The first few weeks of January always seem to be accompanied by an influx of new cybersecurity trends, forecasts, and concerns. As expected, 2018 has followed this pattern—and with the need for secure patient information growing ever more critical and the arrival of GDPR in May, it’s no surprise that healthcare experts are deep in conversation about the pitfalls organizations might face this year.
What to expect from this blog:
In this blog, we’ve recapped five of healthcare’s biggest cybersecurity concerns for 2018. Use the following sections to learn which vulnerabilities you should be aware of, then read the related resources for information that may help your organization plan for these forecasts … or avoid them altogether.
Let’s get started!
1. Cybersecurity attacks are rising, and 2018 might be the worst year yet.
By now, everyone is aware that cyber attacks and data breaches are omnipresent risks in healthcare—and hackers often seem one or two steps ahead of our preventative attempts. Organizations are working hard to catch up with these threats, but that doesn’t keep industry experts from anticipating a breach this year.
According to a recent survey from Ponemon Institute, 67% of CISOs believe a cybersecurity attack will happen to their organization in 2018. As attacks get harder and harder to decipher (unlike the golden days of foreign princes offering you money), this survey reports that the majority (65%) thought a careless employee would cause a breach, followed by concerns over ransomware attacks and patient data being compromised at a large scale.
It’ll take time to address every concern listed in Ponemon Institute’s survey, but when it comes to the 65% who worry about their employees, you don’t have to be one of them. This blog covers everything you need to know about how implementing a security awareness program can make employees your strongest—rather than your weakest—defensive players.
Read This! The Benefits of Empowered Employees: Why a Good Security Awareness Program Matters
Meanwhile, for those worried about compromising thousands of patient records during a data breach, this scenario (and many like it) can be avoided through the right precautions. Get started today: use these eight tips to implement strong security practices and avoid a data breach.
Read This! 8 Ways to Protect Your Healthcare Organization from a Data Breach
2. Healthcare organizations are worried about ransomware/malware.
HealthIT Security writes that in 2017, “78 percent of [healthcare] providers report[ed] that they experienced a healthcare ransomware or malware attack.” Because of how successful these attacks have been, many expect they’ll increase in 2018, leaving providers uncertain about how to address the possibility of a ransomware and malware infiltration.
Identify EHR vulnerabilities
Unfortunately, Electronic Health Records (EHRs) can be affected by ransomware. Blocking ransomware and malware attacks requires broad preventative measures like employee training, properly configured firewalls, secure systems, and strong access management policies (more on that under item 4), but you can also protect your EHRs from infection through data encryption and periodic backups.
EHR backups are one of HIPAA’s many compliance requirements; if you haven’t already, make them a priority. Take some time to create copies of your database. Update them frequently—and store them offsite, just in case an attack cripples your current infrastructure. When you’ve built policies and processes around these backups, add them to your incident response plan so you can refer to them in an emergency.
Don’t have an incident response plan yet? Create one using this blog of templates and resources.
Read This! Data Breach and Incident Response Plans | 2017 Templates & Resources
Protect your IBM i data
If you use Windows systems, you already know your environment can be affected by ransomware and malware. But if you use IBM systems or servers in your organization, like many still do, it’s easy to fall into the trap of thinking that these attacks (and similar viruses) can’t affect you.
Unfortunately, that just isn’t true.
Read these blogs to learn how malware and ransomware can hurt your IBM i data, then take the free virus scan at the end to check your IBM i (or Linux or AIX) systems for compromise.
Read This! Is Your Data REALLY Safe on the IBM i (AS/400)?
Read This! Malware, Ransomware, and Viruses vs Your IBM i Server
Free Virus Scan: Check Your IBM i, AIX, and Linux Servers for Threats
3. Unsecured health systems are vulnerable to compromise.
Healthcare organizations juggle hundreds of important responsibilities a day. They provide their patients with top-notch care, secure their technology from life-threatening risks (like power outages or equipment failure), and do everything else that comes in between.
With all these tasks to focus on, many haven’t been able to update their systems and equipment. Providers want to secure their data with the best possible technology, but investing in new equipment, software, and hardware can cost a pretty penny. On the other hand, a well-placed attack on an area of weakness can cause a breach that costs even more than investing in up-to-date systems would have.
Read More: Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits | Medical Devices are the Next Security Nightmare
“Healthcare facilities make extensive use of legacy systems,” writes Harvard University in this report. “In fact, numerous hospitals still rely on devices that have reached their end-of-life or that are no longer supported.” What does that mean? While keeping old equipment may save money in the short term, if any of your systems are outdated or unsecured, including that one printer staff rarely use, a well-aimed cyberattack could sneak into your network and cause havoc.
Our suggestion? If you can’t afford to purchase new devices, ensure the ones you have are all up to date on the latest security patches. It may also help to create a map of your devices, so you can tell where you may have gaps and vulnerabilities in your network.
4. Organizations lack cybersecurity policies and audit processes.
As healthcare technology changes due to evolving patient, vendor, and employee needs, so should cybersecurity policies and audit processes. However, this piece can be easy to overlook—and it’s become an issue that needs to be addressed in 2018.
According to Healthcare IT News and the PwC Health Research Institute, “while 95 percent of provider executives believe their organization is protected against cybersecurity attacks, only 36 percent have access management policies and just 34 percent have a cybersecurity audit process.” This means that two in three organizations don’t have the right plans in place to ensure their data is safe.
Create cybersecurity policies
Good cybersecurity policies are important. In fact, you likely already have some implemented in your organization. But as the stats suggest, over 60% of providers lack an effective Identity and Access Management (IAM) policy, leaving them wide open to risks from inside threats like careless employees, vendors, and users.
We recommend reviewing your current IAM policy to ensure all your gaps are covered. The following blog discusses five recommendations from the DHS’s OCR (Office of Civil Rights) that you can use to get on the right track.
Read This! 5 Ways to Fight Internal Health Data Breaches
Audit your organization
To combat any business vulnerabilities you might have, your organization should strive to complete frequent risk assessments. This is already a requirement of HIPAA and HITECH compliance. However, it doesn’t hurt to also conduct them during specific events, like when introducing new third-party vendors, adding new locations or offices, or integrating new devices.
There are different ways to run a risk assessment. You can run it manually, but this is typically a resource-heavy process and leaves room for error. You can also use software to automate your evaluations. Good software will track activity logs, encrypt files, give you control over your keys and certificates, and let you build reports on important system information. An even better solution, like managed file transfer, will do all that for your Windows, Linux, and IBM i systems—and help you meet HIPAA compliance requirements too.
Read This! Why Healthcare Organizations Need a Managed File Transfer Solution
5. Patient records could be maliciously altered, causing serious damage.
As cyber attacks evolve with today’s growing technology and devices, industry experts are concerned that hackers will change their strategies for getting at patient data. Instead of holding patient data hostage, some organizations are worried that attackers will tamper with records to falsify their information.
Falsely altered records mean more than compromised data and financial ruin. According to this article on the vulnerabilities of unsecured systems and health devices, “hackers can change medical record information on allergies, diagnoses, or doses of prescribed drugs. Incorrect information on even one medical record could be fatal.”
So, how does an organization safeguard against this sort of attack? Having audit policies in place to watch for unauthorized changes made to patient records is a start. By using a solution that scans activity logs for any out-of-place adjustments, you can be alerted to strange additions and quickly catch a problem (internally or externally created) before it escalates.
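One way such an audit check could look, as an added example (not code from this blog or from any product it mentions). The CSV log layout, the user and patient names, the care-team mapping, and the business-hours window are all assumptions constructed for illustration; the flagged fields are the ones named in the quote above.

```python
import csv
import io

# Constructed sample audit log (assumed CSV export; not a real EHR format).
AUDIT_LOG = """timestamp,user,patient_id,field,old_value,new_value
2018-01-15T09:12:00,dr_lee,P1001,allergies,none,penicillin
2018-01-15T09:40:00,nurse_kim,P1001,phone,555-0100,555-0199
2018-01-16T02:47:00,svc_backup,P1002,dose,5 mg,50 mg
2018-01-16T10:05:00,dr_lee,P1002,diagnosis,asthma,COPD
2018-01-16T11:30:00,dr_patel,P1002,dose,50 mg,5 mg
"""

# Fields the article singles out as dangerous to falsify.
SAFETY_CRITICAL = {"allergies", "diagnosis", "dose"}

# Assumed mapping of patients to clinicians allowed to edit clinical fields.
CARE_TEAM = {"P1001": {"dr_lee"}, "P1002": {"dr_patel"}}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59, an assumed local policy


def flag_suspicious_changes(log_text, care_team=CARE_TEAM):
    """Return (row, reasons) for each safety-critical edit that needs review."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["field"] not in SAFETY_CRITICAL:
            continue  # demographic edits are out of scope for this check
        reasons = []
        if row["user"] not in care_team.get(row["patient_id"], set()):
            reasons.append("editor not on care team")
        hour = int(row["timestamp"][11:13])  # HH from ISO 8601 timestamp
        if hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((row, reasons))
    return alerts


if __name__ == "__main__":
    for row, reasons in flag_suspicious_changes(AUDIT_LOG):
        print(row["timestamp"], row["user"], row["patient_id"], row["field"],
              row["old_value"], "->", row["new_value"], "|", "; ".join(reasons))
```

Each alert keeps the old and new values so a reviewer can confirm the correct entry against the chart; this only works if the audit log itself is stored where the accounts being monitored cannot edit it.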
We also suggest following these four security strategies to protect EMRs from malicious tampering.
Read This! 4 Ways to Protect Information in a Data-Driven Healthcare System
Do you share these 2018 cybersecurity concerns?
Stay ahead of today's ever-changing threats. Protect critical data with these automated security solutions.