Healthcare is unlike any other industry when it comes to cybersecurity. Criminals are prepared to take full advantage of the vulnerable nature of healthcare, as people are far more likely to comply if the threat relates to their private information and well-being. In fact, the end of 2020 saw a 45% increase in cyber attacks on healthcare organizations globally. What’s more, the pressure from legal regulations, including GDPR and HIPAA, is also a big motivation as most companies would struggle to pay the fines should they experience a data breach with subpar defenses in place.
As with most industries, the pandemic threw a major wrench in IT as many workers had to switch to working from home. Whilst this wasn’t the case for all healthcare employees, institutions still had to accommodate for remote working – something they didn’t necessarily have to previously consider. The VPNs they had in place were therefore not up to the job and became significant gaps in the companies’ defense line, creating more avenues for cyber criminals.
Money also became a significant factor in the development of cybersecurity practices. Many smaller medical institutions lack the budget to implement a state-of-the-art security system – and criminals are well aware of this. For this reason, smaller companies tend to have larger targets on their backs, as hackers know that their defenses will be weaker and easier to break through. Understanding the biggest pieces of the healthcare data security puzzle will help pave a secure future for institutions and their patients.
Migrating to the cloud is often the first step organizations take on their journey to digital transformation. The greater flexibility, accessibility, and security the cloud offers are attractive features for businesses, but there are still some barriers that hinder the progress made in healthcare. Often, it’s the well-established healthcare organizations that are less willing when it comes to cloud adoption, as they have several legacy systems in place that may not necessarily align with the cloud. These systems often include outdated data centers that do not line up with the latest security updates, subsequently leaving them vulnerable to breaches. The task of transferring the data from the old systems to the cloud is no mean feat, given the sheer number of files collated over the years. In their minds, they have already invested so much into their data centers that to undergo the transition to the cloud may seem an unnecessary effort and expense.
However, newer organizations start off in the cloud, meaning there is less effort involved in the implementation process. The cloud is popular among start-ups, for example, as they don’t necessarily have the expense and manpower needed to manage a data center, nor do they rely on other legacy systems. However, the cloud still presents plenty of opportunities for hackers if these institutions fail to deploy the necessary security measures.
While the cloud can offer businesses a whole host of benefits it also adds a new layer of complexity for security teams. Maintaining high levels of security across the entire business network becomes significantly harder when teams have to locate and secure data dispersed across several environments.
One of the largest threats, however, is the false sense of security that often comes with a secure perimeter around the cloud. Organizations must treat the cloud as another physical extension of the business, so that it receives the same securities as a data center. Yet, some organizations believe that if their outside perimeter is secure, with the use of firewalls and other security defenses, then the networks inside are just as safe. Unfortunately, this is not the case. Phishing emails and other forms of threat vectors can grant adversaries access inside – and hackers are getting more sophisticated in their techniques, with some attacks able to bypass the more advanced email security systems. Alternatively, insider threats such as disgruntled employees can cause significant damage through leaked private credentials or other confidential information.
Healthcare institutions should also be aware of third-party risks. Just because your security may be up to the job, doesn’t necessarily mean your supply chain has applied the same precautions. And the impact can be just as devastating. For instance, earlier this year, San Diego Family Care experienced a data breach in which the sensitive data of 125,000 patients were compromised. The breach hadn’t occurred from their side of the business but instead through their cloud provider. Despite this, regulations meant that they were still held accountable and had to pay out insurance to cover the individuals whose data had been compromised.
Another pitfall that healthcare organizations must avoid is the assumption that compliance means security. Aligning with the requirements set out by regulations – such as GDPR and HIPAA – protects businesses from incurring fines should a data breach occur, but it does not necessarily ensure the appropriate defenses. It can very easily become a box-ticking exercise that is carried out at the appropriate times, but then not revisited.
Teams should take the opposite approach – a secure system will ensure compliance. The regulations are put in place to encourage businesses to deploy the necessary defenses against cyber attacks, not to settle for the minimum option.
So, what are those necessary defenses?
There are several practices that medical institutions should consider for their security, and none of them need to break the bank. Multi-factor authentication (MFA) will add an extra layer of protection around confidential data and anything outside the organization. Whether it’s the VPN, email accounts or web applications, MFA can help defend against the onslaught of attacks.
While vulnerability scans will only tell you which points of your system are vulnerable, penetration tests involve human workers taking this a step further and actually attempting to hack into your system to see how far they get. Understanding not only what type of vulnerability is present but also how far a vulnerability extends is what will help tighten defenses in the long run.
The most important takeaway for healthcare organizations is that every section of the network needs to be protected, not just the outside perimeter. The rate at which cyber-attacks are evolving means that it is impossible to foresee the threats around the corner. We can never truly predict how someone will try and access the network, so it’s important to apply an appropriate level of security across the entire system. When responsible for the security of thousands of confidential data files and maintaining patient trust, healthcare institutions need to be encircling their own cloud systems with sufficient security solutions, but also engaging in conversations with their third-party suppliers to ensure that all entry points to the network, including those from the supply chain, are covered.
Regardless of business size, the healthcare industry will remain one of the most lucrative targets for cybercriminals – and the industry needs to be prepared to meet the assailants head-on.