Know how cyber attacks happen and how you can protect your organization, patients, and colleagues from a data breach
A typical patient medical record contains the individual’s full name, address, birthdate, phone number, email address, Social Security (or similar) number, emergency contact details, health insurance details, and in some cases credit card and bank account information.
That is everything a cybercriminal needs to commit identity theft, and unlike a card number, a name, birthdate, or Social Security number cannot easily be changed once it has leaked.
Stolen healthcare records reportedly sell for around $1,000 USD each on the dark web, far more than the roughly $110 paid for stolen credit card data.
This is why the healthcare sector is a prime target for cyber attacks. Cybercriminals do not discriminate by size, location, or healthcare niche; all they want are the records.
- Attack on University Hospital Brno, Czech Republic. In the midst of the COVID-19 pandemic, the hospital was forced to shut down its entire IT network, cancelling surgeries and transferring patients to other hospitals. University Hospital Brno is the Czech Republic’s second-largest coronavirus testing laboratory.
- Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak. The U.S. Health and Human Services Department suffered a cyber-attack on its computer system, part of what people familiar with the incident called a campaign of disruption and disinformation aimed at undermining the response to the coronavirus pandemic, and which may have been the work of a foreign actor.
- Ransomware Attacks on Healthcare Providers Rose 350% in Q4 2019. A Corvus analysis reveals the vast majority of ransomware attacks on healthcare providers stem from phishing incidents, as attacks jumped a whopping 350 percent in the last quarter of 2019.
Cybercriminals know that the move to electronic records, medical IoT, data sharing across providers, healthcare companies, and third-party vendors, and the lag in upgrading IT networks have opened numerous gaps that are ripe for attack.
Nurses, doctors, and other medical professionals dealing with life-or-death situations do not have time to spot a cyber attack in progress or a device that has been infected by malware.
A September 2019 article in Healthcare Business & Technology sets out the scale of the cyber threat to the healthcare industry:
- There were more than 2,500 reported cyber data breaches between 2009 and 2018
- 62% of healthcare organizations experienced a breach in a 12-month period
- The average cost of a medical center data breach is $3.62 million
In our 2019 Gone Phishing Tournament™, we collected phishing email click-rate data across a range of industries, sizes, and locations. Among the surveyed healthcare organizations, 32% of phished individuals who opened the email and clicked the link went on to submit their credentials.
And this is exactly the tactic so many cybercriminals rely on to penetrate healthcare organizations, steal patient records, infect networks with malware, and disrupt the delivery of care.
The Biggest Cyber Security Challenges Facing Healthcare
Every healthcare organization across the globe is under immense pressure to provide state-of-the-art patient care, manage costs, and keep pace with the latest rules and regulations around electronic health care records, IT security, and patient data security.
This puts an immense strain on a workforce and system that is already working under 24/7 pressure. And unfortunately, this reality is what makes the healthcare sector so appealing for cybercriminals. These criminals know that healthcare professionals are now expected to also be data security experts – something that they are not trained for nor have the time to do.
In the fight against cybercriminals and cyber attacks, healthcare experts, security leaders, CISOs, and organizations face three major cyber security challenges:
- Medical Device Security. With the influx of new technologies, medical IoT, tablets, and smartphones, it is challenging for security leaders to ensure medical device security. In the health sector, keeping medical devices operational is crucial in maintaining patient care and even saving people’s lives.
Ensure all medical devices, networks, operating systems, tablets, and smartphones run current, vendor-supported operating system and software versions. Where a medical device cannot be patched promptly (for example, because the vendor must first validate the update against the device’s certification), isolate it on its own network segment and restrict which systems can reach it until it can be updated.
- Human Behavior. The human tendency is to trust and to want to help others. This makes people an easy target for social engineering, phishing, ransomware, and other cyber attacks.
Ensure all employees receive consistent security awareness training that uses real-world scenarios to highlight the security risks that come through email, text messages, and phone calls. An awareness program helps you clarify and communicate the responsibilities that come with handling information and technology resources, so that everyone is involved and understands their role in keeping the organization secure.
- Economic Pressures. Hospitals, research centers, clinics, etc. are all operating under tight budgets, making it difficult to prioritize spending on IT security and security awareness training. When weighing the cost of a fix, think beyond the IT spend: consider productivity costs as well, such as the staff hours lost and the backlog created if an MRI machine is out of service for several days.
Ensure that management and leaders understand the economic costs of a cyber attack and data breach and how these can be mitigated with updated software and innovative security awareness training campaigns.
6 Cyber Security Best Practices for Healthcare CISOs and Security Leaders
As a healthcare CISO or security leader, remember these six cyber security best practices:
- Create a cyber secure culture. Provide all employees with regular and consistent security awareness training and phishing simulations. Give employees access to interactive and engaging security awareness training that uses real-world scenarios to change human behavior.
- Regularly monitor employee awareness of phishing and ransomware and knowledge retention rates with phishing and ransomware simulations.
- Remind employees to create and use strong passwords on all mobile devices. If your organization uses a bring your own device (BYOD) program, hold regular training sessions about mobile device cyber security.
- Perform regular risk assessments on your network, technologies, software and applications, and your employees. Know where the risks are so you can install patches, upgrades, new software, and provide the right security awareness training.
- Limit network access. Give access only to the people who need it, review that access regularly, and ensure that these people have strong security awareness and receive regular training on the latest cyber attack methods.
- Ensure that all applications, internal software, network tools, and operating systems are up to date and securely configured. Use firewalls, application allow-listing, malware protection, and anti-spam filtering, and control both physical and virtual access.
This next section is intended directly for users and employees of the health sector.
How To Stay Cyber Secure at Work – 7 Tips For Users
You are our first line of defense against cyber security attacks. Cybercriminals use savvy social engineering tactics with convincing emails, text messages, and phone calls to convince you to click links, fill out online forms, and disclose confidential information.
By remembering and practicing these seven cyber security best practices, you are doing so much to keep our healthcare organizations cyber secure and safe:
- Do not open, click, or respond to emails from senders you do not know. The best approach is to be suspicious of every third-party or external email you receive.
- Carefully read all emails thoroughly, look for spelling and grammatical errors, inconsistencies in language, and pay very close attention to the sender’s email address and any embedded links. When in doubt – do not respond or click.
- Participate in security awareness training. We know that you’re very busy but the more you understand about how cyber attacks happen, the easier it is for you to recognize a malicious email, text message, or phone call.
- Do not use the same password for your email, network access, mobile devices, tablet, and software logins. Talk to our IT support team about a password manager that generates and stores unique passwords so you do not have to remember each one.
- Do not leave documents, files, charts, or patient records out on your desk, workstation, or other common areas. Follow all policies regarding patient security and data privacy.
- If you are using your own personal smartphone or tablet at work, please talk to your cyber security team leader about how to keep your devices secure and protected.
- When in doubt about an email, text message, or phone call do not respond. If the communication is from someone you know, speak directly with this person about their request. Remember cybercriminals mask their identity and pretend to be a friend, family member, colleague, or third-party associate.
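The second tip above asks users to compare the sender’s address and the embedded links against what the email claims to be. Those comparisons can also be made mechanically. The following is an added example written for this page, not code from the original article or its publisher: it parses a constructed sample message and flags the three signals the tips describe, a From domain that does not match the Reply-To, link text that shows one domain while the href points to another, and a link host that is a lookalike of the sender’s domain. The domains hospital-example.org and hospital-exarnple.net, the HOMOGLYPHS table, and both sample messages are assumptions constructed for the example.

```python
# Added example: mechanical versions of the "check the sender and the links"
# advice. The sample messages and domains below are constructed, not real.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: Reply-To and the login link use a lookalike
# domain ("exarnple" imitates "example" with r+n), while the visible link
# text shows the real domain.
SAMPLE_EML = """\
From: IT Helpdesk <helpdesk@hospital-example.org>
Reply-To: support@hospital-exarnple.net
To: nurse@hospital-example.org
Subject: Urgent: your password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Log in at <a href="https://hospital-exarnple.net/login">https://hospital-example.org/login</a>
to keep your access.</p>
<p>See the <a href="https://hospital-example.org/policy">intranet policy page</a>.</p>
</body></html>
"""

# Constructed benign sample: the link goes where its text says.
CLEAN_EML = """\
From: IT Helpdesk <helpdesk@hospital-example.org>
To: nurse@hospital-example.org
Subject: Scheduled maintenance
Content-Type: text/html; charset=utf-8

<p>Details: <a href="https://hospital-example.org/it">https://hospital-example.org/it</a></p>
"""

# Character pairs commonly used to imitate another letter in a domain name.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Lowercase domain of an email address, or host of a URL; '' if absent."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    addr = parseaddr(value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(suspect, trusted):
    """True if suspect imitates trusted's name under another TLD or via a
    homoglyph substitution; subdomains of trusted are not lookalikes."""
    if not suspect or suspect == trusted or suspect.endswith("." + trusted):
        return False
    label = lambda d: d.split(".")[-2] if "." in d else d  # name before the TLD
    s, t = label(suspect), label(trusted)
    for fake, real in HOMOGLYPHS:  # normalise both sides before comparing
        s, t = s.replace(fake, real), t.replace(fake, real)
    return s == t


def check_message(raw):
    """Return sorted (indicator, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg["From"] or ""))
    reply_domain = domain_of(str(msg["Reply-To"] or ""))
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From {from_domain}, Reply-To {reply_domain}"))
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        href_host = domain_of(href)
        # Visible text that is itself a URL must point where the href does.
        if "://" in text and domain_of(text) != href_host:
            findings.append(("link-text-mismatch", f"shows {domain_of(text)}, goes to {href_host}"))
        if is_lookalike(href_host, from_domain):
            findings.append(("lookalike-domain", href_host))
    return sorted(findings)


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, check_message(raw) or "no indicators")
```

The phishing sample trips all three indicators and the benign sample none. The homoglyph table is deliberately short and illustrative; a production check would also compare against a list of the organization’s real domains and would still not replace the advice above, since a phishing email sent from a colleague’s compromised account shows none of these mismatches.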
Together, we can create a cyber secure and safe workplace. This protects you, patients, organizations, and partners from cybercriminals who have one goal – to steal and harm.
Talk to your manager or security team leader about our internal security awareness training and about any questions you have about cyber security.