
Since October is Cybersecurity Awareness Month (both domestically and internationally), we’ve been taking a look at the inherent risks of certain new technologies, and how to take a safe, intelligent approach to deployment or installation. At the beginning of the month, we discussed how “smart” buildings can also be safe buildings; this week, we’re turning our attention to another critical use case: cybersecurity in health care.
Why It Matters
Like any new technology rollout or a business process change, instituting new cybersecurity measures can be challenging, both financially and time-wise. Robust solutions are expensive, and identifying the best available option can require a lengthy, comprehensive needs assessment. When it’s ready for deployment, extensive employee retraining may be necessary. More intractable employees may be lax in their adoption of new principles, viewing them as a time-wasting inconvenience.
However, the cost of inaction far outweighs that of any investment. First of all, attacks are more prevalent than you might think: a white paper from Protenus reports that 90% of hospitals have experienced some sort of breach in the preceding two years. In total, these breaches cost the health industry as a whole $6.2 billion, with an average of approximately $4 million per incident. The costs incurred include HIPAA fines, lost business, lawsuit settlements, and more. Simply put, cybersecurity is a matter far too prevalent and expensive to overlook.
How You Might Be Attacked
According to a report cited by HIPAA Journal, ransomware and banking trojans are the most common forms of cyberattacks on health care organizations. Ransomware is malicious software that may lock your computer or device until a payment is made (often in the form of cryptocurrency). Banking trojans are designed to access patient banking information, and may be distributed via attachments or URLs in emails, often from senders masquerading as trusted contacts.
HealthIT.gov further identifies mobile devices (particularly phones and laptops) as an increasingly viable gateway for malicious attacks. In many cases, these devices use wireless networks, which are more vulnerable to cyberattackers in general. Furthermore, many mobile devices have weaker authentication controls and password protection than their desktop counterparts.
Another source of vulnerability is outdated operating system software on all computers. This weakness was exploited by the infamous WannaCry ransomware attack, which grabbed headlines by affecting over 300,000 computers in May 2017.
What You Can Do
The operational improvements that can enhance your network’s security are relatively straightforward. For example, you can start by making sure all verified security patches and software updates are applied. Furthermore, HealthIT.gov recommends removing all non-essential software from computers and other devices that regularly access and transmit sensitive patient data. This step will reduce the number of potential entry points for cyberattackers.
After that, make sure all devices (mobile and otherwise) feature sophisticated security measures, like two-factor authentication and strong passwords. Harvard Business Review further suggests blockchain-based credential systems and use of biometric data where possible as well.
Beyond these operational improvements, it is imperative to focus on developing a secure culture as well. Educational training must be comprehensive and ongoing, so all personnel (from IT staff to medical professionals) are aware of when and how they might be exposed to threats, and how to take sufficient action to mitigate them.
If you’re looking to upgrade your health care network and are (rightly) concerned about security, you may want to consider the surprising benefits of an open networking model. To discuss how to integrate these solutions into your health care network, contact us today.