In 2016, the U.S. saw a record number of data breaches. As the methods that hackers use become more complicated and difficult to combat, organizations are being forced to rethink their approach to cyber security awareness. Healthcare has become one of the most highly targeted industries for hackers. The industry has seen a sharp rise in the number of data breaches over the last five years and is forecasted to continue growing in years ahead.
Healthcare represented an astounding 34.5% of all data breaches, meaning that 1 out of 3 data breaches that occur in the U.S. is targeted at the healthcare industry. Social Security numbers, health records, emails, and insurance information are just a few of the data points that healthcare providers collect for their patients. Cybercriminals see this as an opportunity for profit and launch frequent attacks on healthcare providers.
In 2016, victims of healthcare identity theft paid an average of $13,500 to resolve the crime. Well aware of this figure, hackers have started collaborating with each other and running their operations like a full-time business. As the value of the breached data become higher, the more creative cybercriminals become in their attacking methods. In the past, anti-virus software, firewalls, and anti-malware software were enough to protect an organization from a cyber-attack. Today, hackers are using alternative methods to breach an organization through phishing (also check out spearphishing here), malvertising, shadow IT, and digital footprint. Implementing proper security measures to ensure protection from hackers requires small healthcare organizations to goes well beyond the minimal HIPAA requirements.
As breaches in the healthcare industry become more frequent, providers must begin to take an offensive cyber security approach. Some measures that small healthcare providers can do to mitigate their cyber security risk are discussed below:
One of the easiest ways for hackers to infiltrate your organization is through a simple phishing campaign. Cyber-criminals send out emails to employees within an organization in efforts to get someone to click a malicious link or website within the email (also see malvertising). When clicked, these malicious links can give the hacker access to an individual's social media accounts, email, and sensitive company data. To prevent this, health care providers should train and educate employees to recognize these types of emails in a controlled phishing environment, often run by an IT Director or system administrator. This will teach employees to spot these malicious emails before they can click a malicious link.
Digital Footprint Scan
Believe it or not, your employee usernames, passwords, and emails are likely accessible online somewhere. (Don’t believe me? Check out this tool and see for yourself) This information often becomes available through data breaches independent of your company. Hackers often publish large databases of user information online and make it available to the public. Healthcare organizations should perform regular digital footprint analysis (Every 60 days is a good benchmark) to ensure that sensitive employee data such as emails, usernames, and passwords are not exposed.
Monitor Shadow IT
As cloud computing becomes more popular, It is important for companies to oversee which employees/vendors have access to each cloud application. Does a former employee still have access to a patient database? Did a vendor who has access to your financial data get breached, and more importantly, is your data safe? Shadow IT services allow administrators to detect all of the applications that are being used in an organization. This is especially important as more and more organizations use BYOD policies for company related work. Healthcare providers that implement Shadow IT services are taking proactive steps to minimize their cyber security risk.
HIPAA requires that all electronic personal health information (ePHI) must be encrypted. Regardless of the requirement, all files should be encrypted! Last year, 400,000 PHI files were compromised (read the full story here) from a laptop which was not encrypted at the time. Moral of the story: encrypt, encrypt, encrypt.
Required Password Changes
Employees often use the same password for all of their accounts. This means, if a hacker can get ahold of an employee’s LinkedIn credentials, they might be able to get access to your company data as well. Make sure to have employees use different passwords for different applications (Strong password examples can be found here). Keep in mind, that requiring password changes too often will result in employees creating weaker passwords to begin with. Encourage those within the organization to create a strong password and change it annually on a special date such as a birthday, anniversary, etc.
Securable can help you cultivate organizational awareness and stay vigilant against modern cyber threats.