Developments in technology continually improve the way business is conducted. Improvements to bandwidth, connectivity, remote devices, and mobile accessibility have enabled the transfer and management of information. One such sector that has experienced significant reform through technology is healthcare. National databases have enhanced the transfer of patient information between treating physicians, hospitals, and clinics, and the treatment of patients has been improved through portable medical device inventions.
It’s no question that our healthcare professionals perform an amazing and strenuous job, providing care and lifesaving capabilities to the community. While the healthcare sector has been enabled by improvements to technology, there is the risk that their efforts can be harmed by technology too. In February this year, the Cabrini Hospital in Melbourne had 15,000 medical files encrypted with ransomware. The hospital paid the ransom, but many patient files were unrecoverable (1). Criminals are also heavily targeting medical devices. It is so widespread it has been given a name, “MEDJACK”, or “medical device hijack”. In these scenarios, criminals utilise medical devices, connected to the internet or internal network, as a means of stealing sensitive information. More concerning, however, these types of attacks may also endanger the lives of patients, by hacking into life support equipment or pacemakers (2). So, with multiple attack vectors and threats, it becomes challenging for healthcare employees to mitigate these threats.
The healthcare industry has consistently been the worst breach offender since Australia’s data breach laws came into effect (3). They are the only industry with over 50% of data breaches caused by human error (4). The average cost when a record is stolen is three times as great as other sectors, which makes security awareness critical in protecting sensitive information (5). However, healthcare workers show a below-average knowledge when it comes to security awareness and are twice as likely to enter sensitive information when prompted (6). Large-scale attacks by cyber criminals are not the issue; the fact is that many breaches are caused by human error; however, the cause is more complacency than accident and, that’s what cyber criminals are counting on.
A cost-effective solution
Implementing the latest technical controls can be time-consuming and expensive, and requires a clear strategy. Furthermore, it requires resident subject matter expertise to facilitate. When there is no strategy and a lack of understanding as to why a technical control is implemented, it becomes little more than a stand-alone procedure open to exploitation. It is critical that organisations take a proactive approach to protecting their critical assets. The Economist Intelligence Unit highlights that a proactive security strategy reduces the likelihood of a breach by 53%. However, being proactive doesn’t mean applying expensive technical controls in a scattered “catch-all” approach. By following some simple, cost-effective steps, healthcare organisations can significantly improve their resilience to cyber threats. Here are ARX Risk’s top ten tips.
Many security and risk management companies provide this as a free service. It will identify where existing vulnerabilities are, and the current state of cyber security maturity within the organisation. Without a benchmark, it is difficult to measure improvements.
Conduct a working group to determine what information is most critical to the organisation. Then identify where that critical data is located, who has access to it, and how it is accessed.
The executive team must implement a security strategy, communicate that strategy, and then empower the workforce to manage and drive it.
All critical data should be encrypted. There are numerous free encryption tools available.
Multi-factor authentication (MFA)
More often than not breaches occur through weak password policies. MFA is an absolute must.
Develop an inventory of all devices connected to the internet, configure those connections by implementing application whitelisting, secure browsing, virtual private networks, password management tools, and restrictions to Wi-Fi and Bluetooth.
Privileged access management
Not everyone needs privileged access. Control the access tightly and actively monitor who has accessed what data and when i.e. monitoring and logging.
You are only secure as your weakest link
Third parties such as managed service providers (MSP) need to be held accountable. The Australian Cyber Security Centre has a list of questions on their website that organisations can ask of their MSPs. If they can’t or won’t answer them, then it’s time to find a new provider.
Staff awareness training
A cyber breach is more likely to be caused by human error than by a technical issue. A comprehensive training program will significantly mitigate both the chances and impact of a breach.
Rehearse, rehearse, rehearse
Having a regularly tested plan in place is critical to limiting the effects of a breach such as regulatory fines, damage to reputation and financial losses.
The healthcare sector is under constant attack from criminals and insiders looking to exploit valuable, sensitive information. It is not a matter of IF a breach is going to occur but rather WHEN. Therefore, the healthcare sector must enact more robust measures that proactively secure critical data, mitigating identified risk with a clear strategy, which is supported by an educated workforce and security controls that have been implemented in the areas that matter most to the organisation.
5. Ponemon Institute – “2018 Cost of Data Breach Study: Global Overview”dated July 2018.
6. Proofpoint – “State of the Phish Report”, dated January 2019