The Office of the White House recently issued a Proclamation marking October as Cyber Security Awareness Month and shared this year’s theme: “Do Your Part. Be Cyber Smart.” Threats are indeed on the rise, posing a significant risk to private businesses, public infrastructure, and national security, especially as the nation has increasingly adapted to a remote environment in the continuing battle against COVID. As businesses look to “do their part” to combat cybersecurity threats, they will need to be strategic in how they allocate resources, as well as in the types of activities they undertake to protect valuable assets.
The budget spent on research and development by cyber-criminal organizations exceeds the cyber defense budgets of most countries. How can a small private company protect itself against adversaries that well funded? Cyber-criminal groups generate hundreds of millions of dollars every year through extortion and ransom payments, and with patient data on the line, organizations responsible for protecting health information certainly want to stay off the target list. Buying back access to your own backup files, or paying a ransom so that patient data or financial information is not leaked, is not an attractive option.
But simply throwing money at healthcare cybersecurity in a shotgun approach is not only wasteful, it is also dangerous, because it creates a false sense of security. Instead, there are two key elements of a smart approach to healthcare cybersecurity; focusing on these areas will improve a healthcare organization’s chance of minimizing risk and avoiding attacks that compromise business operations and patient data. These cost-effective but often overlooked strategies are 1) user education and 2) active patch management.
1. User education should not be underestimated.
Cyber-criminals know all about the firewalls and anti-virus software solutions that are out there on the market. They test their attacks against these defenses and move quickly to revise their approaches. The greatest weapon a cyber-criminal has is to attack the weak point of an organization’s defenses, and that weak point is almost always its people.
The vast majority of cyberattacks are successful because cyber-criminals were able to manipulate someone in the company to do something that opens the door for the cyber-criminal to walk right in. For example, hackers might send email attacks through phishing messages, or place phone calls pretending to be someone else asking for information, or even send text messages with requests that look like they’re coming from someone else.
Healthcare staff and providers usually come from a patient care background rather than a technical one, and are motivated by a desire to help people and solve problems. They most likely have not been trained to identify IT risks and are not skeptical enough when dangerous messages arrive, so they can fall victim to a scam crafted to appeal to their desire to be helpful. This is also why spending on firewalls or antivirus software alone, without supplementing those investments with user education, is insufficient as a defense: it is often an employee who opens a wide front door for the criminal to walk through, bypassing all the systems meant to protect the organization. Once inside, the attackers can slowly harvest credentials, compromise data, and even reach backup systems.
User education from top to bottom throughout a healthcare organization’s staff is essential. It only takes one employee’s mistake to cause dramatic damage. Because cyberattacks continuously evolve and become more sophisticated, healthcare leaders must make it a priority to educate staff continuously: how to recognize phishing emails, why to be skeptical of messages that seem even slightly strange, and why not to click links or open attachments from addresses they don’t recognize. To protect themselves, healthcare organizations must embed a certain degree of cynicism and paranoia about electronic communications into the work culture, so that staff are vigilant in identifying potential traps and alert the right organizational or vendor contact to look into them further.
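The indicators staff are taught to look for (a display name that claims one address while the real sender is another, a sender domain that imitates the organization’s own, a Reply-To that redirects replies elsewhere, urgency language, a link whose visible text names a different host than its target, and risky attachment types) can also be checked mechanically at the mail gateway. The following is an added example, not code from the article or from HST Pathways; the internal domain, the phrase lists and both sample messages are constructed for illustration.

```python
"""Flag common phishing indicators in a raw RFC 5322 e-mail message.

Added example (not the article's code). INTERNAL_DOMAINS, the phrase lists
and the two sample messages below are all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-health.org"}          # assumed internal domain
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify", "password")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".html", ".iso")


def _domain(address):
    """Lower-cased domain of an address, or '' if there is no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _imitates(domain, trusted):
    """True if `domain` resembles a trusted domain without being one."""
    if domain in trusted:
        return False
    for t in trusted:
        if t in domain:                       # example-health.org.login-portal.net
            return True
        a, b = t.split(".")[0], domain.split(".")[0]
        if len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1:
            return True                       # examp1e-health.org (one-character edit)
    return False


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    found = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name contains an address whose domain differs from the real sender.
    if "@" in name and _domain(name) != from_domain:
        found.append("display name shows a different address than the sender")

    # 2. Sender domain imitates the organization's own domain.
    if _imitates(from_domain, INTERNAL_DOMAINS):
        found.append(f"sender domain {from_domain} imitates an internal domain")

    # 3. Replies are redirected to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        found.append(f"Reply-To domain {_domain(reply_to)} differs from sender")

    # 4. Urgency language in the subject.
    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in URGENCY_PHRASES):
        found.append("urgency language in subject")

    # 5. Attachments with risky extensions, and
    # 6. links whose visible text names one host but whose href points elsewhere.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            found.append(f"risky attachment {filename}")
            continue
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
            shown = re.search(r"https?://([^/\s<]+)", text)
            real = re.search(r"https?://([^/\s]+)", href)
            if shown and real and shown.group(1).lower() != real.group(1).lower():
                found.append(f"link text shows {shown.group(1)} but points to {real.group(1)}")
    return found


# Constructed sample: a credential-reset lure with all six indicators.
SUSPICIOUS = """\
From: "it-support@example-health.org" <helpdesk@examp1e-health.org>
Reply-To: tickets@mail-recovery.net
To: nurse@example-health.org
Subject: URGENT: your password will be suspended today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://mail-recovery.net/login">https://example-health.org/reset</a> now.</p>
--b1
Content-Type: application/octet-stream; name="policy.docm"
Content-Disposition: attachment; filename="policy.docm"

ZG9jbQ==
--b1--
"""

# Constructed sample: an ordinary internal message with none of the indicators.
BENIGN = """\
From: Dr Lee <lee@example-health.org>
To: nurse@example-health.org
Subject: Schedule for Thursday
Content-Type: text/plain

See the attached schedule on the shared drive.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, phishing_indicators(sample))
```

The checks deliberately mirror what staff are told to notice, so the same list can be used both as a gateway rule set and as the content of the awareness training; the one-character lookalike check is a coarse heuristic and should be paired with a maintained list of registered lookalike domains in practice.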
2. Active patch management is essential for all systems.
On average, there are 16,000-18,000 patches per year across applications, operating systems, and hardware devices. These range from fixes for small problems in Windows or Mac systems to firmware improvements and application updates. Cyber-criminals don’t normally waste time hunting for new bugs. Instead, they track which patches have been released and reverse-engineer each one to find the vulnerability it fixes. Because not everyone installs patches promptly, this method hands them a pool of accessible targets, and the systems in that pool that are not actively managed are easy to exploit.
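Since the attacker’s clock starts the day a patch is published, the useful management metric is not “how many patches are pending” but how long each system has been exposed to a public fix. The following is an added example, not code from the article or from HST Pathways; the patch feed, the inventory, the reference date and the 30-day remediation window are constructed assumptions.

```python
"""Find systems missing a published patch and rank them by exposure window.

Added example (not the article's code). The patch feed, the inventory, the
reference date and the 30-day SLA are constructed assumptions for illustration.
"""
from datetime import date

SLA_DAYS = 30                       # assumed remediation window after publication
TODAY = date(2021, 10, 20)          # constructed reference date

# Constructed patch feed: patch id, product, first fixed version, publication date.
PATCHES = [
    ("P-2021-014", "pacs-viewer", "3.4.2", date(2021, 8, 3)),
    ("P-2021-021", "vpn-gateway", "9.1.7", date(2021, 9, 14)),
    ("P-2021-027", "emr-client", "12.0.5", date(2021, 10, 1)),
]

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "ws-frontdesk-01": {"emr-client": "12.0.5", "pacs-viewer": "3.4.10"},
    "ws-radiology-02": {"emr-client": "12.0.3", "pacs-viewer": "3.4.1"},
    "vpn-edge": {"vpn-gateway": "9.1.6"},
}


def version_key(version):
    """Turn '3.4.10' into (3, 4, 10) so that 3.4.10 > 3.4.2 compares correctly.

    A plain string comparison would wrongly rank '3.4.10' below '3.4.2' and
    report a fully patched host as vulnerable.
    """
    return tuple(int(p) for p in version.split("."))


def missing_patches(inventory, patches, today):
    """Return (host, product, patch_id, days_exposed, overdue) rows, most exposed first.

    days_exposed counts from the patch's publication date: that is when the
    fix becomes public and can be diffed, so that is when the clock starts.
    """
    rows = []
    for host, installed in inventory.items():
        for patch_id, product, fixed_version, published in patches:
            current = installed.get(product)
            if current is None or version_key(current) >= version_key(fixed_version):
                continue
            days = (today - published).days
            rows.append((host, product, patch_id, days, days > SLA_DAYS))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


if __name__ == "__main__":
    for host, product, patch_id, days, overdue in missing_patches(INVENTORY, PATCHES, TODAY):
        flag = "OVERDUE" if overdue else "within SLA"
        print(f"{host:16} {product:12} {patch_id}  exposed {days:3d} days  {flag}")
```

With the constructed data this lists the radiology workstation’s PACS viewer (78 days exposed) and the VPN gateway (36 days) as overdue, and the EMR client (19 days) as still within the window; the front-desk workstation is correctly reported clean because its viewer version 3.4.10 is newer than the fixed 3.4.2.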
Most people in IT security know it’s not a question of if an organization holding valuable, protected data will get hacked, but when. Cyber-criminals run a multi-billion dollar industry, with more time and money invested in targeted attacks than the healthcare industry could ever have imagined. For healthcare in particular, antiquated IT systems leave patient data especially vulnerable, and for smaller healthcare settings a cyberattack can mean financial ruin, a loss of trust among patients, and a public relations nightmare. By focusing investment on ongoing, timely user education and active patch management, health systems of all sizes can raise their defenses enough to become an unappetizing target.
Malicious hackers turn human nature to their own benefit. Investing in proactive training helps healthcare employees become observant of the indicators that signal suspicious activity and quick to act against a potential threat. Finally, health leaders should work with their internal IT team or a trusted vendor to ensure that all IT systems are updated on a regular basis, with the latest patches in place to keep information safe. By taking steps now to ensure that both the IT and the human infrastructure are at their peak, healthcare organizations can reap long-term benefits, including the security of patient data and of the organization’s bottom line.
Richard Lang is Director of Data Center Services at HST Pathways, a leading provider of cloud-based end-to-end solutions for ambulatory surgery centers. Richard has over 20 years of IT experience specializing in Microsoft Technologies and IT security.