The healthcare industry has always been and will continue to be the target of ransomware and other cyberattacks. These breaches, like the string of attacks which have recently hit several major hospitals and health systems, have exposed the security vulnerabilities of several of our nation’s most trusted healthcare institutions.
An electronic medical health record is more valuable on the black market than a stolen social security number and could be worth hundreds or even thousands of dollars to cybercriminals. In fact, after several years in which the value of medical records on the black market had decreased, a 2019 study puts the average cost of a healthcare data breach at $6.5M, or $429 per patient record. According to the same study, this staggering figure is 60% higher than the cost of a breach impacting other industries.
Data breaches have become all too commonplace among healthcare organizations. According to a recent Ponemon study, 54% of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve. Of those 54% of respondents, 41% experienced six or more data breaches over the past two years.
This is what the cybercrime landscape looked like before COVID-19 pushed the industry to the brink. Now, many healthcare organizations are running their business operations and performing their jobs under new circumstances – which means new security risks and threats. On top of that, the surge of new patient data generated by the pandemic has made these organizations even more attractive targets. As the industry races to develop a COVID-19 vaccine along with new therapeutic treatments, hackers see increased value in going after these companies’ networks and systems to steal this intellectual property – and attacks on biopharma companies have skyrocketed since the early days of the pandemic.
Stressful times lead to poor cybersecurity judgment
Healthcare organizations have had to adjust so much of their operations to address work-from-home arrangements—policies, controls, assessments, tools, and technologies—that many IT teams have had to shift their focus away from security, privacy, and regulatory compliance. Many employees of these organizations are working from home, often for the first time, while also dealing with the stress of the pandemic. Too much change, too quickly.
These disruptions in our professional and personal lives can leave us more distracted and vulnerable to poor decisions such as falling for phishing attacks. And phishing attacks don’t always arrive by email.
In one such case, the U.S. Department of Health and Human Services issued a warning during the onset of the pandemic that hospitals’ security and privacy officers were receiving postcards, supposedly from the “Secretary of HIPAA Compliance,” that asked them to visit a URL for a risk assessment. There was one big problem: the position of Secretary of HIPAA Compliance does not exist. This new phishing attack was designed to take advantage of everyone’s confusion during COVID-19 – and many healthcare security professionals fell victim.
Protecting patient data remotely has its challenges
One of the bigger challenges facing the healthcare industry during the pandemic is budgetary constraints and limited resources — and right now, the priority for these organizations is protecting people’s health during COVID-19. In other words, many organizations are having to weigh competing objectives and de-emphasize everything other than the challenges of treating COVID patients and saving lives. Unfortunately, “everything” can also include cybersecurity and data-privacy initiatives.
However, there are several best practices that healthcare IT teams with limited resources and budgets can implement to better protect their sensitive patient data during this period of once-in-a-lifetime distraction.
- Make sure automated solutions are in place. Review cybersecurity infrastructures across any newly distributed organization. Make sure all automated tools and processes are doing their jobs. This includes making sure all employees’ company-issued devices are encrypted, remote monitoring is in place for these devices, and fraud protection, malware detection, and intrusion detection have all been implemented.
- Cloud service providers must be prepared as well. Contact the third parties whose apps, platforms, and other cloud tools are in the hands of an organization’s employees. They should be asked what specific steps they’ve taken to protect their systems—and a company’s sensitive data—during this period of heightened risk from cybercriminals.
- Get a third-party risk assessment. The best way to make sure an organization is meeting all of its cybersecurity and regulatory standards is to have its infrastructure and processes audited and tested by a third-party expert. Now more than ever, internal IT security teams have too much on their plate to make sure they are addressing—or even seeing—all of the new potential threats to an organization’s data security.
As COVID-19 continues to disrupt the healthcare workforce, organizations must remain focused on maintaining and, if needed, enhancing security protocols. This is especially important at a time when employees are doing their jobs under new circumstances. In many cases, this includes working from a remote location. The potential damage to a healthcare organization’s finances, future revenues, and reputation is too steep to ignore, which is why every step should be taken to safeguard healthcare data.