Protecting a vulnerable industry against cyber attacks: How healthcare organizations should detect & prevent

Written by Megan Wood | December 12, 2016

Cyber attacks are heating up in all industries, but the healthcare space offers an especially appealing target. Almost 90 percent of healthcare organizations experienced a cyber breach in the past two years, according to the Ponemon Institute.

"Healthcare information, including patient records and payment information, is more valuable than even credit card data," explains Dave Gormley, product specialist, cyber security at BAE Systems, a global security and defense company.

 

Not only is the industry's information valuable, but it's easy to hack. Healthcare has long been behind the times in terms of technology, encompassing a complex network of older systems and vastly different devices. As the industry continues to shift online to EMRs, more sensitive information is at stake.

 

Although hackers mainly target medical records, more hospitals are becoming victims of ransomware. This type of attack involves encryption of an organization's data, forcing the organization to pay the attacker to access its own information. While an attack on EMRs impacts the whole chain of healthcare providers, from hospitals to physicians to patients to payers, ransomware tends to hit the providers more, as it directly impacts their daily operations.

 

To proactively defend against cyber attacks, successful healthcare organizations need a security strategy that incorporates a proper mix of prevention, detection and response capabilities.

 

"You need to prevent what you can, but be able to quickly detect and respond to threats that do get into your network," explains Mr. Gormley.

 

End-user awareness is also important: training employees to avoid phishing emails, for example. An organization also stands to benefit from connecting with its medical device vendors, as devices and software are likely vulnerable to attack as well. Organizations may find it helpful to bring in outside help to supply the skill and time that cyber attack prevention and detection demand.

 

"Healthcare to date has underinvested in security. In the last four years, the number of threats has gone up and healthcare needs to catch up," says Mr. Gormley. "Unfortunately, it's a combination of lack of awareness on the end user, lack of diligence of the vendor side and it's a lack of investment." The healthcare industry has focused its efforts and resources on fulfilling compliance measures, which reflects a more reactive role.

 

But an organization can't prevent every type of cyber attack, so organizations should investigate rapidly when a breach occurs.

 

"The longer you allow a cyber criminal to dwell within your environment, the more damage they can do," warns Mr. Gormley. An immediate response to the attack is crucial, but complete remediation is just as critical to ensure the virus has not spread to other systems.   

 

Mr. Gormley doesn't predict cyber attacks will explosively grow within the next few years, but he doesn't see the threats slowing down, either.

 

"It will continue to grow until healthcare comes up to speed. It will stay at a high rate and cause alarm," says Mr. Gormley. "The expectation is that people in the healthcare industry will be forced to accelerate their activity in this space."

 
