For their constant care, sleepless nights, and incredibly difficult jobs, medical professionals should always be praised and held in high regard. In 2020, many of us gained a new appreciation for the hard work it takes to care for others in the midst of a global phenomenon. Though we are all aware of the struggles they faced on the front lines of the pandemic, healthcare workers across all areas of the medical industry were also rocked over the last year by something quite stressful that was not as widely reported. The 2020 HIMSS Cybersecurity Survey showed that 70% of hospitals surveyed had experienced “a significant security incident” in the last twelve months. The survey results identify a significant security incident as any kind of major cyber threat, including phishing, ransomware, or social engineering attacks. These attacks made already overwhelmed medical workers even more stressed while they were dealing with the Coronavirus. While fighting COVID-19 was a new feat for our brave front line workers, cyber attacks such as those outlined in the HIMSS Survey are unfortunately nothing new to the medical field: 41 million patient records were breached and exposed in 2019 alone. Below, we’ll take a look at some of the common cybersecurity considerations for the medical industry, including issues, risks, and tips for cyber success.
Budget availability is generally lacking for healthcare cybersecurity. Budgets for hospitals are incredibly important, as this money goes toward the supplies, the equipment, and the pay of the essential workers needed to care for patients. Like any other entity, hospitals dedicate some of their budget to things like accounting, HR, and IT. The HIMSS Survey mentioned above also found that of the allotted IT budget at hospitals, only six percent or less is dedicated to cybersecurity. Though not every business needs to take the most expensive approach to cyber defenses, investing in these protections is important so that the hospital has a base of strong cybersecurity. While increasing budgets would be the ideal solution, this is not always feasible for all businesses. The use of a network firewall and proper employee training are strong cybersecurity defenses that are also cost-effective!
Phishing is the #1 risk and main entry point. Phishing made up 57% of the medical community’s cyber attacks in 2020. The best way to protect against these threats is by educating employees on how to identify phishing emails. A malicious email of this kind comes from a person trying to dupe the recipient into believing that they are a legitimate sender. The sender’s email address will typically be formatted similarly to that of the company they are trying to imitate, so that a busy person who glances at it would not question it. These malicious emails will typically include an urgent demand (or else) and often a link that allows the cybercriminals to gain access to the computer the email was on, as well as the network to which it is attached. These are the main entry points malicious actors use to gain access to medical computer networks.
Financial information is the main target. While personally identifiable information (personal data that is specific to each individual, such as their birthday or social security number) is one of the top targets that cybercriminals are after when deploying a cyber attack, their primary target is financial information. This is one of the considerations that any business or hospital must take into account when deciding whether or not to invest in cybersecurity. There are costs to take into account when making initial investments in cybersecurity; however, the costs of a cyber attack are far greater, not only to the hospital itself but to its patients as well. The best way to protect the financial and other important information at a hospital is by implementing strong cybersecurity.
Brookings phrased a catch-all piece of advice for medical workers quite well when they stated, “Just as handwashing is a foundational element of modern medicine, cyber hygiene must be regarded as a basic and essential component of a functioning medical system.” Though it can take an upfront investment of time, patience, and some money, hospitals and other medical entities should prioritize cybersecurity in order to avoid the stresses of a cyber attack.