By Jordan MacAvoy / Special to Healthcare Facilities Today

The need for cybersecurity cuts across all industries that handle critical data, including the healthcare industry. A digital shift in the handling of private health information (PHI) opened up healthcare systems to hackers. According to Verizon’s Data Breach Investigations Report, the healthcare industry experiences more data breaches than any other sector.

Criminals are paying handsomely, up to $363 for PHI. Unfortunately, for healthcare facilities, the cost for every stolen record is as high as $355. Patients also began a target for scams and blackmail. It’s, therefore, essential for all healthcare facilities to understand cybersecurity risks and have a plan in place.

What Are the Risks for Healthcare Facilities?

Malware

Malware refers to software that intends to harm your systems or gain unauthorized access. It can include ransomware, viruses, and spyware. Hackers can deliver the malware through files and documents, inside devices, or send them via email through phishing attacks.

Hackers that use ransomware encrypt your data and demand a ransom before giving back your information. The amount could be anything from hundreds of dollars to cryptocurrencies which you give in exchange for a decryption key.

A virus is a software that replicates itself by spreading between devices and systems. It can attach itself to a document and launch once a person downloads the document. Some viruses can either destroy or corrupt your data.

Social engineering

Social Engineering refers to several attacks that use psychological manipulation to steal data or gain entry into systems. Usually, hackers first observe their prey to gain an understanding of their systems, networks, and associates. The attacks then aim to earn your trust and dupe you into providing personal details.

Some hackers lay bait through ads that lead to malicious websites or utilize scareware that tricks you into installing software based on a false attack. Phishing attacks are also frequent. These attacks create messages and emails that impersonate authentic organizations and trick you into clicking on sites and providing personal data.

Employee error

Your employees can leave your healthcare facility open to attacks. In most cases, they may not understand what they’re doing. For example, writing a password on a sticky note on the desk is a common yet innocent mistake by workers. Unfortunately, anyone can copy the password and use it to access your data.

Sometimes, your workers may use weak passwords, which hackers can easily crack and access your data. Other common errors include using unsecured devices to handle, share, and store patient information, connecting company devices to public unsecured hotspots, and giving authorization to other workers at your facility.

Cloud attacks

While using the cloud is essential for storing information, backing up data, and lowering operational costs, it also presents several challenges for cybersecurity. Crimes such as cryptojacking slow down your systems. The hackers use your cloud computing resources to mine cryptocurrencies at your costs. Hackers can also breach your security to steal PHI and sell it on the black market.

How to protect your healthcare facility from cybersecurity attacks

1. Have the right personnel

Having the right cybersecurity team, whether as direct employees or third-parties, is essential. As a health care provider, you need cybersecurity professionals to help you create secured networks and systems. The right IT team will advise you on the proper protocols, software, and habits that can help your facility prevent data breaches. You also need a team to help you train employees in your facility and advise them on issues such as access limitations, strong passwords, secure and insecure networks, and data breach protocols.

2. Secure your devices

Unsecured devices are a weak link that hackers utilize to breach systems. Most digital devices come with default usernames and passwords, which are easy for hackers to guess. All IoT devices from phones, laptops, printers, and fridges increase risk. While a hacked fridge is easy to dismiss, think of what a hacker can do by infiltrating your smart heating and ventilation systems.

To secure your devices, you need to create a data security-conscious culture which ensures that all workers participate.

• First, always remember to change default usernames and passwords on devices.
• Encourage the creation of strong passwords. Password managers help you keep a record of all your passwords and only require you to cram one overall password.
• Use multifactor authentication to ensure that only authorized personnel gain access to specific devices.
• Ensure that all your company devices only use the secured company network to access data, especially from online sources. Discourage your employees from taking office devices home or using their personal devices to share health care information.
• Always update all your firewalls, anti-malware, and antivirus software for all work devices.
• Use internal applications and servers to minimize the reliance on external hardware that may be vulnerable to cyberattacks.

3. Train your employees

An analysis by CybSafe found that human error caused 90 percent of data breaches. Having the latest policies and secure networks are almost pointless if your employees are the weak link. Training your employees is essential, not because it allows you to blame them, but because it empowers them. Educating your employees about their roles in data security ensures that they cultivate a security-conscious culture at the workplace.

Phishing, for instance, targets clueless workers. These types of social engineering attacks steal data, login credentials, and credit card information. Usually, most attackers send emails masquerading as authentic organizations and trick the user into providing information, installing viruses, or launching a ransomware attack.

Educating your workers will help them analyze emails before responding. Workers can ask themselves if they expected emails and verify addresses if they have proper training. You can also discourage employees from sharing passwords, allowing unauthorized access, and using unsecured devices and networks to share PHI.

4. HIPPA compliance

The federal Health Insurance Portability and Accountability Act (HIPAA) was among the first laws in the U.S. to regulate how private data is handled in the U.S. However, since its enactment in 1996, HIPAA has come a long way. Healthcare facilities have become a favorite for hackers, and necessary changes over the years ensure that (PHI) remains confidential when it’s handled.

Obtaining HIPAA compliance is necessary for all healthcare facilities. To pass the audit, your facility should have administrative, physical, and technical safeguards for PHI. The standard also requires health facilities, covered entities, and their associates to have a risk management plan and breach protocols. Failure to comply with the regulation in HIPAA results in hefty fines for the parties at fault.

5. Have a budget

Information security at your healthcare facilities requires a regular, steady, and adequate budget, just like other departments. You need to hire a cybersecurity team, organize training for employees and management, invest in new software and systems, and also pay for compliance.

To prepare a budget, take a look at what you’re currently spending on versus the return on investment. Updated software and hardware, regular training, and audits are necessary. However, you can choose to outsource part of the cybersecurity team or servers to save on costs based on the size of your facility.

Final thoughts

Having the right personnel is essential for cybersecurity. With the right team, you can become HIPAA compliant, secure your devices, train your employees, and also create an adequate budget for cybersecurity.

Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs