Today’s hospital is a more plugged-in and connected place than ever. Amazing new technologies have improved health outcomes in ways we never could have imagined a few decades ago. Unfortunately, the dark side of those technological improvements is that they can also create vulnerabilities that didn’t exist before.
Cybercriminals are nothing if not resourceful, and thanks to the many new technologies in the healthcare field, they have a whole new set of tools available and the motivation to use them. Purloined medical records often fetch high prices on the black market, and many medical institutions are still unwilling to make the necessary investments in cybersecurity because they simply don’t understand the nature and gravity of the threats.
These threats to medical data can take numerous forms, but the following six are some of the most common—and some of the most dangerous. Failing to address them can lead to HIPAA violations, a loss of patient trust, exposure of life-critical devices and much more.
1. Phishing and Malware
Phishing and malware attacks are among the hardest-to-counter forms of attack against healthcare IT systems. That’s because they’re “one and done”—it can take only a single employee clicking a single link or attachment to introduce malicious code into your system.
Most widely-used email clients now automatically flag some suspicious messages, but a determined and sophisticated attacker can often defeat these. Train your employees on how to recognize common types of phishing and on techniques for avoiding them, including:
- Turning on two-factor authentication (2FA) for sensitive accounts
- Using Google Drive to open dubious documents (if they must be opened at all)
- Using an auto-fill password manager app that can detect fake websites
- Not accessing personal email on work devices with network access
2. IoT Security Breaches
If you follow tech security news, you might remember the 2017 incident in which hackers stole a Vegas casino’s guest information database. The beachhead of their attack? An unsecured WiFi-enabled thermostat in the casino’s fish tank. That incident is a great example of how hackers can easily exploit the new generation of digital devices to penetrate a network and access information. To make matters worse, hackers who can compromise a hospital’s network may be able to gain access to life-critical medical devices, potentially endangering patients’ lives.
That means that IoT security must become a critical priority for medical providers. A 2017 report painted a bleak picture: 53 percent of medical organizations weren’t regularly testing their devices for security. There is one simple first step for healthcare IoT device security that hospitals should look at implementing immediately: a rotating schedule of device audits to make sure you’re not using default or easy-to-guess passwords. From there, make a plan with your IT department to ensure that your IoT devices don’t become entry points for cybercriminals. It’s also good to make sure that new IoT devices you purchase are in secure, durable electronics enclosures that can’t be easily physically accessed by unauthorized individuals.
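The two checks this section recommends, a password policy that rejects vendor defaults and a rotating audit schedule that keeps every device inside the audit window, can be kept as a small script run against the device inventory. The following is an added illustration, not code from the article; the 90-day window, the default-password list, the device names and the dates are all constructed for the example.

```python
"""Rotating IoT credential audit (added example, not from the article).

Works over a constructed device inventory:
  1. acceptable_password() rejects vendor defaults, short passwords and
     passwords derived from the device's own name when a credential is set
  2. audit() flags devices whose default credential was never rotated and
     devices whose last audit is older than the audit window
  3. rotating_schedule() spreads the fleet over audit slots, longest-unaudited
     device first, so nothing goes unchecked for more than one window
"""
from dataclasses import dataclass
from datetime import date, timedelta

AUDIT_WINDOW = timedelta(days=90)   # assumed policy value, not from the article
# Constructed default-password list; in practice built from the vendor
# documentation of the devices you actually own.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "default"}


@dataclass
class Device:
    name: str
    credential_rotated: bool   # auditor confirmed the vendor default was replaced
    last_audit: date


def acceptable_password(candidate: str, device_name: str) -> bool:
    """Policy check applied when a device credential is (re)set."""
    low = candidate.lower()
    if low in KNOWN_DEFAULTS:
        return False
    if len(candidate) < 12:
        return False
    # Reject passwords built from the device's own label (e.g. "lobby" in "lobby-camera").
    for part in device_name.lower().split("-"):
        if part and part in low:
            return False
    return True


def audit(devices, today: date) -> dict:
    """Return {device name: [issues]} for every device needing attention."""
    findings = {}
    for dev in devices:
        issues = []
        if not dev.credential_rotated:
            issues.append("default-password")
        if today - dev.last_audit > AUDIT_WINDOW:
            issues.append("audit-overdue")
        if issues:
            findings[dev.name] = issues
    return findings


def rotating_schedule(devices, start: date, slots: int) -> dict:
    """Assign devices round-robin to `slots` audit dates spread over one window."""
    step = AUDIT_WINDOW / slots
    ordered = sorted(devices, key=lambda d: d.last_audit)   # stalest first
    return {dev.name: start + step * (i % slots) for i, dev in enumerate(ordered)}


# Constructed inventory for the demonstration.
INVENTORY = [
    Device("fishtank-thermostat", credential_rotated=False, last_audit=date(2024, 1, 15)),
    Device("infusion-pump-3", credential_rotated=True, last_audit=date(2024, 5, 1)),
    Device("lobby-camera", credential_rotated=False, last_audit=date(2024, 5, 20)),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for name, issues in audit(INVENTORY, today).items():
        print(f"{name}: {', '.join(issues)}")
    for name, due in rotating_schedule(INVENTORY, date(2024, 6, 3), slots=3).items():
        print(f"audit {name} on {due}")
```

The `credential_rotated` flag is recorded by the auditor at the time the password is changed; the script never stores or compares device passwords, only the policy decision made when the credential was set.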
3. Mobile Device Security
A lost or stolen mobile device can quickly turn into a security nightmare when that device has access to private networks with sensitive information. Hackers can also access a mobile device through an app with a security vulnerability and use their access to worm their way into your system.
It’s important to establish strict rules on employees’ use of personal and work mobile devices. BYOD (Bring Your Own Device) policies are popular in many workplaces, but they can create big vulnerabilities when employees aren’t aware of the dangers. Make sure your employees are protecting their devices through security measures such as two-factor authentication, fingerprint scanners and keeping apps updated.
4. Hardware Disposal
There comes a time when IT equipment has to be replaced—so what happens to your old hard drives and other technology at the end of their lives? Too many hospitals don’t know or don’t take the right steps to prevent their old data storage devices from falling into the wrong hands.
When you get rid of old computers, server equipment or any other device that stores data, you need to find a way to ensure that the data actually gets erased. Simply reformatting or deleting it sometimes isn’t good enough. Studies have shown that much of this data can be recovered by someone with the right skills. There are many choices, ranging from taking the drive out of its instrument enclosure and physically destroying it to employing the services of a dedicated data destruction company. The important thing is to ensure that the drive doesn’t make its way back into public circulation with any chance that data is still intact on it.
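Whichever erasure method is chosen, a disposal process should verify the result before the drive leaves the building. The following is an added example, not code from the article: it models the point that a quick format only rewrites metadata by simulating a tiny drive image in memory, then runs the kind of residual-data check a verifier would run over a real block device (reading it with `open(path, "rb")` block by block). The block size, the image layout and the patient-record string are constructed for the example.

```python
"""Residual-data check for a wiped drive image (added example, not from the article).

A quick format clears the metadata block only, leaving file contents in place;
a full overwrite clears every block. residual_blocks() and find_marker() are the
verification step: they report blocks that still hold data and search the image
for a known sample string, so a disposal process can reject a drive that was
merely reformatted.
"""
BLOCK = 512                     # assumed sector size for the simulation


def make_image(n_blocks: int) -> bytearray:
    """Blank drive image of n_blocks sectors."""
    return bytearray(n_blocks * BLOCK)


def write_block(img: bytearray, index: int, data: bytes) -> None:
    """Store data at the start of sector `index` (must fit in one sector)."""
    if len(data) > BLOCK:
        raise ValueError("record larger than one block")
    start = index * BLOCK
    img[start:start + len(data)] = data


def quick_format(img: bytearray) -> None:
    """Model of a reformat: only the metadata sector (block 0) is cleared."""
    img[0:BLOCK] = bytes(BLOCK)


def full_wipe(img: bytearray, pattern: int = 0x00) -> None:
    """Overwrite every sector with a fixed byte pattern."""
    img[:] = bytes([pattern]) * len(img)


def residual_blocks(img: bytearray) -> list:
    """Indices of sectors that still contain any non-zero byte."""
    n = len(img) // BLOCK
    return [i for i in range(n) if any(img[i * BLOCK:(i + 1) * BLOCK])]


def find_marker(img: bytearray, marker: bytes) -> int:
    """Byte offset of a known sample string, or -1 if it is gone.

    Needed when the wipe used a non-zero or random pattern, where a
    'non-zero bytes remain' check alone would wrongly flag the drive.
    """
    return bytes(img).find(marker)


def verify_wiped(img: bytearray, markers=()) -> bool:
    """True only if no sector holds data and none of the markers is found."""
    if residual_blocks(img):
        return False
    return all(find_marker(img, m) == -1 for m in markers)


# Constructed sample data for the demonstration.
SAMPLE_RECORD = b"MRN 000123; Jane Doe; dx: constructed sample record"


def demo():
    """Returns (blocks left after quick format, verified after full wipe)."""
    img = make_image(64)
    write_block(img, 0, b"PARTITION TABLE")
    write_block(img, 10, SAMPLE_RECORD)
    quick_format(img)
    after_format = residual_blocks(img)          # record still on disk
    full_wipe(img)
    return after_format, verify_wiped(img, [b"MRN 000123"])


if __name__ == "__main__":
    left, ok = demo()
    print("blocks still holding data after quick format:", left)
    print("verified clean after full wipe:", ok)
```

On a real drive the same loop reads the block device directly and should sample the whole device, not just the first few megabytes, since file contents sit far from the metadata a reformat rewrites.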
5. Outdated Software
Keeping software updated and patched is essential for IT security. When software manufacturers or IT infrastructure professionals discover vulnerabilities in their systems, they issue software patches to correct the problem—but too often, these go uninstalled. That can leave your system open to attack through known vulnerabilities, especially if you’re using commercially available software.
Yes, those pop-ups telling you that you need to update your software are annoying, but they’re annoying because they’re important. You might need to use some techniques to encourage your team to be diligent about software updates, including:
- Make it as quick and easy as possible to install the update
- Use software clients that impede use of outdated versions
- Automatically push updates to employees’ accounts
6. Vendor Security
Vendors can present a problem for health IT security. Even if your organization’s internal security practices are tight, your vendors’ may not be. Any IT vendor with access to your data infrastructure, particularly to sensitive medical records and medical devices, needs to be thoroughly vetted. Some of the key elements to look for include:
- Robust data encryption
- A guaranteed response time to questions or emergencies
- No offshore outsourcing of support services
- Experience with the unique challenges of healthcare clients
- Secure physical data access and device disposal practices
Last but not least, don’t forget about non-IT vendors who may still have access to your system. Janitorial services, food and beverage services and others are often overlooked, but can still present a significant threat if not properly vetted.
Medical technology is pushing forward every day and creating exciting new worlds of care and wellness. But medical providers owe it to their patients and their employees to slow down, exercise caution and follow best practices in securing private medical information. Once you’re used to it, it’s often not that hard to follow. Simple practices like remembering to change default passwords go a long way. The most important thing is to develop a plan, stick to it consistently and maintain communication with all relevant stakeholders.