Ransomware is growing in popularity because it works. A recently released study by Google estimates that ransomware victims have paid over $25 million in ransom over the past 2 years. When MedStar Health, a health system serving the Baltimore/Washington region, was hit by a cyberattack in 2016, it chose not to pay the Bitcoin ransom, instead shutting down every part of MedStar Health’s electronic medical record systems.
Hospitals are a prime target because employees aren’t always trained in security awareness. While HIPAA aims to ensure that patient privacy is protected, hospitals in general do not place enough emphasis on cybersecurity. Protecting data has always been a challenge, but an aware and invested workforce can become your company’s first line of defense.
Defeating the cybercriminals – what hospitals can do to stay secure
So, what can hospitals do to reduce the number of cyber-attacks, like the recent WannaCry ransomware outbreak which affected hospitals in England and Scotland?
The WannaCry ransomware attack was particularly effective against unpatched Microsoft operating systems, and in particular against unsupported versions such as Windows XP. To protect against attacks like these, first understand what software is in operation, where it runs and which version is installed. Then establish an active patch management policy to ensure that software is updated in a timely manner, and confirm that you can quickly verify whether that is actually happening; otherwise, attackers will find and exploit those vulnerabilities for you.
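The step above ("know what is running, where, and which version, and be able to tell quickly whether patching is happening") is the kind of check that should be automated against the asset inventory rather than done by hand. The following is an added example, not code from the original post or from Ostendio: it reads a constructed CSV export of hosts, operating systems and last-patch dates, flags hosts on end-of-support products and hosts whose most recent patch is older than a policy window, and computes a simple compliance rate. The unsupported-product list, the 30-day window and the host names are all assumptions chosen for the illustration.

```python
"""Patch-compliance report over a host inventory (added example, not from the post)."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy assumptions (not from the post): product names treated as
# end-of-support, and the maximum allowed age of a host's newest patch.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}
MAX_PATCH_AGE_DAYS = 30

# Constructed sample inventory, in the shape an asset/patch tool might export.
# An empty last_patch field means the tool has no patch record for the host.
SAMPLE_INVENTORY_CSV = """\
host,os,last_patch
ward3-pc01,Windows XP,2014-04-08
ward3-pc02,Windows 7,2017-05-10
lab-srv01,Windows Server 2012 R2,2017-02-14
mri-console,Windows 7,
"""


@dataclass
class Host:
    name: str
    os_name: str
    last_patch: Optional[date]  # None when no patch history is recorded


def parse_inventory(csv_text: str) -> List[Host]:
    """Parse the CSV export; a blank last_patch becomes None rather than crashing."""
    hosts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["last_patch"].strip()
        last = date.fromisoformat(raw) if raw else None
        hosts.append(Host(row["host"].strip(), row["os"].strip(), last))
    return hosts


def assess(hosts: List[Host], today: date,
           max_age_days: int = MAX_PATCH_AGE_DAYS) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for policy violations.

    A host can yield more than one finding, e.g. an unsupported OS that is
    also long past its last patch; both facts matter to the remediation plan.
    """
    findings = []
    cutoff = today - timedelta(days=max_age_days)
    for h in hosts:
        if h.os_name in UNSUPPORTED_OS:
            findings.append((h.name, f"unsupported OS: {h.os_name}"))
        if h.last_patch is None:
            findings.append((h.name, "no patch history recorded"))
        elif h.last_patch < cutoff:
            age = (today - h.last_patch).days
            findings.append((h.name, f"last patch {age} days ago (limit {max_age_days})"))
    return findings


def compliance_rate(hosts: List[Host], findings: List[Tuple[str, str]]) -> float:
    """Fraction of hosts with no findings at all (1.0 means fully compliant)."""
    if not hosts:
        return 1.0
    flagged = {name for name, _ in findings}
    return 1.0 - len(flagged) / len(hosts)


def run_report(csv_text: str, today_iso: str) -> Tuple[List[Tuple[str, str]], float]:
    """Convenience wrapper: parse, assess as of the given ISO date, and score."""
    hosts = parse_inventory(csv_text)
    findings = assess(hosts, date.fromisoformat(today_iso))
    return findings, compliance_rate(hosts, findings)


if __name__ == "__main__":
    # Report as of a fixed date so the output is reproducible.
    report, rate = run_report(SAMPLE_INVENTORY_CSV, "2017-06-01")
    for host, reason in report:
        print(f"{host}: {reason}")
    print(f"compliance: {rate:.0%}")
```

In practice the CSV would come from the patch or endpoint-management system, and the report would run on a schedule so that a host dropping out of the patch cycle is noticed in days rather than discovered by an attacker. Note that a host with no patch history at all is reported separately from a stale one: it usually means the host is unmanaged, which is a worse finding than a missed cycle.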
Hospitals also need to look at their vendors. Third parties can add significant risk to any organization, so ensure that any vendor who may have access to your network also operates securely. Track your vendors to ensure that the requisite security assurances (such as a HIPAA Business Associate Agreement) are written into your vendor contracts, and/or schedule regular security audits.
Most ransomware infections begin with human error. Employees clicking on phishing links, downloading infected attachments, or visiting malicious websites are the main ways ransomware enters a system. Make sure that your employees are regularly trained on the dangers of ‘click bait’ emails and headlines. Run routine training and have employees sign off on phishing awareness policies and training.
Employees need to know where data is, when they should access it, how it should be used and how it’s being protected. Only then can they become your front line of cyber defense. The greatest cybersecurity tool of all is your employees. Engage them effectively and you will make your hospital more secure.
Ostendio discussed the latest healthcare cybersecurity threats and cybersecurity solutions on the Healthcare Cybersecurity: Challenges and Solutions panel at the Capital Health Tech Summit on June 15 2017. Hosted by the Northern Virginia Technology Council, the Summit explored how tech is transforming and disrupting the business and delivery of health today and highlighted the unique intersection of commercial, government and academic assets that make Greater Washington the epicenter for innovation in the health technology sector.