Top Cybersecurity Threats for Healthcare Organizations (and How to Boost Protection)
Cyberattacks are becoming more prevalent, and for healthcare organizations a breach can be a matter of life and death.
A whopping 74% of healthcare organizations experienced a significant data breach in the previous 12 months, according to a study by the Healthcare Information and Management Systems Society (HIMSS), and hackers are gathering steam in 2020.
The highly detailed patient information in electronic medical records is especially enticing to cybercriminals since the demand for this type of personal information on the dark web often earns them top dollar. And, given the importance of patient medical information, healthcare organizations make prime targets for ransomware attacks, too.
It’s easy to feel powerless, but there’s a lot you can do to mitigate your risks. Knowing how these criminals operate is the first step in protecting patient information and ensuring your healthcare organization remains worthy of your patients’ trust.
Your Organization’s Size Doesn’t Matter
Don’t assume that because your organization is small or rural, you aren’t as vulnerable to cyberattacks as larger urban medical centers. A 2018 study by the American Medical Association (AMA) found that 83% of physician practices have experienced some form of cyberattack.
Often, cybercriminals gain access to patient information through phishing attacks and employee negligence. And because attacks such as email phishing are usually automated, a single click can let them spread through an organization in seconds. In short, everyone is vulnerable to cyberattacks.
How Ransomware Threatens Physician Practices
Ransomware attacks occur when a cybercriminal uses malware to encrypt or lock your data and then demands a ransom to restore access; increasingly, attackers also steal the data first and threaten to publish it if they aren't paid. It's one of the more tenacious threats to medical practices, since attackers try to infiltrate your network through multiple access points, including the IT support companies that work with healthcare facilities, who may be compromised without knowing it. And these attacks are not uncommon: nearly 60% of the total number of cyberattacks last year were due to ransomware, according to data shared by MultiView.
These attacks are dangerous for any healthcare organization, but especially destructive for private practices. Beyond the ransom itself (the average demand is around $30,000, according to data shared by Physicians Practice), rebuilding your systems and restoring your data can take several weeks or months, and paying does not guarantee you get your data back.
Furthermore, extortion is only part of the damage that results from ransomware. Stolen patient data is often sold or traded on the dark web, and unlike locked files, exposed records cannot be taken back; the consequences for patients and the practice can persist for years, even decades.
Additionally, these attacks can disrupt your cash flow, since you can't bill patients or insurers if your billing software has been compromised.
Employee Cybersecurity Threats
Employees can be the biggest threats to your organization's security, even if they don't mean to be. While a disgruntled former employee may exact revenge by threatening to leak data, simple employee negligence is much more common.
In 2019 alone, nearly 4 million patient information records were stolen as a result of employee-related theft, according to the article from MultiView mentioned above.
Often, these careless mistakes result from inadequate training, which is why it's essential your organization covers security best practices as part of the onboarding process. Additionally, it's crucial you and your staff stay up to date on new threats and take all the appropriate measures to protect your patients' data.
How to Protect Against Cybersecurity Threats
The best way to mitigate cybersecurity threats for physician practices is by identifying the most vulnerable access points via your yearly HIPAA risk and security assessment. By engaging security experts to conduct a risk analysis, you can learn your vulnerabilities, as well as how to protect your practice from financial penalties in the event of a security breach.
Here are a few additional steps you can take:
- Keep your operating system and anti-virus software patched and up to date, and upgrade to the current, vendor-supported release.
- Train staff not to open emails and attachments of unknown origin, and to report suspicious messages rather than simply deleting them.
- Require passwords or passcodes on every device and enforce automatic log-off after a period of inactivity.
- Limit access to mobile medical devices, controls and patient records to authorized personnel only.
- Back up files regularly, keep at least one copy offline or otherwise isolated from your network so ransomware cannot encrypt it too, and periodically test that you can actually restore from it.
Once you acknowledge those weak links in the cybersecurity chain, you can begin protecting your data. Staff training, limiting access to information, and focusing on prevention are the most important steps in safeguarding sensitive medical files from cyber threats. Be sure to develop a written security protocol, and stay up to date on the ever-changing methods criminals use to gain access to your systems.