The easily accessible, highly valuable nature of healthcare records is seeing people’s most personal data becoming increasingly accessible to cybercriminals. No other single record bank contains as much Personally Identifiable Information (PII) as that held by healthcare organisations, which makes this data invaluable to hackers.
Nowhere else are hackers able to get their hands on information that allows them to form such a thorough profile of their potential victims. Healthcare records not only offer up a patient’s name, address and social security details, but also often include their financial and insurance information – which ultimately can enable attackers to commit identity fraud and financial exploitation.
Further exacerbating this problem is the incredibly complex network of IT systems now deployed by healthcare organisations, to help patients communicate with healthcare professionals and to provide access to electronic health records and medical devices. This leaves businesses within the healthcare industry even more vulnerable to cybercriminals’ increasingly sophisticated tactics and ever-evolving techniques.
Safe and secure communications
Healthcare organisations are poorly prepared for protecting their data and that of their patients from mobile security threats. There are fundamental concerns with how these businesses approach cybersecurity, due to a complete lack of know-how, budget and resources when it comes to preventing potential cyberattacks.
Indeed, healthcare organisations have been advised that they should be spending at least 10 per cent of their IT budget on cybersecurity yet the industry average is just 3 per cent, according to the 2015 Health Information Management and Systems Society Leadership Survey.
This lack of investment is further impaired by healthcare organisations underestimating the importance of and lack of investment in mobile security, a failure to implement basic prevention measures, and ignoring key security tools such as encryption. The end result of this is offering cybercriminals an open goal to infiltrating their systems.
Embracing end-to-end encryption
In this digital age, healthcare professionals must be able to communicate with colleagues and patients as securely as if they were speaking to them face-to-face without fear of their communications being intercepted. Security tests have repeatedly proven that end-to-end security is the only way to prevent cybercriminals, intruders, corporate espionage, hackers, rogue nation states and more from violating mobile communications.
With that in mind, healthcare organisations must provide their employees with encrypted mobile communication services. We are not talking about consumer messaging platforms that have recently begun tagging encryption onto their services as an after-thought, but communications services that have been built with security in mind from the get-go.
The rapid rise in sophistication of techniques deployed by cybercriminals means that encryption has to keep on evolving too. We’re now seeing security systems that deploy RSA 4096-bit encryption, which researchers have estimated would take over 1,000 years to crack. Furthermore, they use encryption keys that are kept encrypted in a secure cloud that can only be accessed when a user validates they are who they say are – meaning even if an organisation like the NSA wanted to get to them, they couldn’t.
Through technology like this, healthcare professionals would be able to communicate with one another and their patients safe in the knowledge that their messages will only be seen their intended recipient. Furthermore, they will also be notified of any attempted attack on their privacy, giving them confidence their communications are as secure as possible.
Time to act
The vast quantity of PII available in the healthcare industry guarantees it will remain an attractive target to attackers and a weak point for employees, unless organisations make serious changes to their communications policies. Healthcare executives must place more focus on the danger that cyberattacks pose to their organisations, and put more emphasis on protecting their data and that of their patients by deploying industry-leading security tools.
Improved, ongoing security training for employees will also ensure they are onboard with this culture shift. It’s all well and good having security policies in place but if employees don’t have a thorough understanding of what the cyber threats are, how dangerous they are and how to be resilient against them, then they are rendered useless.
Now is the time for healthcare organisations to embrace end-to-end encryption and boost their chances of countering breaches and avoiding the high costs of remediation.
[su_box title=”About Jonathan Parker-Bray” style=”noise” box_color=”#336588″][short_info id=’60694′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.