Image: Hack Capital on Unsplash

One could argue that healthcare is one of the industries where cybersecurity is crucial. After all, healthcare services have substantial records, and no one wants their personal information stolen. And yet, it’s clear that those in the healthcare industry, from hospitals to health apps, don’t take it seriously.

Apps and their issues aside, looking at the brick-and-mortar businesses, provides a horrifying peek into how cybersecurity is approached. More than 3054 healthcare data breaches have been reported in the US since 2009. Now keep in mind that many data breaches go unreported as well, so that number might be much higher.

Part of the problem is outdated systems and practices. Another part is chronic underinvestment in cybersecurity. It is leading to an increase in cyberattacks as well as the inability of healthcare services to identify and deal with these persistent threats.

There is a great need for reform within the healthcare system, whether it is large or small hospitals.

Why is Healthcare Hit so Hard by Cyber Attacks?

A few years ago, hospitals across the US were affected by the Samsam Ransomware. Attackers took advantage of the fact that they used servers with outdated JBoss server software and infected them. And who can forget that awful WannaCry cyberattack that shut down the NHS in the UK in 2017? It serves as a perfect example of why the healthcare industry is often referred to as the biggest target for cyberattacks.

Hospitals use outdated legacy systems, and many don’t invest enough resources into security. It can have a profound effect on patient care as well, putting lives in danger.

In 2019, researchers in Israel created a virus that could add fake tumors to MRI and CT scans, which could result in misdiagnosed patients. And since hospitals are relying more on connected devices – which is great for patient care – it’s disastrous if criminals get in.

Healthcare services face many challenges, similar to those of many organizations. These threats often come down to human error and a lack of information and control over security controls in the workplace.

About eighty-six percent of healthcare services don’t even use scanning tools on their email platforms. It is one of the most effective ways to prevent phishing attacks, to which healthcare employees seem to be particularly susceptible.

There is a definite lack in education among healthcare employees about the do’s and don’ts when it comes to cybersecurity.

What Can Be Done to Improve Security?

Medical device manufacturers try to keep pace with threat actors thanks to FDA regulations, but that level of consideration doesn’t extend to healthcare officials. Many hospitals tend to focus on patient privacy, so they think their security is sufficient. But safety shouldn’t end with devices that carry patient information.

Most hospitals don’t employ full-time cybersecurity employees. They even don’t delegate resources to identify and tackle security issues. This needs to change. There are many things to be done to ensure better data protection:

Educate employees: Educating takes time and resources, but it is essential to the safety of the employees and patients.

Invest in security software: Think of it as divided into three levels – devices, accounts, and network. All three need to be protected by applying security tools like firewalls, anti-virus software, VPN (https://nordvpn.com/what-is-a-vpn/), and password managers.

Maintain proper practices: Security practices have to be applied and used to keep systems protected. This means finding the right tool for the job and keeping it updated. Security tools have pitfalls, too, if not applied effectively.

Plan: A big part of risk management is planning for an emergency, whether it be a ransomware attack or leaked data due to employee negligence. Set up contingency plans in advance for different scenarios.

Control access to information: Follow the practice of least privilege. Employees should only be able to access the information necessary to do their jobs.

Apply network controls: Consider how employees use the internet and what is necessary for them to work. Restrict access to websites and disallow downloading new software without prior consent. Also, think of limiting the devices connected to the network, such as personal smartphones.

Conclusion

Many studies around cyberattacks have found that criminals prefer the easiest route to get what they want, and why wouldn’t they? Healthcare organizations need to step up their game if they are going to continue serving their patients safely without the threat of system-breaking cyberattacks.