October is Cybersecurity Awareness Month, follow the conversation and do your part #BeCyberSmart.
Follow us this month as we engage our health IT community in cybersecurity awareness.
This is week 1 and the theme is Be Cyber Smart. We have engaged Fortified Health Security to share insights on this week’s theme.
By Dan L. Dodson, CEO, Fortified Health Security
Twitter: @FortifiedHITSec
A strong cybersecurity posture guards against the most prominent cyber threats in healthcare, but the framework used should also scale to meet new threats. As National Cybersecurity Awareness Month kicks-off, here’s a look at a few types of attacks many cyber criminals are deploying against our healthcare ecosystem along with four ways every healthcare organization can leverage to mitigate and respond to the latest threats targeting healthcare.
Newly emerging cyber threats
Cyber criminals are using increasingly sophisticated tactics to access healthcare data, and this is occurring on a global scale. In 2021 alone, several new types of cyber attacks on healthcare organizations have emerged, as malicious actors continue to target organizations from new angles:
- Cloud Vendor Attacks: Cloud computing and storage alternatives to local computing and data storage have numerous native security capabilities which can be configured and implemented to produce a secure solution. However, cloud vendors are not immune to cyber attacks. Recent reports highlight ransomware attacks against several cloud hosting services. In this type of attack, cyber criminals compromise healthcare records and demand a ransom in exchange for the data. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has linked breaches of hundreds of thousands of patient records to this group of attacks.
- Targeted Phishing: Phishing attacks have long been a threat to the healthcare industry, and cyber criminals continue to up the ante when using this tactic. Industry reports show a new type of phishing attack that targets unemployed professionals on LinkedIn. The emails contain links to available, yet fake, job postings. When the victim clicks the link, the script takes over the user’s computer.
- ePHI Exposure: Electronically protected health information (ePHI) is at the center of healthcare cybersecurity, and hackers are engineering new attacks to obtain this data. A group of recent cyber attacks involved a vendor whose employee uploaded ePHI to the website GitHub, potentially exposing information like patient names, addresses, social security numbers, healthcare data and dates of birth.
Mitigating threats with a robust cybersecurity framework
News of recent cyber attacks can be overwhelming, and it may feel impossible to stay on top of all the latest threats. While each healthcare organization is at a different point in its cybersecurity journey, with a flexible and comprehensive cybersecurity program, organizations can fight back against these malicious actors. Here’s how:
- Prioritize Cloud Security: Around 83% of healthcare organizations currently use cloud computing services, and this number is set to increase over the coming years – positioning the cloud as an ever-growing target for cyber criminals. Healthcare organizations need to be sure that its cloud security programs are up to par, while paying close attention to factions like IoT cloud security.
- Protect your Endpoints: Remote work environments have greatly increased the number of endpoints that need protecting. Scanning the network, flagging risks, identifying vulnerabilities, and mitigating threats is a process that healthcare organizations should repeat daily. The combination of security information and event management (SIEM), endpoint detection and response (EDR) / managed detection and response (MDR) and a mature vulnerability management program strengthens your organization’s threat response planning. However, before purchasing new technologies, consideration for how the organization will operationalize it to extract the most value and maximize protection should be examined.
- Run a Managed Phishing Simulation: An organization cannot control phishing attacks, but it can improve awareness and how employees respond to these threats. Healthcare organizations should work with cybersecurity firms to run managed phishing simulations while educating employees on recognizing phishing attempts.
- Third-Party Risk Management: Almost all healthcare organizations work with numerous third-party vendors to complete daily tasks. From IoT device manufacturers to email providers, all vendors’ security practices affect the overall security of the healthcare organization. A third-party risk assessment tool and resources to manage the outputs of the tool is a must-have for vetting and managing vendor partnerships.
- Review Your Incident Response Plan: When it comes to healthcare cybersecurity, prevention is more than half of the battle. However, security breaches do happen, and how an organization responds makes all the difference. Regularly reviewing the organizations response plan and teaming up with a cybersecurity consulting firm to review this plan and adjust protocol based on your organization’s needs is key.
Cyber attacks happen to organizations of all sizes, and prevention is vital when facing new and existing threats. Cybersecurity is not a one-size-fits-all approach, nor is it a one-time fix. Healthcare cybersecurity requires ongoing diligence to protect patient data, and it is imperative that healthcare organizations approach cybersecurity from all angles.