How to Combat 5 Common Healthcare Cybersecurity Challenges
With the ongoing pandemic, the last thing medical organizations or hospitals want to be preoccupied with is a healthcare cybersecurity problem or breach. However, hackers have been ramping up their efforts in this essential sector over the past year, with healthcare hacking incidents rising 42% in 2020, affecting 31 million patients by leaking private information.
In the first few months of 2021, we’ve seen major reported data leaks from ransomware extortion attacks directly targeting at least seven major healthcare-related organizations. Hospitals and other healthcare facilities included in these incidents were New Mexico-based Rehoboth McKinley Christian Health Care Services, Capital Medical Center in Olympia, Wash., and New Jersey’s Bridgeway Senior Healthcare.
Healthcare-adjacent organizations that were targeted were document scanning and management company Standley Systems, Los Angeles practice management vendor AlohaABA, medical device company Cardiva Medical in California, and UK-based medical technology company Livanova. Ransomware groups REvil, Conti, Babuk, and Avaddon are behind this recent string of healthcare cyber attacks, and are publishing private data in stages in an attempt to elicit high ransom payments from the targeted companies.
These types of attacks are typically difficult to spot because today’s hackers are incredibly strategic in how they gain access, and will usually infiltrate a healthcare company’s network and systems long before deploying the ransomware payload, giving them time to carefully plan the ultimate attack. Many of these attacks also play out over the long term, with secondary infections extending well past the initial attack.
We know that, as a healthcare company, you don’t have expendable time, money, or energy to deal with the fallout of a major cybersecurity breach. Here are five cybersecurity threats to healthcare organizations that you should consistently monitor and aim to combat by improving your processes and policies.
Phishing Attacks
Phishing is any fraudulent attempt, made through a digital channel, to capture personal information, and it most often arrives via email. It poses a major threat to any organization: it was the top threat action in 2020 data breaches, and 97% of users can’t recognize a sophisticated phishing email.
Phishing attacks on healthcare and related organizations have been increasing over the years because of the high value of patient data and its privacy. Protected health information (PHI) and personally identifiable information (PII) are profitable commodities because they can be used to create false identities, obtain free medical treatment, and more. Hackers can also demand significant ransoms after deploying ransomware, since healthcare organizations want to avoid leaks in order to maintain public trust and need access to essential care details in order to treat patients.
Comprehensive and frequent employee training against phishing can help to reduce risk for your organization. Employees should never click a link from any mode of communication before carefully inspecting and verifying its source. Another method that can help protect healthcare organizations from phishing attacks is having web filters that don’t allow employees to visit fraudulent websites even if they accidentally click on a phishing link.
HIPAA Compliance
Now that patient data is often stored in the cloud, it may be more difficult to monitor who in your business has access. Overly broad access to private information across your organization can violate HIPAA.
Do you know who has access to patient data? Do you know where and when they’re accessing private data? Are there people who are able to access patient data who don’t need to? Answering these questions is essential to ensuring HIPAA compliance of your online patient database.
The HIPAA Security Rule requires that every HIPAA covered entity take specific security measures in order to prevent successful malware or ransomware attacks, including risk analysis of your ePHI system, tools and processes that detect and protect against malicious software, consistent employee cybersecurity training, and granular user access controls. HIPAA also lays out specific procedures for reporting breaches once they happen, including required timelines and requirements for reporting to government entities and disclosing breaches to affected clients or patients.
Legacy Storage Systems
Legacy applications or software used to store patient information can create opportunities for hackers to gain access into your systems. The high complacency with outdated technology in healthcare organizations paired with the low IT literacy of many healthcare professionals is a dangerous duo that can expose your network to a myriad of cyber threats.
Legacy applications are often insecure ways of storing historical data, as hackers can exploit ‘back doors’ to gain access to your systems. Although moving significant amounts of historical data to new or updated database software may seem like an unproductive use of a hefty amount of employee time and energy, using an updated and highly secure application for storing private data is an essential element of protecting your practice from a potential breach.
Patient Communications
If patients don’t understand how to securely interact with their healthcare professionals (and many won’t), they are also at risk of exposing their own PII or PHI. Training patients on how to interact with your online patient portal securely is part of best practices for making sure that no data from your organization is compromised.
Patients, particularly those who are older and may be less IT literate, may also be targeted by phishing communications that appear to be coming from their specific medical provider or your customer service team. Transparency and clarity with patients on how and when they’ll be contacted by you and your team, and how they should in turn contact your team, will help both parties avoid miscommunications and potential threats.
Managing Patient Data
Employees may also not understand how to securely interact with patient data. Extensive training should be required for all employees that have access to private information and, as discussed earlier, database access should be restricted only to professionals and employees that absolutely require it to complete their jobs.
Consistently monitoring who is accessing your patient data, and when, may not be a task your organization has the internal capacity for, but it is key to ensuring the protection of your data. Outsourcing this important security function can help you rest easy knowing your patient data is secure without overly straining your team.
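The access questions raised in the HIPAA Compliance section and the monitoring described just above can be turned into a repeatable check. The following is an added example, not code from the original post or from Inversion6: it compares the accounts a patient-data store currently grants access to against the list of staff who actually need it, and then reviews a constructed audit log for accesses by accounts without a job need, record exports, and off-hours activity (assumed working hours of 07:00 to 19:00).

```python
from datetime import datetime

# Constructed sample data: accounts the system currently grants access to
# (with their role), and the need-to-know list confirmed by department leads.
GRANTED = {"dr_patel": "clinician", "nurse_kim": "clinician",
           "billing_lee": "billing", "intern_ray": "intern",
           "it_admin_joe": "it"}
NEED_TO_KNOW = {"dr_patel", "nurse_kim", "billing_lee"}

# Constructed audit log: timestamp, user, patient record id, action.
ACCESS_LOG = """\
2021-03-02T09:14:05 dr_patel MRN-1001 view
2021-03-02T09:20:41 nurse_kim MRN-1001 update
2021-03-02T23:48:10 billing_lee MRN-2048 export
2021-03-03T02:05:33 intern_ray MRN-1001 view
2021-03-03T10:02:12 it_admin_joe MRN-3077 view
"""

def excess_access(granted, need_to_know):
    """Accounts that hold access to patient data but have no job need for it."""
    return sorted(set(granted) - need_to_know)

def parse_log(text):
    """Turn each log line into (datetime, user, record id, action)."""
    rows = []
    for line in text.splitlines():
        ts, user, mrn, action = line.split()
        rows.append((datetime.fromisoformat(ts), user, mrn, action))
    return rows

def suspicious_accesses(rows, need_to_know, start_hour=7, end_hour=19):
    """Flag accesses that warrant review; the working-hours window is assumed."""
    findings = []
    for ts, user, mrn, action in rows:
        reasons = []
        if user not in need_to_know:
            reasons.append("no need-to-know")
        if not (start_hour <= ts.hour < end_hour):
            reasons.append("off-hours")
        if action == "export":
            reasons.append("export")
        if reasons:
            findings.append((ts.isoformat(), user, mrn, action, reasons))
    return findings

if __name__ == "__main__":
    print("Accounts to revoke or justify:", excess_access(GRANTED, NEED_TO_KNOW))
    for finding in suspicious_accesses(parse_log(ACCESS_LOG), NEED_TO_KNOW):
        print("Review:", *finding)
```

Run against the sample data, the check lists two accounts with access but no need for it, and flags three log entries for review: an off-hours export, an intern reading a record at 02:05, and an IT administrator viewing a record.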
Partner with Inversion6 for Robust Healthcare Cybersecurity
Inversion6 has deep experience in the healthcare industry, creating HIPAA compliant IT security solutions that keep private patient data safe. Contact us today and let Inversion6 help you focus on patient care and worry less about your IT security.