Why is healthcare so heavily and successfully targeted by cybercrime? It’s a tough question, but after a record number of breaches last year – nearly 90% of all successful ransomware attacks were on hospitals – it’s one that needs to be asked.
Cybercriminals target healthcare data because hospitals need immediate access to up-to-date patient information in order to provide critical care. Malware enters the system, locks computers, blocks access to the data, and in turn prevents hospital staff from efficiently and effectively treating patients. The cybercriminals then demand a ransom, usually in Bitcoin. Ransomware is growing in popularity because it works. In 2014 alone, the FBI estimates that the minds behind the CryptoLocker strain of ransomware received nearly $27 million in six months in ransom for data taken hostage.
Hospitals are also a prime target because employees aren’t trained on security awareness. While HIPAA aims to ensure that patient privacy is protected, in general, hospitals do not place a big enough emphasis on the importance of cybersecurity. Protecting data has always been a challenge, but an aware and invested workforce can become your company’s first line of defense.
Cloud technology, the expanding use of medical devices, and automation have been a huge boon to care providers. However, the quick growth of technology use in healthcare has left the IoT (Internet of Things) fraught with unanticipated security gaps. The adoption of Electronic Health Records means that increasingly large amounts of patient data are being stored in the cloud. With the digitalization of the healthcare industry outpacing security adoption, the potential for exploitation increases, which is another reason why healthcare is such an attractive cybercrime target.
Four out of five hospitals have a basic EHR system
Ransomware can shut down a business for hours, days or even weeks in some cases. Ransomware causes an immediate halt to business, as systems and data cannot be accessed. The threat of ransomware has caused CIOs and IT consultants to have to think about the vast multitude of networks and healthcare data (aka ePHI) that their systems store. Healthcare attacks have also spurred additional IT budget allocations, though they are still woefully underfunded. Healthcare spending on security is up, but so are attacks, leading to demands from the C-suite to come up with new digital strategies.
But while we can all agree that having a strong privacy and cybersecurity strategy is essential to protecting digital healthcare data, surveys like KPMG’s still induce a wince. It states that “39 percent of [CIO] respondents were currently working on a digital business strategy,” then goes on to say, “only half of the [survey] respondents said they have a ‘clear digital business vision and strategy.’”
So, what can be done to try and reduce the number of data breaches?
Look to your employees. Employees are an organization's greatest asset, and they need to be treated as such. It takes just one click on a malicious link to bring a whole system down. Make sure that each and every employee understands their role in a cybersecurity program. They need to know where data is, when they should access it, how it should be used and how it’s being protected. Only then can they become your front line of cyber defense.
To learn more about building and maintaining an effective cybersecurity program, contact Ostendio today to speak with a security expert.