By David Wagner, Zix Corporation
The healthcare field is currently in a precarious position. New technologies promise to improve care and increase the success of outcomes with far greater consistency. But those same technologies create vulnerabilities and invite cyberthreats that put every one of those agendas in jeopardy. U.S. Health and Human Services’ Office for Civil Rights believes the final number of cyberattacks in 2017 will far outpace 2016’s figure.
The growing size and scope of this threat is confirmed by McAfee Labs research. In second-quarter 2017, 26 percent of all observed cyberthreats were directed at healthcare organizations, making it the industry with the single highest volume of attacks.
With unprecedented uncertainty in the future of healthcare and the competing needs of cost versus efficacy, hospitals, clinics, and other stakeholders are faced with the daunting task of thwarting this record number of attacks as they embrace the transformative potential of technology.
Why Hackers Target Healthcare
Healthcare is an appealing target for several reasons.
First and foremost, the industry harbors a massive amount of electronic data — from protected health information to financial information — nearly all of which is sensitive and governed by regulations. Moreover, given the nature of this data, hackers understand and exploit the fact that healthcare providers have little means to negotiate without putting patient care at risk. Perhaps most consequential, however, is the healthcare industry’s reliance on technology. Hospitals and healthcare organizations are filled with overlapping systems, connected devices, digital touchpoints, and data in transit, all of which are easy and appealing attack vectors.
The scale of this IT infrastructure is such a big problem because it creates so much opportunity for hackers. For instance, a recent ransomware campaign infected users with the Locky malware and then used that exploit to bypass other security protocols and deliver a second round of malware known as FakeGlobe.
The frustrating reality is that hackers are almost always one, two, or three steps ahead of their victims.
Building More Certainty Into Cybersecurity
Any industrywide cybersecurity strategy must be effective and comprehensive — i.e., affordable, powerful, convenient, and forward-focused. That’s a tall order, but these three strategies can help the healthcare industry achieve the right balance and implement the best measures possible.
- Implement multiple layers of security. An approach that’s focused on only a single threat or known vulnerability is shortsighted. Instead, by using many layers of security, organizations can protect themselves against a range of threats. A multilayered strategy includes good governance — such as systematically patching systems to account for both known and unknown vulnerabilities and frequently backing up systems — and getting rid of legacy systems that introduce greater vulnerabilities. Even if a threat does breach these protections, this approach also helps mitigate any damage.
- Provide rigorous employee training. Users — most of the time inadvertently — account for 71 percent of all industry breaches. Thus, properly trained employees are a potent source of protection. Focus on training all staff levels on the policies and practices being followed, any red flags to be aware of, and how to report suspicious activity. As the threat landscape evolves, be prepared to re-evaluate and reinvest in this initiative on a consistent basis.
- Focus on the weakest points. The email inbox is full of valuable and vulnerable data. Organizations need to ensure that messages are scanned to detect and defend against inbound threats and that automatic encryption is used to protect outbound communication. Consider hosted solutions that are both updated to protect against the latest threats and easy to use so that communication doesn’t become a barrier between providers and staff, business associates, and, most importantly, patients.
The increasing sophistication of cyberattacks, competing goals focused on quality care, and limited budgets can easily make the challenge of data security daunting. However, a sound strategy that implements these best practices can overcome many vulnerabilities, protect sensitive data and systems, and help shrink the target on healthcare.
About The Author
David Wagner has more than 25 years of experience in the IT security industry. He serves as the president and chief executive officer of Zix and previously held leadership roles at Entrust for 20 years. With his IT security and leadership background, David offers a business perspective that enables company leaders to better understand evolving cyberattacks and prepare for future threats.