Cyberattacks are a growing concern for cybersecurity professionals, who expect the number of attacks to keep increasing. Within the healthcare industry, Internet-connected devices (such as tablets and Fitbit trackers) have become more common. These devices rely on secure networks to keep patients healthy, and if a healthcare provider’s network or cloud is compromised by a cyberattack, its business and its patients are at risk. A lack of cybersecurity awareness and understanding leaves employees vulnerable to phishing schemes and other cyber threats.
Common cyber security breaches in healthcare organisations
Healthcare providers have been worried about these issues for a while, but the pandemic has only made them more urgent. As healthcare organisations recover from the recent attacks and other cybersecurity problems, they must focus on the following areas:
Data protection is essential because it enables individuals to feel confident that their data will be used as they would expect. It also allows them to control how others use the information they share with them, as well as enabling carers and professionals who hold sensitive data to understand what they can do with it and how they can store it.
If healthcare professionals do not protect the sensitive data in their care, they could be subject to fines, penalties, or even criminal charges. They may lose their jobs and earnings, and their reputations might also suffer.
Smart devices / IoT
The IoT, also known as the internet of things, is a global network of devices connected via the internet, allowing them to exchange data. This includes everything from smart cars, smart watches and smart fridges to body sensors and digital pills. IoT devices are often used in healthcare, for example as patient monitors, connected medical equipment or digital medications. If hackers gain access to one of the clouds or networks these devices depend on, they can reach every IoT device attached to it. Healthcare providers and patients can experience devastating impacts if these devices are compromised.
Information security is everyone’s responsibility. Healthcare providers should ensure that all employees, including executives and workers on the front lines, know a cyberattack’s fundamental practices and implications. A cybersecurity awareness program can help address this concern by engaging employees in the conversation about information security.
The NHS cyber attack
On May 12, 2017, a WannaCry ransomware attack affected over 230,000 computers in 150 countries. The United Kingdom National Health Service (NHS) experienced significant interruption, with WannaCry impacting at least 80 NHS Trusts, 595 general practices, five hospital emergency departments and 1,220 pieces of diagnostic equipment. Two months before the attack, Microsoft had released a patch that addressed the security vulnerability exploited in the WannaCry incident.
The attack targeted computers running Microsoft Windows and was successful in infecting systems running older versions that were no longer supported. Approximately 19,000 appointments were cancelled and the financial cost of the incident was estimated to be more than £92m.
Patching: Updating systems and software to protect healthcare information
Ensuring that all devices used for healthcare have up-to-date software and systems is one way to protect sensitive information from being accessed. Applying patches means fixing known security vulnerabilities in an operating system or application. Automating the process makes it easier for organisations to fix these vulnerabilities quickly and to see which devices are still exposed.
The Health Information Security Alliance (H-ISAC), a non-profit organisation, connects health-sector leaders with trusted communities and forums through workshops and campaign events in order to share cybersecurity awareness and threat-intelligence best practices.
In a series of monthly updates, the H-ISAC and Microsoft collaborated in discussions about CVE-2022-21984, CVE-2022-22005, CVE-2022-22003 and other issues affecting Microsoft products in members’ environments.
Also, in 2022 H-ISAC partnered with more than 30 well-known network organisations (including Microsoft and Verizon) at the RSA conference to encourage the development, evolution and implementation of risk-based approaches based on standards, frameworks and best practices. For example, you could look at ISO 27001, which provides a framework for implementing an information security management system.
4 Ways to Improve Security Practices in Healthcare Organisations
By implementing the following 4 components of a cybersecurity program, healthcare organisations can increase the security of their sensitive data:
A healthcare entity should implement MFA at a minimum for security purposes. It is one of the most straightforward security controls to implement, and in many cases it can stop a cyberattack from succeeding. As many as 90% of cyberattacks could be prevented with multi-factor authentication enabled on endpoints and mobile devices.
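To make the "straightforward to implement" claim concrete, here is an added example (not code from the original article) of the time-based one-time password scheme used by most authenticator apps, written in plain Python with only the standard library. The secret below is the RFC 4226/6238 test key, not a real credential, and the verifier class and its method names are this example's own design. The verifier shows the two details that matter in practice: tolerating a little clock drift between phone and server, and refusing to accept the same code twice.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32). Test data only.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1 over a 64-bit counter."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation: low nibble picks the offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time window."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp // step), digits)


class TotpVerifier:
    """Server-side check (example design): accept codes from neighbouring
    windows to absorb clock drift, but never accept a code window twice."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window          # number of 30-second windows tolerated either side of "now"
        self.last_counter = -1        # highest window already used; anything at or below is a replay

    def verify(self, submitted: str, timestamp: Optional[float] = None) -> bool:
        if timestamp is None:
            timestamp = time.time()
        now = int(timestamp // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                               # already consumed: reject replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Reproduce the published RFC 6238 vector for T = 59 seconds, 8 digits.
    print("TOTP(T=59, 8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    verifier = TotpVerifier(RFC_TEST_SECRET)
    print("first use accepted:", verifier.verify("287082", timestamp=59))
    print("replay accepted:   ", verifier.verify("287082", timestamp=59))
```

In a real deployment the per-user secret is generated randomly at enrolment, stored encrypted, and `last_counter` is persisted alongside it so the replay check survives a restart; the example keeps it in memory only to stay self-contained.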
Update your operating system and software
It’s important to apply system and software patches proactively. Keeping up with the latest security patches matters for more than security alone: it ensures you’re getting the most from your IT and closes vulnerabilities before attackers can exploit them. The dynamic nature of the IT environment means that relying on antivirus and anti-malware alone to defend against current and future threats is not sufficient. Remember, patches can limit attacks that exploit known vulnerabilities, but you need to apply them in the context of your organisation’s IT environment.
Find out more about the importance of software patches and take an in-depth look at Patch Tuesday by reading the Overt Software Solutions article, Patch Tuesday: 5 Reasons Why You Should Participate.
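The two patching passages above (automating patch management, and applying patches in the context of your own estate) both come down to one question: which devices are still exposed to a known, fixed vulnerability, and for how long? The following added example (not from the original article or from any vendor tool) shows the core of such a check in Python. Every device, product and advisory in it is constructed for illustration; the advisory ids are placeholders, not real CVE or KB numbers. It also handles the WannaCry-style edge case the article describes: a product that is out of support and will never receive a fix, which is flagged as UNSUPPORTED rather than silently skipped.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '10.0.1903' into (10, 0, 1903) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Advisory:
    advisory_id: str              # constructed placeholder, not a real CVE/KB identifier
    product: str
    fixed_version: Optional[str]  # None: product is out of support, no fix will ever ship
    severity: str
    published: date


@dataclass
class Device:
    name: str
    product: str
    version: str
    role: str


def outstanding_patches(devices: List[Device], advisories: List[Advisory],
                        today: date) -> List[Dict]:
    """Return one finding per (device, advisory) pair that is still exposed,
    most urgent first: highest severity, then longest outstanding."""
    findings = []
    for device in devices:
        for adv in advisories:
            if adv.product != device.product:
                continue
            if adv.fixed_version is None:
                status = "UNSUPPORTED"   # no patch exists; only isolation or replacement helps
            elif parse_version(device.version) < parse_version(adv.fixed_version):
                status = "MISSING"       # a fix exists and has not been applied
            else:
                continue                 # device is at or above the fixed version
            findings.append({
                "device": device.name,
                "role": device.role,
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "status": status,
                "days_outstanding": (today - adv.published).days,
            })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -f["days_outstanding"]))
    return findings


# Constructed sample estate: names, products and versions are made up for this example.
DEVICES = [
    Device("mri-console-01", "ImagingOS", "4.2.0", "diagnostic equipment"),
    Device("reception-pc-07", "WorkstationOS", "10.0.1903", "front desk"),
    Device("reception-pc-08", "WorkstationOS", "10.0.2004", "front desk"),
    Device("legacy-pacs-02", "WorkstationOS-legacy", "5.1", "image archive"),
]

# Constructed advisories with placeholder ids and dates.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "WorkstationOS", "10.0.2004", "critical", date(2024, 1, 10)),
    Advisory("ADV-EXAMPLE-002", "ImagingOS", "4.2.1", "high", date(2024, 2, 1)),
    Advisory("ADV-EXAMPLE-003", "WorkstationOS-legacy", None, "critical", date(2023, 12, 1)),
]

TODAY = date(2024, 3, 1)   # fixed "today" so the report is reproducible


def report(today: date = TODAY) -> List[Dict]:
    return outstanding_patches(DEVICES, ADVISORIES, today)


if __name__ == "__main__":
    for f in report():
        print(f"{f['severity']:<8} {f['status']:<11} {f['device']:<16} "
              f"{f['advisory']}  {f['days_outstanding']} days")
```

The inventory and advisory lists would normally come from your asset register and vendor feeds; the point of the script is the comparison logic and the ordering, which is what lets an automated job raise the oldest, most severe gaps first.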
Review and Enhance Third-Party Security
Researchers have found that third-party vendors are a significant source of security risk, and that companies sometimes neglect to take measures to reduce the risk of a data breach via third parties, which can expose their networks to non-compliance and security concerns. If you have only focused on internal cyber threats, your incident response efforts have addressed less than half of the risks that facilitate breaches.
Review third-party vendors to check on updates to ensure they are still compliant with your organisation’s policies. Improving the security postures of all third-party vendors involves an orchestrated effort between risk assessments and Vendor Tiering.
Increase awareness of cyberthreats
To keep staff safe from phishing attacks and other social engineering, they should be educated about how to identify common cyber threats and previous malicious attack behaviors. Cyber awareness training can be facilitated through webinars or by referencing free cybersecurity resources.