Cybercriminals across the globe continue to target healthcare organizations, exploiting any vulnerability they can. Healthcare entities are still struggling to protect themselves against these hackers, whose tactics are getting more sophisticated by the day.
Below are three changes that cybersecurity experts think need to happen in order to strengthen the healthcare industry’s defense posture.
All healthcare employees need cybersecurity training
Internal human error is one of the most common factors that cause cyberattacks at enterprises across all industries, pointed out Anurag Lal, CEO of NetSfere, a cybersecurity company offering a secure messaging platform.
“Most attacks happen at the hands of an employee who simply made a mistake,” he said. “These mistakes have detrimental impacts though, which is leading to a growing fear among staff members. In fact, according to a survey, some cybersecurity professionals say that they haven’t reported a breach due to fear of losing their jobs.”
To address this problem, companies need to create an open-door policy in the workplace so employees feel empowered to talk about any and all risks that their organization may be facing, Lal recommended.
Companies must also ensure that all employees understand how to recognize cybersecurity risks, as well as educate all workers on how to communicate or transport patients’ electronic health information properly, he added.
“Healthcare companies need to assign clear job roles and descriptions and ensure they are communicated throughout the organization,” Lal remarked. “Healthcare entities need to make certain that workforce members are equipped with the necessary knowledge, skills, and abilities to fulfill particular roles and that these requirements are included as part of the personnel hiring process.”
Lal also noted that employees’ cybersecurity training should be an ongoing, evolving process that is responsive to environmental and operational changes.
The government must establish minimum cybersecurity standards
The federal government has yet to set a standard for a minimum set of cybersecurity protections across all industries, noted Joel Burleson-Davis, senior vice president of worldwide engineering and cyber at digital identity security company Imprivata.
“There are a few issues that arise from the lack of a governmental cybersecurity program,” he said. “The first issue that arises is the mentality shift for organizations that are making hard choices — when controls are a ‘should’ versus a ‘must’ implement, resource-strapped organizations may veer away from implementing them.”
The lack of a strong government program leads to inconsistent security practices across the healthcare sector, making it easier for hackers to exploit vulnerabilities — and this is becoming even more of an issue as healthcare organizations become more interconnected and in many cases, consolidate, Burleson-Davis pointed out.
Organizations like the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) have released cybersecurity guidelines and frameworks for healthcare organizations, but they haven’t been very effective, he said.
“While these guidelines provide helpful information, they have not established any firm standards, incentives or accountability for organizations to proceed with implementing updated best practices. They are just recommendations — meaning organizations can take or leave them,” Burleson-Davis declared.
The lack of consequences in the event of an attack also allows healthcare organizations to gamble with their security and patient safety when they fail to implement best practices or appropriate back-up and data recovery methods, he added.
The impact of the Change Healthcare cyberattack is a key example.
“Many were aware that Change Healthcare was the single point of failure for all payment processes — yet, they did not implement a backup method, as it was deemed too expensive and time-consuming of a process,” Burleson-Davis remarked.
Last month’s attack on Ascension is another timely example, he noted. Ascension is one of the largest health systems in the country, with 140 hospitals across 19 states — if it can get attacked, then every health system in the U.S. is at risk of suffering a devastating cyberattack, he said.
In Burleson-Davis’ view, the number one thing that needs to change for healthcare cybersecurity to improve is the establishment of minimum, government-enforced cybersecurity standards specific to the healthcare industry — along with incentives and resources to ensure healthcare organizations can successfully build and maintain their cybersecurity programs.
“Real change will come when standards and initiatives are introduced alongside the means needed to achieve them,” he declared. “Budgeting is a routine issue for smaller healthcare providers as their leaders know that cyberattacks have dire privacy and financial consequences. When they’re forced to choose between an urgently needed MRI machine for their patients or a new cybersecurity product, they’ll understandably choose the former.”
Healthcare organizations should collaborate to address shared vulnerabilities
Cyberattacks are pretty horizontal, but the entry points are vertically oriented, said Gaurav Kapoor, CEO of cybersecurity software company MetricStream.
He noted that when a cyberattack occurs in the finance industry, stakeholders from all over the sector often collaborate to solve the issue as quickly as possible. The finance sector also works collaboratively in a proactive sense — banks all over the world have established networks where they regularly share new risks that are emerging and how to get ahead of them, he stated.
But in the healthcare cybersecurity world, there doesn’t seem to be the same type of speedy, cooperative approach.
“I feel like there can be more collaboration in healthcare in terms of plugging up where the leak points are,” Kapoor remarked.
Healthcare providers that have been hacked should share details with other organizations throughout the sector so they can be aware of what to patch in their own systems, he recommended.