With the progressive electronization of medical records hospitals and ambulatory surgical centers have become gold mines of patient information that when improperly secured can cost centers hundreds of thousands if not millions of dollars.
Cybercriminals are targeting healthcare organizations because of the wealth of knowledge that is stored and transmitted. Hospitals have names, addresses, Social Security Numbers, billing information and much more stored away at the click of a button and logically connected to every other technology sharing the network.
A small unaddressed hole in a network or a misconfigured link could become the dreaded point of intrusion and ultimately jeopardize patient information. These types of events can take a large chunk out of the center's bottom line, but a cybersecurity attack also erodes the patients' and the public's' trust which could have dooming, longer term effects.
COO/Managing Director of New Jersey-based iThreat Cyber Group, Inc., Jim Emerson shared some observations regarding cyber threats based upon common problems he sees among the clients they have helped and offered some fairly basic solutions to help mitigate a substantial amount of cyber risk exposure.
In many of the victim systems and networks which Mr. Emerson has investigated one common causative factor was apparent: cybersecurity was delegated by senior management and not managed with the same granular awareness, measurement, priority and constant urgency as the corporate business logic and operations demand. To establish meaningful advantage, organizations must understand their cyber risk and respond with continuous diligent cyber security just as they run the core business and not as a necessary but ancillary requirement.
When a company sets out to enhance their cybersecurity, they must begin with an honest and cyber threat informed risk assessment inclusive of information, technology and human stakeholders. What is real risk, what does it expose, does it map to a viable threat, and what alternatives exist to mitigate these risks. This includes consideration and testing to determine if there are active or latent treats already in place. This provides the continuously updated foundation for company-wide information and technology security policies, safeguards, continuous reevaluation and update; minimizing the risk of successful or serious attacks.
Information security is not just about data and technology, they must reduce and attempt to eliminate the human element at risk. A significant number of attacks are starting with low technology schemes via an interaction or communication with a human; some security reports have estimated more than 70% of attacks in recent years began with an email. Email attacks can contain malicious software as attachments, however just as likely infection or compromise of credentials occurs via a link in the email or interaction with a malicious website as a result of a link sent.
Mitigating unwitting human support for these type cyberattacks would result in a substantial gain in cybersecurity safeguarding effectiveness of the average organization with relatively simple and low cost measures; user training.
Hospital administrators, physicians and other health care personnel are so focused on patient care that cyber security is not the first thing on their mind.
Another measure for increased mitigation of cyber risks requires an increased understanding of how an organization's enterprise works, the measured risk derived from connecting various and disparate technologies and data together, and the ability to effectively segment high value data from high risk technology. Most organizations have relatively limited up to the minute understanding of how their networks function regarding cyber risk; where critical data is in use, in transit and even stored.
Mr. Emerson indicated this must be mapped for non-technologist decision makers just as medical administration regularly reviews patients’ medical information to visualize problems or improvement in key areas.
These are simple and relatively modest costing mitigation strategies that every organization can afford, master, and become diligent in practicing; training users, granular understanding of risk, and segmenting high value data from higher risk environments. Mr. Emerson said, "I think that executives can greatly enhance their cyber safeguarding posture for very little expense. Even if it's something as simple as putting a reminder to employees in every email."
Understanding the risk technology poses to your data is a crucial step needed to eliminate that risk. But you cannot just assess and relax, you must do it constantly; monitor, assess, and adjust continuously.
"What you cannot see or understand can hurt you," Gastroenterologist Rajiv Sharma, MD, says. "That's why it would be prudent to have security and cybersecurity education a part of employee orientation."
Addressing cybersecurity can be prioritized and done in descending risk based segments. By tackling the biggest risks a healthcare facility has in their network first, an organization's security situation can gradually improve over time, until it is eliminates most of the risk posed to an organization.
Although daunting at first glance, securing healthcare facilities is not an insurmountable or an extravagant task, and it's generally less expensive to tackle before an attack happens then after an attack happens.
This is a strong push at the Capitol Hill with regards to cybersecurity in the healthcare industry as evident by Social Security Number Removal Initiative, Mr. Emerson says.
MACRA requires insurers to remove Social Security Numbers from Medicare cards. By removing the SSN, providers can protect private healthcare and financial information and federal healthcare benefits and service payments.
"Cyber awareness is the key for us to protect ourselves in future," Mr. Emerson says.
For queries and guidance call Dr. Sharma at 812-250-6662.
More health news:
AmSurg creates training program to certify staff in scope reprocessing: 4 notes
Valeant Pharmaceuticals increases drug price by 2,700%+ in 1 year — 6 insights
Anthem & Cigna walk a different line to regulatory approval than Aetna & Humana; but will this make a difference in the end?