HIT Think

Why doctors and devices hold the keys to ransomware defenses

Register now

It’s no secret that ransomware attacks are on the rise, especially in the healthcare industry. This year alone, there have already been 14 attacks on hospitals, leaving facilities without access to patient data and forcing providers to turn away patients and revert back to manuals processes. Major hospitals in Los Angeles, Kentucky and the Maryland-Washington area have made headlines for recent ransomware attacks.

This begs the question: Why is the healthcare industry targeted so frequently by hackers, even when financial gains are minimal? It’s pretty simple, actually. Many healthcare organizations tend to lack sufficient cyber protection and run older applications requiring older operating systems, making their IT infrastructures easy to penetrate and hold for ransom.

Furthermore, cybercriminals have realized that hospitals are much more likely to pay a ransom, because a cyberattack can freeze hospital operations and prevent the delivery of critical care.

Because lives are on the line, it is crucial for healthcare IT infrastructures to be as secure as possible. Whether lack of knowledge, resources or a combination of both is to blame, many healthcare executives are unclear about the actions they should take to successfully thwart these attacks and keep their patients and their data safe.

Here are the two of the most common vulnerabilities for hackers to exploit and some strategies executives can implement to minimize their risk.

Physicians as the first line of defense
Now that most charts are stored electronically, physicians are the first line of entry to critical patient data. However, doctors often don’t realize how seemingly insignificant actions can seriously impact the security of their patients’ information.

For example, sometimes in order to spend more time with patients or to move on to the next appointment quickly, physicians might not log off their computers when they leave a room. They might also utilize weak passwords that they can easily remember and also keep track of, rather than varying them for different systems. These simple yet significant decisions prioritize convenience over fundamental security habits that would likely deter cybercriminals.

Incidents of ransomware have recently increased, particularly toward healthcare organizations. Rather than paying a ransom, it may be more cost effective to take preventative steps to prevent or reduce the possibility of an attack. Security expert Mark Dill, principal consultant of tw-Security and former CISO at Cleveland Clinic, offers steps organizations should consider taking, using a “People, Process, and Technology” approach.
February 22

Having realized this gap, hackers have inevitably targeted electronic healthcare records. Given this, it’s important to ensure all employees undergo proper security awareness training to reinforce fundamental cybersecurity practices, like not clicking on suspicious emails or visiting sites that might compromise the security of the network.

Executives should continue to remind employees to consistently follow up and execute on practices learned during these trainings. Implement Web and Mail filtration technologies to limit the noise one might see when monitoring the security infrastructure.

Ensuring connected devices are not an entry point
Connected devices, like digital X-ray machines or electrocardiograms, help healthcare facilities capture patients’ healthcare data. As helpful and important as they are, it can be tricky for hospitals to understand who exactly owns these connected devices.

In some hospitals, vendors claim responsibility, but that leaves healthcare providers susceptible to outside breaches not covered by internal standards. In other medical organizations, healthcare professionals are the responsible. With such discrepancies, what are the security standards?

To keep connected devices as safe as possible, hospital executives must continually monitor who has access to these machines, know the exact security standards set in place by the vendor, and identify the security practices that need to be implemented. Again, following these security best practices could potentially make the difference in a life-or-death situation.

Other key security steps
At the end of the day, there are some fairly fundamental procedures that can protect healthcare organizations that do not require senior-level security knowledge or multi-million dollar budgets.

  • Regular security awareness training is a great place to start. After all, employee error is the leading cause of data breaches.
  • Educate your employees on the dangers and implications of clicking on every email attachment or pop-up and teach them to think critically about a strange email or link.
  • Make sure your employees are consistently changing passwords and creating harder to hack passphrases with a combination of letters, numbers and symbols.
  • If you do find that your systems have been breached, don’t panic; think rationally and disconnect the infected systems from the network to prevent any further network infiltration.
  • Make sure that you are collecting and saving logs so you can detect patient zero when an incident does occur.
  • Confirm that you are monitoring all point of data contact outside of your organization.
For reprint and licensing requests for this article, click here.