By Mackenna Moralez

Hospitals and other healthcare facilities are falling victim to cybercrimes at an alarming rate. In March 2022, more than 1 million data breaches occurred, potentially compromising the wellness and safety of patients, residents, staff and visitors. The attacks are happening so often that people are desensitized to news stories about these crimes. But not everyone is so lucky. When private information is exposed, it can be held for ransom or data can be permanently deleted, putting people that need care the most in harm’s way.  

Still, government officials regularly issue warnings about cyber groups, advising organizations to be aware of the way their assets are protected and steps they can take  to strengthen their security. The FBI has recommended that facilities keep their software up to date, have training programs that tackle phishing exercises, and require that all data is backed up and encrypted. In spite of these measures, cyber criminals still gain access to systems, leaving many healthcare systems scrambling to regain the trust of anyone who steps into their facility. 

“Healthcare data is especially desirable for ransomware attackers due to the volume of patient and payment information held by medical organizations,” says David Pignolet, CEO, SecZetta. “This risk is compounded by the sheer number of healthcare workers known as third parties or ‘non-employees.’ Providing third parties with access brings risk to hospitals and healthcare facilities because less information is known about non-employees than their employee counterparts but the same levels of access are provided, non-employees join and leave organizations with greater frequency than employees, making managing access much more challenging, sometimes organizations have more non-employees than employees creating an issue at scale, and non-employees are statistically known to be high risk.” 

Employee responsibility 

It’s not just third-party employees who put facilities at risk. A recent study by Endpoint Ecosystem found that while healthcare employees take security seriously and want to do more to protect patient data, there is still poor password hygiene, IT issues and inefficient processes for onboarding new workers.  

The study highlights the following findings specific to healthcare facilities:  

• Twenty-six percent of healthcare employees write their work passwords in a personal journal, and 24 percent admit to storing their passwords in notes on their phone. Seventy percent admit to choosing passwords that are easy to remember, while 20 percent reset their passwords every day.  
• More than 35 percent of employees say security policies restrict the way they work, and 29 percent admit to finding ways to work around security policies. Forty-eight percent of workers believe they are more efficient using non-work apps like Dropbox and Gmail.  
• Sixty-four percent of healthcare workers believe they will get fired for a data breach, while 57 percent believe their executives should be fired for a privacy breach. Twenty-eight percent know someone who exposed their employer to a data breach.  

“The most important strategy is to gain awareness of the specific vulnerabilities your company faces, which can be accomplished in a week or two with a cybersecurity risk assessment,” says Zach Capers, senior cybersecurity analyst with GetApp. “But you don’t necessarily need to know all the technical details to make your organization much less vulnerable to cyberattacks. Many common cyber threats depend on hospital employees overlooking the subtleties of a phishing email or failing to update a machine with the latest software patch.” 

Meanwhile, cybersecurity measures are consistently evolving. Keeping these skills relevant to new and emerging threats is critical, especially for facility managers. When managers consistently work to build skills across an organization, the effort helps maintain a level of trust among staff members, patients and residents. By effectively managing access to data, managers can mitigate risk. Access privileges need to be regularly audited and adjusted, and if necessary, terminated as soon as they are no longer needed.  

“From a technical standpoint, ensuring an effective software patching policy is in place is a great start for pre-emptive planning,” says Kev Breen, director of cyber threat research at Immersive Labs. “This helps close the doors before threat actors can launch attacks. Regular testing of incident response plans involving the whole organization is also something everyone should be doing. When practiced with cadence, this means organizations will have the right tools, processes, and mindset to react to cyber events.  In addition, ensuring compliance with the latest regulations is also critical.” 

Lack of training 

Many healthcare workers still feel they have not been adequately trained to protect company data despite 59 percent of Endpoint Ecosystem survey respondents saying they receive security awareness training monthly or quarterly.  

While there are several reasons that employees could feel unprepared – limited bandwidth, large number of electronics they work on and outdated equipment, among them — most agree  cybersecurity is important. Still, it is tertiary to the fact that these facilities are prioritizing providing healthcare to people who need it most. 

“To be in a better position to combat cybersecurity risk, healthcare organizations and the leadership teams must first acknowledge and prioritize cybersecurity risks, adopt a security mindset and build a culture around cyber hygiene,” Pignolet says. “With regard to identity in particular, organizations need to evolve thinking about onboarding and providing access as a point-in-time operational challenge and approach it as an organic operational security control that can protect their patients and workforce from cybercrime.  However, without the adoption of a robust third-party identity solution to manage the access levels and life cycles of third parties, the training can only go so far.” 

Human error is often to blame for security breaches. Most healthcare workers use personal devices on the job, but 51 percent only have them securely enabled. Meanwhile, 28 percent of healthcare workers allow their family members to access their work devices for personal use, according to the Endpoint Ecosystem report. Also, Software Advice’s Healthcare Data Security Survey, found that 23 percent of small practices have experienced a data breach, and nearly one-half (46 percent) could have been avoided by eliminating human error. The survey also found that only 42 percent of small medical practices and 25 percent of large practices spent no more than two hours on IT security and data privacy training in 2021.  

“Our survey showed that 52 percent of small practices allow employees to access more patient data than is necessary. Access to more data can greatly improve the risk to that data,” says Lisa Hedges, associate principal medical analyst with Software Advice. “Communicating the actual risks of a cybersecurity event is a great place to start with training. Set the stage for employees to fully understand how bad a security breach could be by talking through the potential costs and impacts on the business, then move into actual tools employees should be using like password security or two-factor authentication.” 

Breen also suggests managers train staff to understand what data they have, how they are supposed to handle it and what its value is to an attacker.  

“Once defenders understand where data is supposed to flow, it’s easier to pinpoint any compromise and whether it is malicious or accidental,” he says. “It’s also important that staff have a safe space to report suspicious activity or identify where accidental leaks have taken place, without judgement. Your workforce is your first line of defense.” 

Downfall of cyber attacks 

Regular cyber attacks on healthcare facilities are making it harder to distinguish between real and phishing attempts. Training employees to protect passwords and to not click on unauthorized links can only do so much to prevent a cyberattack. Every second counts when an initial threat is made, but many facilities still do not have a cybersecurity plan in place. Losing data in an attack is the greatest risk for patients and staff. According to the Software Advice survey, 11 percent of large medical practices permanently lost their data after either making no attempt to pay a ransom or paying but still not recovering their stolen data. Without a strong cybersecurity plan in place, healthcare facilities are risking potential harm to patients via compromises to their physical safety, privacy, health data and financial wellbeing, Pignolet says.  

“Without wanting to sound dramatic, there can be a threat to life if hospitals and healthcare facilities become compromised,” says Breen. “Limiting essential operations such as being able to take in new patients, or equipment and services not working effectively, can have a profound impact on patients' mental and physical health.” 

All too often these plans are put into place after becoming victim to a cyberattack. A lack of preparation can damage a facility’s reputation and patients will lose their trust in the organization’s abilities to care for them. While most organizations agree that it is good to disclose ransomware attacks, a study by ExtraHop found that only 39 percent of healthcare facilities were completely transparent about attacks. The longer a healthcare facility delays disclosure, the more negative impacts it has on their operations.   

“With more transparency now around cyber incidents, it’s important that security and incident response teams learn from attacks against other organizations so they can put themselves in the same position by running exercises and simulations,” Breen says. “This will help them ask themselves, how would we have responded? Could we have responded differently or better? These learnings should then be built into crisis response plans.” 

Healthcare facilities managers must ensure that patients’ personal information is safe. It is crucial that managers regularly communicate with residents and patients about the way their data is used, stored, shared and protected. Patients are putting even more trust in doctors to protect not only their health but also their personal data. Hedges encourages managers to take extra steps in protecting everyone within the operations so that no one gets let down. If anything, having an open dialogue helps build trust within a facility and can bring in more patient recommendations.  

“Now more than ever, leadership must step up and address the reality that employee engagement and corporate support for efforts, events and socialization are vital to reducing apathy and distraction in the workplace,” Pignolet says. “Additionally, creating a strong cybersecurity culture within a healthcare organization’s workforce, inclusive of both employees and non-employees, is critical in combating these threats and requires the application of different thinking than is being used today. Hospitals and healthcare facilities need to put a hyper-focus on cybersecurity fundamentals like identity programs and must provide the same diligence for all user types, especially third-party users who have the same access levels as internal users but often are less well-known by the organization.” 

Mackenna Moralez is the associate editor of Healthcare Facilities Today