Cybercriminals looking to make a profit are turning their attention towards an industry known for housing sensitive consumer data with weak security protocols: healthcare.
In April of 2018, Utah-based company HealthEquity reported 23,000 accounts were compromised in a data breach when an employee fell for a phishing scheme. As a result of human error, information like employee names, deduction amounts and social security numbers were exposed.
The HealthEquity breach is hardly an isolated incident in healthcare. A former employee, for example, was caught inappropriately accessing the medical records of 29,000 patients at SSM Health in St. Louis, Missouri. In Chicago, two of Sinai Health Systems employee email accounts were caught in a phishing scam, impacting the records of 11,350 patients. 2017 alone saw the U.S. Department of Health and Human Services report an approximate 477 healthcare breaches and the exposure of more than five million patient records.
While organizations can’t control the actions of cybercriminals and rogue staff members, they can address how employees approach security and mitigate the risk of a breach by strengthening internal cybersecurity habits.
Healthcare providers are feeling the impact of putting off cybersecurity for years
Historically, healthcare organizations have neglected cybersecurity best practices in order to focus on what they do best: providing excellent patient care. But this has left employees wholly unprepared to deal with cyber threats when they inevitably occur.
Given the sheer volume of breaches caused by human error, it’s no surprise to learn that 80 percent of health IT professionals are concerned about employee security awareness. Employees are the weakest link within an organization — more often than not, breaches are the result of human error because someone didn’t comply with or understand security best practices. Today, employee mistakes account for more than one third of ‘threat actions’ hurting the healthcare industry.
Seemingly innocuous activities, like sending sensitive files over email instead of a secure intranet, can actually help hackers bypass the even the strongest security measures. Similarly, connecting unauthorized applications to healthcare networks pokes holes in existing defense mechanisms. That popular messenger app everyone’s been talking about? If employees use it on a hospital’s network, it could be putting internal servers and sensitive information at risk. A recent Igloo Software survey found 30 percent of healthcare employees will use apps that provide the greatest convenience over ones that have been approved by their employer’s IT team.
Education is the key to eliminating risk brought on by human error
Healthcare organizations continue to struggle to provide sufficient awareness training to their internal teams, making it difficult for employees to strengthen their security hygiene. And IT professionals agree the lack of education is taking a toll on their organization’s ability to respond to threats. A recent study conducted by the Ponemon Institute revealed 52 percent of American healthcare executives believe the lack of security awareness impacts their security posture.
The need for security education is so important that regular training is now a requirement to demonstrate compliance with Health Insurance Portability and Accountability Act (HIPAA) Rules. Because cyber attacks are evolving every day, effective awareness programs need to provide regular training to employees whenever threat intelligence is shared. Ideally, cybersecurity updates should be given monthly while security training should be provided a couple of times per year.
Within the training program, employees should learn how to distinguish between different threats and have the opportunity to act out their response in simulated environments. A routine phishing test, for example, evaluates an employee’s ability to distinguish between a real and a fake email. Quarterly reminders about the dangers of phishing and easily accessible learning materials can also help workers keep cybersecurity top of mind. In addition to training sessions and skills tests, healthcare providers can encourage security best practices by:
- Incorporating cybersecurity education in new employee onboarding materials.
- Administering routine phishing tests and regularly assessing employees’ security knowledge.
- Notifying teams when new threats emerge with real examples and ways to respond.
Organizations can’t afford to ignore the state of their cybersecurity, not when there’s personally identifiable information (PII) at stake. In order to successfully tackle online threats, healthcare providers will need to empower their employees to be a robust first line of defense against impending cyber attacks.
Augment employee training with robust tools for total security coverage
To create a truly holistic cybersecurity environment, organizations should supplement awareness training with security tools monitoring networks and devices around the clock. Securing a healthcare environment requires a multi-pronged approach — layered defenses, not one dimensional strategies, will ensure PII and other sensitive information remain safe from criminals.
One common best practice organizations are using is requiring employees to enable multi-factor authentication (MFA) when connecting to workspace and company accounts. By adding an extra layer of security, such as a code sent via text message or fingerprints, MFA ensures stolen login credentials can’t be used to infiltrate internal systems. As employees bring their personal devices into work, healthcare organizations can deploy a bring your own device (BYOD) policy, clearly articulating what files and servers workers can connect to on their mobile device.
In addition to strengthening account security and policing mobile devices, healthcare providers can leverage tools like antivirus software and content filtering solutions to protect healthcare environments. Firewalls, analytics and machine learning tools also help hospitals detect threats in real-time and stop hackers in their tracks. Implementing an identity access management (IAM) solution enables organizations to monitor employee access to PII and immediately restrict access to information when authorized users are detected. Regularly auditing healthcare networks for vulnerabilities also allows healthcare organizations to test their cyber resiliency and make adjustments when necessary.
With proper awareness training, employees are less likely to fall for spam emails and avoid creating vulnerabilities that hackers are waiting to exploit. Using a combination of education and security software, healthcare organizations can minimize the human element risk and strengthen their overall security posture. By empowering employees with the tools to address cyber threats head on, healthcare organizations can stay a step ahead of criminals and shut down a breach before it even takes place.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.