How hospitals can combat online security threats

Hospitals deal with sensitive patient information and ageing hardware and software, along with tools like electronic-health-record (EHR) platforms potentially expose these healthcare providers to more risk. So what are the online security red flags that hospitals should be aware of and how should they be dealt with?

How hospitals are vulnerable to data breaches and cyber attacks
 
Patient data and medical records are highly sensitive forms of data with a large threat surface or many points of vulnerability. Small community hospitals could be particularly vulnerable as they might have limited IT health staff and a general lack of expertise.
Additionally, legacy hardware and software nearing obsolescence can also be a point of vulnerability for hospitals. Hospitals might not be running patches sufficiently.
 
Other vulnerabilities of hospitals include employees having physical access to servers and paper records. Paper and film, network servers, hospital unit computers, and lost devices are points of vulnerability hackers will use to their advantage. Around half of data breaches could be due to human error, and insider misuse is another possibility.
 
Even hospitals with sophisticated health IT systems in place could experience patient-data breaches. Experts suggest everyone's a target. Malicious attacks can result in serious breaches of privacy through unauthorised access to personal information. This information can include names, birthdays, social security numbers, Medicare numbers, and so on.
 
Observers warn that as healthcare providers like hospitals put more medical data online, healthcare is quickly becoming a target for malicious attacks. As for red flags, sometimes hospitals don't even realise they've been breached.
 
 This data can be valuable for hackers for a number of reasons.
 
Why hospitals are targets for hackers
 
The goal of malicious, deliberate attacks is usually money itself, but when the attacks can't get money, they will typically be aiming for things that can be converted into money.
 
Loss of control of EHR data can lead to unwanted outcomes like delayed surgery, blackmail, and identity theft. For instance the Hollywood Presbyterian Medical Centre in California was desperate enough to pay a ransom to an attacker who gained control over its systems. Similarly, stealing login credentials could be easier than hacking into a network and allow you to blackmail the healthcare provider.
 
The ability of malicious attackers to engage in blackmail or ransomware attacks reflects this fact: the healthcare system is critical infrastructure like our transport or energy systems. By disrupting access to the hospital's electronic systems (as hackers recently did to the National Health System in the UK), malicious attackers have strong leverage to demand ransoms because the system is critical to life-or-death outcomes.
 
Other motivations for attacking hospitals could be to gain prescription data and obtain medications, or to blackmail public figures with their health records. Data can be sold on the black market.
 
While financial motivations explain the majority of data breaches, attacks by insiders could be motivated by fun or curiosity; for example, when a staff member looks at the medical records of a celebrity.
 
6 ways hospitals can protect their data
 
So as for red flags, hospitals should probably assume they're already a target and have a comprehensive information security program in place.
 
1. Encourage a security culture so staff are on board with protecting the hospital's systems and data. Provide training and leadership to boost this security-aware culture. Training is vital for reinforcing desirable behaviour, the all-important human component of effective data-security practices. Making your data-security communications interesting with good content and even gamification could help you engage and motivate staff in this behaviour.
 
2. At the same time, have stringent policies on the appropriate use of mobile devices like phones and tablets, which can hold sensitive data. Control access to health information at all access points, whether it's hospital computer units, wireless networks, networked or IoT devices, remote workstations (like from home), or physical servers. Ensure you have clear guidelines on staff bringing in their own devices if they are allowed to have these.
 
3. Beyond your culture, enforce good IT practices like erasing data from discarded devices, set up firewalls, updating malware definitions, and scheduling data backups. Have staff use strong passwords, change them on a regular basis, and combine with multi-factor authentication.
 
4. Data usage should be monitored and controlled, and data should be encrypted. Bloatware can slow down your system and compromise security. Eliminate bloatware by having your IT team do clean installs and/or by buying directly from the manufacturer.
 
5. Update legacy hardware and software systems as the cost savings are not worth the risk. Invest in the most secure equipment you can obtain. Have your IT team conduct regular risk assessments, security analysis, and audits so you can identify vulnerabilities and address them. These tests and assessments should give you a clear picture of your existing network, current policies, and other factors affecting data security. You need a clear idea of your current system so you can make improvements as required.
 
6. Work with your partners and associates (those you share patient data with) to ensure they also follow best-practice guidelines. Finally, assume you'll be attacked at some point and have a recovery plan ready so you can limit the breach and get back online more quickly. Your recovery plan should be based on an assessment of what could result from a breach, so you can be as well prepared as possible to act in response. The recovery plan could include drills and tests involving staff.
 
Healthcare providers are facing the mounting challenge of working with sensitive patient data whilst being an attractive target for malicious attacks. Given this, Australian hospitals and other healthcare organisations need to have a comprehensive security policy. Such a policy, together with your IT hardware and software, could be an effective infrastructure for minimising the risk of data breach.
 
Bolster your cyber security with Kiandra IT
 
To learn more about security solutions for your organisation get in touch with the expert team at Kiandra IT. We can identify all the potential threats your business faces and secure your data against them. Get in touch today.