Why is healthcare so heavily and successfully targeted by cybercrime? After a record number of breaches last year – nearly 90% of all successful ransomware attacks were on hospitals – it’s a question that needs to be asked.
Cybercriminals target healthcare data because hospitals need immediate access to up-to-date patient information in order to provide critical care. When malware enters the system, it blocks access to that data and, in turn, prevents hospital staff from efficiently and effectively treating a patient. The cybercriminals then demand a ransom, usually in the form of Bitcoins. Ransomware is growing in popularity because it works. In 2014 alone, the FBI estimates that the minds behind the CryptoLocker strain of ransomware extorted nearly $27 million in six months from the data they took hostage.
When MedStar Health, a health system serving the Baltimore/Washington region, was hit by a cyberattack in 2016, they chose not to pay the Bitcoin ransom, instead shutting down every aspect of MedStar Health’s electronic medical record systems.
Hospitals are also a prime target because employees aren’t always trained on security awareness. While HIPAA aims to ensure that patient privacy is protected, in general, hospitals do not place a big enough emphasis on the importance of cybersecurity. Protecting data has always been a challenge, but an aware and invested workforce can become your company’s first line of defense.
Defeating the cybercriminals – what hospitals can do to stay secure
So, what can hospitals do to try to reduce the number of cyberattacks, like the recent WannaCry virus which affected hospitals in England and Scotland?
The WannaCry ransomware attack was particularly effective against unpatched Microsoft operating systems, and in particular unsupported versions of Windows XP. To protect against attacks like these, understand what software is in operation, where it is and what version is running. Begin by establishing an active patch management policy to ensure that software is being updated in a timely manner. Confirm, too, that you can quickly identify whether or not this is actually happening; otherwise hackers will find and exploit those vulnerabilities for you.
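As an added illustration of the inventory check described above (example code, not Ostendio's or the post's own), this script flags hosts still running an operating system past its vendor end-of-support date and hosts whose last security update is older than the patch policy allows; the hostnames, locations and dates are constructed, and the 30-day window is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Vendor end-of-support dates (public Microsoft dates; extend for your estate).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

@dataclass
class Host:
    name: str          # hypothetical hostname
    location: str      # where it is: ward, department, etc.
    os_name: str       # what is running
    os_version: str    # which version is running
    last_patched: date # when it last received security updates

def classify_host(host, today, max_patch_age_days):
    """Return the most severe finding for a host under the patch policy."""
    eos = END_OF_SUPPORT.get(host.os_name)
    if eos is not None and today > eos:
        return "unsupported-os"      # no vendor fixes exist for this OS
    if today - host.last_patched > timedelta(days=max_patch_age_days):
        return "patch-overdue"       # fixes exist but have not been applied
    return "compliant"

def patch_report(hosts, today, max_patch_age_days=30):
    """Group host names by finding so the ones needing action can be located quickly."""
    report = {"unsupported-os": [], "patch-overdue": [], "compliant": []}
    for h in hosts:
        report[classify_host(h, today, max_patch_age_days)].append(h.name)
    return report

# Constructed sample inventory (hypothetical hosts) and report date.
SAMPLE_HOSTS = [
    Host("mri-console-01", "Radiology", "Windows XP", "5.1", date(2016, 11, 2)),
    Host("nurse-ws-12", "Ward 4", "Windows 10", "1607", date(2017, 3, 20)),
    Host("lab-pc-03", "Pathology", "Windows 7", "6.1", date(2017, 5, 9)),
    Host("admin-ws-07", "Finance", "Windows 10", "1607", date(2017, 5, 11)),
]
REPORT_DATE = date(2017, 5, 15)

if __name__ == "__main__":
    for finding, names in patch_report(SAMPLE_HOSTS, REPORT_DATE).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Feeding the script the output of your real asset inventory tool turns the "where is it and what version is running" question into a list that can be checked daily.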
Hospitals also need to look at their vendors. Third parties can add significant risk to any organization, so ensure that any vendor who may have access to your network also operates securely. Track your vendors to ensure that you have the requisite security assurances (Business Associate Agreement or Covered Entities) within your vendor contract, and/or schedule regular security audits.
Most ransomware viruses get installed by human error. Employees clicking on phishing links, downloading infected attachments, or visiting malicious websites are the main causes of ransomware entering a system. Make sure that your employees are regularly trained on the dangers of ‘click bait’ emails and headlines. Run routine training and have employees sign off on phishing awareness policies and training.
Employees need to know where data is, when they should access it, how it should be used and how it’s being protected. Only then can they become your front line of cyber defense. The greatest cybersecurity tool of all is your employees. Engage them effectively and you will make your hospital more secure.
Ostendio will be discussing the latest healthcare cybersecurity threats and cybersecurity solutions on the Healthcare Cybersecurity: Challenges and Solutions panel at the Capital Health Tech Summit on June 15. Hosted by the Northern Virginia Technology Council, the Summit will explore how tech is transforming and disrupting the business and delivery of health today and highlight the unique intersection of commercial, government and academic assets that make Greater Washington the epicenter for innovation in the health technology sector.