As a healthcare institution, you likely have a lot on your plate. You deal with patients and their families, insurance claims and reimbursements, all while trying to keep your organisation running smoothly. It's not surprising that the last thing you want to worry about is cyber security threats. But if you don't pay attention to what's happening in the world of data breaches and network attacks, one wrong click could end up costing millions of dollars in fines or worse: patient lives lost as a result of negligence on your part.
The healthcare industry is highly targeted by cybercriminals
The healthcare industry is one of the most highly targeted industries for cybercriminals. Here are a few reasons why:
Healthcare companies have access to sensitive personal information, including names and addresses.
They often handle large sums of money.
They may store data on their computers that can be used to blackmail or extort individuals or organisations.
Cybercriminals can turn their targets into ransomware victims.
Ransomware is a type of malware that encrypts files and demands a ransom to be paid in order to return access to the data. It can be delivered via email, or through other means such as USB sticks, or even by infecting websites.
Cybercriminals can turn their targets into ransomware victims by tricking them into opening an infected file attachment carrying a virus called ‘Locky’, which encrypts all of your files until you pay up. One way hackers do this is by hiding malicious code inside images that are sent in mass email campaigns, for example:
Opening an attachment containing an image will launch the Locky ransomware on your device (PC).
Visiting a webpage that contains hidden code will download the Locky ransomware onto your device (PC).
This type of attack is becoming increasingly common these days due to its effectiveness.
Healthcare institutions are increasingly handing over data to third parties.
With the increasing digitisation of healthcare, there has been an increase in third-party access to patient data. This may seem like a good thing at first, as it allows healthcare institutions to work with other companies to improve patient care or expand their services without taking on such tasks themselves. However, when it comes down to security and privacy concerns, there are many risks associated with giving your sensitive information out to third parties, which makes cyber attacks on the healthcare industry more likely.
Third parties may not be as secure as the healthcare institution itself since they don’t have years of experience handling sensitive data. They also might not have similar security standards because they are not bound by HIPAA requirements as hospitals and medical centres are (though many do anyway). And finally, these organisations could be more likely targets for cybercriminals because they often hold large amounts of personal information from millions upon millions of people at once.
Hackers have stolen detailed health information.
The number of healthcare organisations that have been hacked is astounding. According to the Department of Health and Human Services (HHS), there are over 100 million records exposed in data breaches every year, with a total of 4.5 billion records exposed since 2013.
What is most concerning about these hacks is the type of data that has been stolen: sensitive patient information including names, dates of birth, addresses and Social Security numbers—the same information used to apply for credit cards or file taxes—as well as medical diagnoses and conditions such as HIV status or pregnancy status.
The impact on individuals can be severe: identity theft, as well as financial damage incurred through fraudulent charges made in your name. Even more worrisome is how this information could affect your health if it falls into dangerous hands, like those who exploit vulnerable people by selling their insurance coverage under false pretences. It's not uncommon for criminals to use stolen health insurance credentials to obtain medication on others' behalf (i.e., opioids).
The weakest link in perimeter security is the employee.
A survey by the Ponemon Institute found that while healthcare organisations are working to improve their cyber security strategies, they're still lacking in employee training. For example, only 33 percent of respondents said they had a formalised training program for employees on identifying and avoiding phishing attacks, and just 16 percent said they had a formalised program for preventing ransomware infections.
These numbers are especially troubling given that employees are often the first line of defence against cyber security threats. Because they have access to sensitive data and systems, targeted phishing attacks can be used to trick them into giving away passwords or other information needed by hackers to gain unauthorised access. And since employees often handle sensitive patient data through clinical systems (whether it's at an individual level or across an entire hospital), ransomware attacks have been known to spread from one employee's computer to another's via email attachments containing infected files.