“Health care records are valuable on the black market.
Most people don’t realize how valuable medical information is. But criminals do.”
“It’s quite simple, really,” explains Barbara Ciaramitaro, PhD, CISSP, CSSLP, PMP, chair of the information technology undergraduate program at Capella University. “Criminals know that health care data can often mean a matter of life and death, and therefore health care organizations will pay handsomely to get it back.”
So if health care organizations are such a ripe target for cybercriminals, why do they remain so vulnerable? Ciaramitaro says it’s the result of a perfect storm of factors.
First, with the push to make health care records electronic, real time, and accessible, health care institutions have over-prioritized that connectivity relative to security. In essence, their security protocols have not kept pace with the rush to digitize health care data.
Second, the current war for IT talent, particularly for professionals expert in information security and assurance, means many health care organizations simply can’t compete to recruit the expertise they need to develop systems that appropriately defend against cyberattacks.
“We have some very highly connected electronic medical records and facilities today, but we have not built equally strong security around those networks,” Ciaramitaro says. “When you create connectivity, you also open up a vulnerability. We have to solve for that.”
What does that solution look like? Ciaramitaro provides the following four strategies for health care organizations to beef up their cyber defenses:
1. Emphasize basic security hygiene.
Simply put, employees of health care organizations are both the greatest defense against hackers and the greatest vulnerability. It all comes down to basic information security “hygiene,” Ciaramitaro says. She highlights that phishing emails can be the delivery vehicle for ransomware attacks.
“This is how cybercriminals most often get in, through lax attention to security threats by frontline employees,” Ciaramitaro explains. “Robust and continuous training for all employees on what suspicious emails look like and what to do if they encounter them is critical. This training would eliminate the vast majority of cyberthreats to health care organizations. It sounds simple, but just don’t click on unknown emails.”
2. Secure networks and equipment.
Too often, health care organizations have IT systems that are not kept up-to-date. That represents a serious vulnerability. “For example, many cyberattacks zero in on flaws in operating systems that may have been patched improperly,” Ciaramitaro says. “It’s very easy for cybercriminals to scan for those vulnerabilities, and once they become aware of them, it becomes easy hunting.”
She adds that too often health care organizations don’t segment their networks. That is, all of their systems are connected and accessible to each other without any bulwarks. “If an organization doesn’t segment their networks, it makes it impossible to isolate an attack to just one area,” Ciaramitaro says. “Having the ability to isolate an attack is so very important. Doing so creates an environment of resilience, meaning an organization can withstand an attack and keep operating.”
3. Be wary of “medjacking.”
The phenomenon of medjacking, or hacking into actual medical devices, is frightening and frustrating as health care organizations are limited in their ability to defend against it.
“We are living in the time of Internet of Things, and those things include medical devices,” Ciaramitaro cautions. “It’s scary to think about, but criminals are now able to hack into medical devices like pacemakers and insulin pumps. The good news is that this has gotten the attention of the FDA, which has started to release guidance to medical device manufacturers.”
So what is a health care organization to do? While they typically don’t develop the medical devices themselves, they can advocate for increased security for those devices and ask hard questions of medical device manufacturers.
4. Cultivate existing talent.
In today’s low-unemployment environment, U.S. health care organizations are finding it difficult to compete for the kind of top-notch cybersecurity talent they need to defend against sophisticated cyberattacks. So what should they do?
“Rather than throw in the towel, smart organizations are looking inward and making an investment in their existing people,” Ciaramitaro says. “They have employees that know health care well, so there is an emphasis now on identifying employees who have the aptitude and interest to become expert in cybersecurity. It takes a significant investment, but I encourage leaders of health care organizations to develop this sort of specialized expertise within their own staffs. When done well, there is no better place to look than your own staff to fight this fight.”
The threats posed to health care organizations by determined cybercriminals will continue to evolve. By implementing the strategies highlighted above, health care organizations can be in a position to put up a robust defense and remain focused on improving patients’ lives.
Health IT professionals don’t have to look far to find knowledgeable industry resources and content. If you’re interested in exploring an education in health care IT, learn more about Capella University’s Bachelor of Science in Health Care Administration, Health Information Management program.