Why Executives Should Take Preventative Action Now to Avoid Disasters in 2020

A CAPP Conference Survey asked C-Level healthcare professionals what they considered to be the most formidable cybersecurity challenges threatening their medical facilities. Although their answers weren’t surprising, their lack of taking an initiative with adopting preventative strategies was surprising:

  • Third-party risks concerned responders the most (40%)
  • When asked which emerging threat troubled them–Internet of Things (IoT), AI or 5G–over half said it was IoT
  • One-third of C-Level healthcare managers indicated that medical device security is a leading risk to healthcare information security. However, most of these managers said they had no “effective strategy” implemented to evaluate a medical device’s risk. In addition, 26 percent reported they did not have any type of risk assessment available to test medical devices
  • Nearly 50 percent of organizations responding to the survey had only conducted one incident response walk-through. Some had never held incident response exercises
  • Over half of the managers surveyed stated the primary hurdle to adequately addressing security challenges was the lack of people, funds, tools and other resources

Compounding prevalent threats to IoT is the vulnerability of Internet of Medical Things (IoMT), or medical devices that integrate software and components manufactured by suppliers with nominal regard to security. An example of how this vulnerability of IoMT can pose a threat to individual patients involves V.P Dick Cheney and his pacemaker. In 2013, Cheney’s physician disabled his pacemaker due to legitimate reports that hackers could breach the device and kill Cheney.

Server Vulnerabilities Causing Most Data Breaches in the Healthcare Industry

According to a HIPAAJournal article, May and June of 2019 have been the worst months for data breaches impacting the healthcare industry. In particular, phishing attacks are on the rise and email is the most common method cybercriminals use to breach sensitive health information. Additionally, servers are at the highest risk for a breach. Over 50 percent of all health industry data breaches involve vulnerable servers. As the primary repository for a medical center’s data and software programs, servers are constantly being targeted by hackers because once entrance is gained by a hacker, all data in that server can be copied, read, deleted or altered almost instantly. Even worse, healthcare organizations’ IT systems locked by ransomware could cost that organization millions of dollars to unlock and eliminate ransomware.

Securing Servers to Avoid Breaches

What should healthcare managers do to ensure servers aren’t hacked? Failing to monitor user accounts is the biggest reason servers are breached. Server cybersecurity involves deleting accounts of employees who have left the company by implementing software to automatically delete or at least disable dormant accounts. Having multiple dormant accounts on a server allows cybercriminals to access and use these accounts without attracting attention before it is too late. An alternative to this action is to simply conduct regular reviews of accounts and deleting unused accounts manually.

Protecting Patient Information Using Homomorphic Encryption

Since the digitization of paper records to create EHRs, patient information–especially their debit, credit and banking information–has been and continues to be the focus of hackers. Whether they post this information on the “dark web” for profit or use a patient’s financial information themselves to gain access to funds, cybercriminals represent a serious threat to both patients and the medical facilities from which they seek treatment.

Why Executives Should Take Preventative Action Now to Avoid Disasters in 2020

An effective solution to protecting patient information is for healthcare managers to employ homomorphic encryption, a remarkable technology that encrypts data-in-use while locking down sensitive medical data and personally identifiable information. Homomorphic encryption also permits computations to be performed on encrypted data without users needing to access a decryption key. This means the results of encrypted computations cannot be revealed to anyone who does not own the secret (encrypted) key.

Securing EHR System Devices

The federal government’s Office of the National Coordinator for Healthcare IT reports that the leading cause of compromised electronic health information is the loss of devices through theft or accident. Incidents reported to the Office for Civil Rights states that over 50 percent of data loss incidents can be traced to missing devices (flash/thumb drives, DVDs/CDs), handheld devices, laptops and hard drives removed from machines. In some cases whole servers have been stolen. Healthcare managers can significantly reduce or even eliminate the chance that a missing device is stolen or tampered with by establishing rigorous policies that limit physical access to such devices. Only a select number of employees should have access to locked areas containing mobile EHR system devices.

Cybercriminals in 2020 Will Be More Sophisticated, Smarter and Aggressive

The reputation of healthcare organizations and the managers operating them depends on fully comprehending the substantiality of threats coming from cybercriminals working worldwide to infiltrate your organization and steal your data. Taking the strongest preventative measures possible to secure your system is not a choice you have but a mandatory decision essential to the growth and success of any large healthcare facility.