The health care industry is consistently under attack thanks to cybercriminals who eagerly attempt to snatch valuable data, costing organizations substantial financial and reputational damage.
People often weigh in and wonder why the overall industry can’t sufficiently beef up its cybersecurity strategies. However, the headlines they see that alert the public about breaches and other issues don’t tell the whole story.
The Health Sector Appeals to Hackers
Besides the scope of the records to steal and the details that range from Social Ssecurity numbers to home addresses, hackers set their sights on the health care industry because, historically, it hasn’t kept up with the times.
A 2015 Sophos survey found 20 percent of respondents in the medical industry didn’t use encryption at all. Hackers are typically ahead of their targets. That means they likely knew about the widespread lack of encryption before researchers did.
Also, a profile of health care-related attacks in 2017 is especially eye-opening. In numerous cases, more than one security issue occurred on the same day in different locations. The frequency of attacks is a factor that’s urging health care organizations to spend billions of dollars over the next several years to make improvements.
Some facilities aren’t equipped to deal with large-scale attacks, which is alluring to hackers that want to earn notoriety for their efforts. In February 2016, ransomware attacks forced a medical center in California to endure a week-long computer shutdown while its employees relied on paper records and fax machines.
Internal Threats Are Severe
A recently released report from Verizon found the medical industry was the only one whereby internal members were the biggest risks to organizations.
The study found almost half — 48 percent — of the people on the inside who compromised data security were financially motivated, presumably aiming to use stolen data to open new lines of credit or take similar actions.
However, problems also arise when employees don’t treat data correctly due to human error or a lack of training. They might throw sensitive data into trashcans instead of shredding it, or make mistakes when sending paper documents to external companies.
Numerous Challenges Exist
Outsiders are not always aware of the massive number of obstacles involved in getting the health care industry well-equipped against cybersecurity attacks.
For example, all communications platforms used to transmit patient data must comply with the Health Insurance Portability and Accountability Act (HIPPA). This means that health care organizations have to follow strict rules in regards to the security of how they send and receive all patient information. While this does help with potential security issues, it can be extremely time consuming, though some organizations hope to change that soon.
Another issue is that people in the medical field are characteristically time-starved and focused on patient care. That means they often find it difficult to fit security training into their schedules or understand why it’s relevant.
St. Luke’s University Health Network received recognition from the American Hospital Association for its all-encompassing data security strategies. St. Luke’s sends out a quarterly scenario for employees to go through and see why cybersecurity matters. That approach is reportedly working well, probably because it keeps hospital workers’ valuable time in mind.
Ransomware Attack Mitigation Is Getting Better
The news about health care and cybersecurity is not all bad. An investigation about efforts to implement ONC SAFER Guides — which include updated material about stopping ransomware — found that hospitals are taking the recommended strategies against seriously.
Although only 18 percent of the hospitals studied showed complete adoption, more than 81 percent fully implemented the infrastructure-related guidelines.
The recommendations aim to prevent and reduce downtime of critical hospital systems. When the guidelines are in place, fiascoes such as the one experienced by the previously mentioned Californian facility should become less prevalent.
A Collective Effort Is Necessary
The most effective cybersecurity strategies are ones applied across organizations. Since many hospital systems span across states and countries, keeping everyone on the same page isn’t easy.
Exercising compliance is not enough. Instead, all people associated with respective health care organizations must work together to reduce the damage caused by cybersecurity shortcomings and promote improvements.