vulnerability scanner to quickly detect and respond to threats
- Collect, aggregate, and analyze log data from various programs to identify potential security threats
- Secure IT solutions running in the cloud
- Monitor the networks for unusual events (e.g., unauthorized access to systems) to detect both insider attacks and external threats
- Educate staff on how to properly use an organization’s technologies, including pitfalls to avoid and best practices (e.g., phishing emails)
Managed security services to the rescue
While the list of actions that healthcare providers need to take is long, it is important for these measures to be taken. The consequences of not doing so can be costly. For example, data breaches alone cost organizations $61 million each year, according to the Internet Crime Complaint Center (IC3), which is part of the U.S. Federal Bureau of Investigation (FBI).
Healthcare organizations that want to concentrate on caring for their patients rather than trying to secure their IT solutions can rely on managed security services. With a managed security service provider, organizations can have around-the-clock protection without having to invest in advanced security systems and the staff needed to set up, manage, and monitor those systems.
This week from February 11-15, 2019 in Orlando, FL, Synoptek will be returning to participate in HIMSS19, the leading health information and technology conference that brings together 45,000+ professionals from around the world for the education, innovation and collaboration to succeed in the shared mission of transforming health. Stop by the Synoptek Booth #5785 to learn more about how we can help you tackle your biggest health IT challenges. We will also be offering complimentary cybersecurity health check assessments and presenting a cybersecurity session on Wednesday, February 13th at 11:45am about Risk Management Strategies in Today’s Patient Care. Click HERE to learn more.
About the Author
Synoptek is an established firm that provides information systems consulting and IT management services. Synoptek and its predecessors have been providing these services for 23 years.