Researchers agree—health care is now one of the top three targets for cyber attackers. No matter what type of health care facility you work in—a large research hospital, clinic, regional medical center, health insurance company, or a company that provides business or clinical services for health care—the data you work with is worth millions of dollars on the dark web. And attackers can hold a hospital hostage, almost instantly halt operations, and disrupt critical medical processes.
Unlike financial data, with its built-in mechanisms for stopping suspicious payments and protecting accounts, personal medical data is immutable. Once it is stolen, the individuals to whom it rightfully belongs are at risk for identity theft, impersonation and financial fraud, without any way to protect themselves.
For health care organizations, data breach costs are high, averaging $355 per lost or stolen record, as compared to the costs for data theft from educational ($246), research ($112), and public sector entities ($80), according to Ponemon Institute’s “2016 Cost of Data Breach Study: Global Analysis.” Moreover, breached organizations often are subjected to lawsuits, which can run costs into millions of dollars. Breaches also can ruin an organization’s reputation and destroy client trust.
Health care organizations should consider cyber protection a top priority. For maximum efficacy, it is best to approach cyber protection holistically.
Fortunately, implementing security best practices immediately reduces the risk of cyber compromise throughout the organization. The five practices described here permit hospital CISOs, CIOs, security team, and IT teams to start protecting valuable data.
Technical, administrative, and clinical staff must understand the importance of practices such as never sharing passwords; avoiding the use of default passwords and system configurations; changing passwords regularly; patching systems to remain current; learning to spot suspicious emails, and not clicking on embedded email links or attachments. Regular follow-up training should make sure best practices are followed and adapted as the threat landscape changes.
Data should be encrypted, both in transit over the network or in email, and while stored, using Transport Layer Security (TLS) 1.2 or higher and AES 256 or higher. Data encryption protects against attackers who manage to breach other defenses and against man-in-the-middle attacks, in which a malicious actor intercepts communications to gain access to sensitive data.
Back up everything
Data backups are crucial, especially to combat aggressive ransomware attacks. The only way to return systems and devices to normal after a successful ransomware attack is to restore from a clean backup. Back up business, medical, device, email and other data on a regular schedule, and keep backups in multiple physical locations.
Perform regular scanning
Health care organizations must regularly scan their networks, workstations, mobile devices, and applications against known vulnerabilities. Cyber attacks can enter through an organization’s network, wireless network, applications, devices and the physical environment itself. Unlike an enterprise into which only badged personnel or approved visitors can enter, anyone can walk into a hospital. Visitors can easily hear a conversation while standing in line, look over materials sitting out in the open, and even plug a USB device into a wheeled nurse’s cart or other accessible device. High risk also is associated with any text, chat and email messages that the organization sends patients on their mobile devices.
Conduct regular threat modeling
Threat modeling and penetration testing exercises describe current threats and reveal how attackers can target your organization. They identify systems that can be leveraged to exploit vulnerabilities and potential entry points into networks, applications and devices. And they help an organization effectively address weaknesses. Threat modeling and penetration exercises should be repeated regularly.
Putting basics in place
The security best practices described here provide organizations with robust and proven protection against cyber theft of health care data. By implementing these practices, health care facilities and organizations will significantly improve their security postures without compromising services for patients and their families.