It’s no secret that the healthcare industry faces some serious challenges when it comes to protecting patient data and health information systems. Read any article on this topic, and you’ll find an abundance of statistics on the healthcare sector’s exposure to cyberattacks. At first glance, this may seem gloomy, but in some ways, this is good news.
The increased awareness of these challenges shines a spotlight on the needs of the healthcare sector, provides numerous resources and references, and continues stakeholder discussions on how to improve. It also brings attention to the issue so that practitioners, developers, regulators and industry leaders can appreciate the importance of having an actionable cybersecurity strategy.
A key, foundational component of an actionable cybersecurity strategy is that it can be implemented at the basic level and starts healthcare providers down the path of cybersecurity vigilance, maturity and compliance. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is the regulation that governs security compliance. Other laws, such as the Cybersecurity Information Sharing Act of 2015, also aim to help the health sector mature the cybersecurity awareness and posture of providers and staff. There are practical day-to-day approaches healthcare providers and staff can take to step up their cybersecurity defenses against some common threats. These are not new practices, nor are they exciting new cybersecurity tools, but when compared with the cost of recovering from a cyberattack, they can be critical in proving the old adage, “an ounce of prevention is worth a pound of cure.”
As defined by the U.S. Department of Homeland Security (DHS), phishing is a social engineering tactic that is used to persuade individuals to provide sensitive information and/or take action through seemingly trustworthy communications.[1] Phishing attempts are delivered primarily by emails worded and targeted to elicit a “click me” response. Although phishing threats have been around for years, they are still, in 2020, wildly successful. According to Verizon’s Data Breach Digest Report, “90 percent of the data-loss incidents the team investigates have a ‘phishing or social engineering component’ to them.”[2]
Phishing Defense Strategy
In the frenzy of the work day, it is easy to “click” before you read. However, the primary defense against this popular email threat is to cultivate a critical eye. Be skeptical of emails from unknown sources. In addition, be critical of emails from known sources that look suspicious. Some of the elements that might be suspicious include hyperlinks or attachments in emails that do not normally include these elements, missing letters or random characters in the sender’s email address, misspelling of organization names, or email text that appears stilted, generic or includes seemingly inappropriate greetings. (See Figure 1.)
If you receive an email that looks suspicious, delete it or move it to your junk email folder. Do not click on any links or open any included attachments. As attackers become savvier, using real organization logos, for instance, it may be difficult to determine if an email is authentic. In these instances, take actions to verify the authenticity by contacting the supposed sender by phone. Taking a moment to discern the validity of emails is a crucial tool in the day-to-day defense strategy against phishing attempts.
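The warning signs listed above (a sender address with missing letters, links to unfamiliar hosts, a generic greeting) can also be checked automatically as a mail-triage aid. The following Python sketch is an added example, not part of the original article; the trusted-domain list, the sample message and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organization normally corresponds with (constructed).
TRUSTED_DOMAINS = {"examplehealth.org", "examplelab.com"}

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def edit_distance(a, b):
    """Levenshtein distance, used to spot missing or random characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` closely imitates, or None."""
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def review_email(raw):
    """Return the reasons a message deserves a second look (empty if none)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    if not is_trusted(domain):
        hit = lookalike_of(domain)
        findings.append(f"sender domain {domain} resembles {hit}" if hit
                        else f"sender domain {domain} is not a known source")
    body = "" if msg.is_multipart() else msg.get_payload()  # plain text only
    for url in re.findall(r"https?://[^\s\"'>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted(host):
            findings.append(f"link points to unknown host {host}")
    if re.search(r"^dear (customer|user|sir/madam)\b", body, re.I | re.M):
        findings.append("generic greeting")
    return findings

# Constructed sample: one letter is missing from the sender's domain.
SAMPLE = ("From: Billing <billing@exmplehealth.org>\nSubject: Invoice overdue\n\n"
          "Dear Customer,\nPlease review http://invoices.example.net/pay today.\n")
```

A non-empty result is a prompt to verify the message with the supposed sender by phone, not proof that it is malicious.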
Ransomware is a type of malicious software that encrypts system data files and prohibits access. The attacker demands ransom payment to restore access to the encrypted data files. Ransomware can affect organizations in multiple ways, causing system downtime, lost productivity and lost sales and, at its most severe, threatening patient safety. (See Figure 2.)
Ransomware Defense Strategy
Ransomware attacks are usually launched through phishing attacks. Therefore, the ransomware defense strategy starts with all of the best practices noted for phishing attacks. Additional safe practices include the following:
- Restrict Internet browsing to safe and trusted sources.
- Install antivirus software that scans email attachments.
- Ensure that software applications have security patching enabled and are scheduled to run at set dates and times.
- Establish a means to back up and restore system data files on a frequent schedule and on a separate system. This is very critical. Backing up your system data may not prevent a ransomware attack, but to recover from this kind of attack with minimum disruption of business operations, a backup is vital.
Unintentional Insider Threat
An unintentional insider threat is loss or compromise of data caused by accidental actions, such as a process or procedural mistake, a deception, process errors or circumvention of established security protocols. A 2019 report by Egress found that 79 percent of IT leaders said that employees had accidentally placed sensitive data at risk of exposure. In addition, 60 percent believed they would suffer an accidental data breach within the next 12 months.[3]
Unintentional Insider Threat Defense Strategy
The major defense against this type of threat is a daily dose of security training and awareness. Being aware of the value of the data that health professionals use and are responsible for protecting can help put into perspective why security policies, such as strong passwords, are so important. For example, if a bank employee received a cash deposit of $10,000, he or she would secure it right away, no matter what, right? The value of money is immediately apparent. Patient data also has a high value. According to the 2020 Vision Report by CyberMDX, highly sensitive patient information can sell for as much as $1,000 per health record on the black market.[4] Thus, establishing and following organizational security policies, ensuring the use of strong passwords and taking a moment to be cautious and critical can go a long way in helping to avoid threats to valuable patient data.
As an organization’s security policies are only as strong as their weakest links, an additional defense strategy includes getting everyone involved in daily cybersecurity awareness and training. For instance, establishing a rotating “patient data defender” role to promote and communicate best security practices on a recurring basis can serve as an excellent awareness and training tool. This type of strategy not only can get an entire organization engaged in best cybersecurity practices but also can contribute to a larger culture of safety and security throughout the organization. An organization’s teams can realize that they are part of the defense team, and all parties (the team and patients) benefit from good cybersecurity practices.
Cybersecurity Defense Strategy Helpful Resources
Leading healthcare industry organizations and government agencies have published and distributed numerous resources, guides and training materials to assist healthcare providers in establishing good cybersecurity practices and policies. After implementing the basic and foundational steps discussed in this article, check out the resources and tools listed in Table 1 to help get to the next level in maturing a cybersecurity defense strategy.
Table 1. Cybersecurity Defense Strategy Helpful Resources
This resource list is not exhaustive but offers good references as starting points for learning about and building robust cybersecurity practices.
- Health IT Privacy & Security Resources for Providers. Posted by Health and Human Services (HHS) HealthIT.gov: https://www.healthit.gov/topic/privacy-security-and-hipaa/health-it-privacy-and-security-resources-providers
- Cyber Security Guidance Material. Posted by the HHS Office for Civil Rights (OCR), the site includes a wealth of cybersecurity educational materials: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
- Topic Collection: Cyber Security. These resources from the HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) Technical Resources, Assistance Center, and Information Exchange (TRACIE) can help stakeholders protect against, mitigate and recover from cyber threats: https://asprtracie.hhs.gov/technical-resources/86/cybersecurity/0
- Stop. Think. Connect. This Cybersecurity and Infrastructure Security Agency initiative is a national public awareness campaign aimed at increasing the understanding of cyberthreats and empowering the American public to be safer and more secure online: https://www.cisa.gov/stopthinkconnect
- Cybersecurity. The Food and Drug Administration (FDA) Cybersecurity webpage summarizes the FDA’s activities related to medical device cybersecurity: www.fda.gov/medical-devices/digital-health/cybersecurity