In recent years, cybercriminals have become exponentially more sophisticated and have honed their efforts to target healthcare facility networks and exploit patient data for profit. No longer are they relying on methods such as stealing a company laptop to gain access to networks, but instead are launching ransomware/phishing attacks that can compromise millions of medical records and personal information instantaneously.
Hackers are eager to access the wealth of private patient and company information housed in healthcare networks that can be extorted for blackmail purposes and used in identity theft. According to Protenus, 31.6 million patient records were compromised during the first half of 2019 – more than twice the number reported in all of 2018. And Herjavec Group’s 2020 Healthcare Cybersecurity Report projects that the healthcare industry’s spending on cybersecurity services and products will rise to $65 billion between 2017 and 2021.
Healthcare facilities in particular are among the entities that are experiencing a spike in cyberattacks directly or through the third-party/IT companies that they work with. When your IT vendor has access to your organization’s IP address, passwords and other login credentials, a breach of their system can also result in a breach of your network.
As cybercriminals become more adept and increasingly target healthcare facility networks, it is more crucial than ever before to ensure your cybersecurity defenses are up-to-date and tested regularly. Unfortunately, measures such as firewalls and anti-virus software programs are no longer enough to provide adequate protection to facilities’ networks.
Why healthcare facilities need stronger network protection
Healthcare facilities store countless records including patient names, addresses, dates of birth, Social Security numbers, health history forms and family member information; as well as scans of driver’s licenses and insurance cards, 2D and 3D images, lab reports and other private data. To hackers, each piece of information offers the opportunity for identity theft or the chance to sell patients’ information on the dark web. In turn, criminals who purchase this information can use it to create fake IDs and commit more crimes such as forging drug prescriptions or filing false insurance claims.
Many facilities have been transitioning to collecting and storing patient data using digital forms for a more efficient and streamlined practice. However, with these new methods come more opportunities for cybercriminals to encrypt digital data or hold it hostage until demands are met. Some healthcare entities are quick to meet these demands when they don’t have backups. Additionally, in the case of a cyberattack, HIPAA’s Breach Notification Rule requires that organizations notify every affected patient of record and offer them identity theft monitoring services. Losing patient trust and experiencing significant company downtime can be extremely costly.
Beyond ransom demands and the sale of private patient records on the dark web, healthcare facilities have also reported malicious cyberattacks during which patient records and other network data are tampered with. For example, hackers with access to facilities’ networks have canceled and rescheduled surgeries, changed patient records (including blood type and health history) and tampered with other records that directly impact patient care.
Who should manage a healthcare facility’s cybersecurity?
It is not just the role of the “IT guys” at a major healthcare facility to moderate and upgrade the network’s protocols and cyber defenses regularly. Everyone from board members – who can require that appropriate mechanisms are in place – to C-level executives who oversee business operations is responsible for shaping the organization’s cybersecurity culture by directing policy, addressing funding and ensuring continuity.
Developing a plan to defend against these types of malicious attacks requires a collaborative effort, governance and clearly defined policies. Another crucial element is employee training – if those who have access to the system know the warning signs to look for, cybersecurity threats such as phishing attacks will occur less frequently.
How to secure healthcare facility networks
There are several important steps that healthcare facilities should take to secure their networks, including any devices that have access to the network, to ensure patient record security. Working with a cybersecurity company allows a third party to assess the protocols currently in place and develop customized solutions for network vulnerabilities.
1. Conducting a cybersecurity audit
Cybersecurity professionals will conduct an initial audit to develop an understanding of how all organizational and patient data is stored and accessed, and to take a close look at the tools used to protect this information.
During the audit, how employees and contractors log into the network remotely will also be noted – including executives accessing the network from home, doctors reviewing patient information remotely, and IT contractors who have access to the organization’s information. Because healthcare facilities are attacked both directly and through the third-party/IT companies they work with, it is crucial for cybersecurity experts to understand the remote-access processes already in place.
2. Cybersecurity awareness training
HIPAA requires covered entities to provide cybersecurity awareness training to their workforce to minimize the possibility of employees falling victim to social engineering (also known as “hacking the human”). Many cyberattacks take the form of seemingly harmless emails that are specifically designed by hackers to appear non-threatening and to come from a familiar name or address. Oftentimes, cybercriminals will change just a single character (such as an “I” to a “1” or an “O” to a “0”) in an attempt to trick the recipient into downloading a virus or ransomware that can shut down the entire network.
With these spear phishing attacks being common throughout the healthcare industry, it’s apparent why installing firewalls and anti-virus software is not enough to deter hackers.
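One defensive check for the single-character sender tricks described above, as an added Python example that is not from the article or from Black Talon Security: it folds confusable characters (“I”/“1”, “O”/“0” and similar) and flags any sender domain that matches a trusted domain only after folding. The trusted domains and sample headers are constructed for the example.

```python
import re

# Glyphs attackers swap for look-alikes (the article's "I" to "1", "O" to "0"),
# each folded to one canonical form so look-alike spellings compare equal.
CONFUSABLE_CHARS = {"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"}
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}

# Constructed sample data: a hypothetical facility's trusted sender domains.
TRUSTED_DOMAINS = ["example-health.org", "example-clinic.com"]
SAMPLE_SENDERS = [  # constructed From: headers, not real mail
    "Dr. Smith <dr.smith@example-health.org>",
    "billing@examp1e-health.org",
    "records@example-clinic.c0m",
    "news@unrelated.net",
]

def normalize_domain(domain: str) -> str:
    """Fold confusable characters so look-alike domains normalize identically."""
    d = domain.strip().lower()
    for seq, canon in CONFUSABLE_SEQUENCES.items():
        d = d.replace(seq, canon)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in d)

def sender_domain(address: str):
    """Return the domain of 'Name <user@host>' or 'user@host', or None if malformed."""
    m = re.search(r"<([^<>]+)>\s*$", address)
    addr = (m.group(1) if m else address).strip()
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower()

def classify_sender(address: str, trusted):
    """Return (verdict, matched_trusted_domain); verdict is trusted/lookalike/unknown/invalid."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid", None
    trusted = [t.lower() for t in trusted]
    if domain in trusted:
        return "trusted", domain
    folded = normalize_domain(domain)
    for t in trusted:  # exact match already failed, so an equal fold means a look-alike
        if normalize_domain(t) == folded:
            return "lookalike", t
    return "unknown", None

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, match = classify_sender(sender, TRUSTED_DOMAINS)
        print(f"{verdict:9} {sender}" + (f"  (resembles {match})" if match else ""))
```

A "lookalike" verdict is a strong signal for quarantine or user warning; "unknown" senders still need the usual SPF/DKIM and content checks.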
3. Vulnerability scanning
Networks with vulnerabilities including outdated equipment or weak passwords are more likely to be attacked by cybercriminals. Hackers have also developed methods for attacking healthcare organizations’ networks through any device with an IP address – including company-issued laptops, workstations, printers, security cameras, and even medical equipment, cell phones, USB drives, and other seemingly innocent devices.
Cybersecurity firms can deploy tools and technologies to scan the network for these types of vulnerabilities quarterly or when network devices are upgraded or added.
4. Penetration testing
Once an organization’s network is believed to be secured, cybersecurity professionals can use “ethical” hackers to attempt to safely penetrate the network using methods that a criminal would. This will flag any remaining weaknesses. This data can then be shared with the healthcare organization’s IT company to mitigate risks.
Protecting healthcare facility networks in the future
Healthcare companies must be diligent about regularly assessing the security of their networks and making adjustments as necessary to ensure patient records are kept safe and hackers are deterred from attempting to access them. Working collaboratively as an organization and consulting with a cybersecurity company that specializes in healthcare industry protection can provide appropriate and effective safeguards for a healthcare organization.
Gary Salman is CEO of Black Talon Security, a Katonah, N.Y.-based company specializing in cybersecurity solutions for businesses.