How To Protect the Healthcare Industry From Cyberattacks

Cybercriminals characteristically prefer planning and orchestrating attacks that will cause the most disruption to the targets and associated parties. That’s why it‘s no surprise that the healthcare industry is consistently among the sectors most at risk for problems.

Here are some actionable strategies to improve healthcare cybersecurity. Even people who don’t work directly in the sector will find these tips useful, especially since better cyberdefense strengthens the medical system for everyone who may need to call on it, now or in the future.

Look at Data to Determine Cybersecurity Shortcomings

Data enthusiasts know that examining trends within information can be an excellent way to uncover insights that people may otherwise miss. That reality also applies to people who want to prevent cyberattacks in the medical sector.

For example, historical data might show that most of an organization‘s cybersecurity blunders over the past five years happened due to mistakes made by external service providers. If so, that suggests a need to vet vendors more thoroughly before working with them.

Alternatively, the data might reveal that it took an average of seven days for cybersecurity teams to uncover all issues spotted over the past two years. In that case, a valid strategy may be to explore technologies that can aid in quicker detection, such as artificial intelligence (AI).

Data analysis is also valuable to assess potential process improvements. Statistics might show that three-quarters of the computers in a given hospital wing need security updates. That finding could highlight the benefits of a change whereby all machines get automatic updates enabled, removing the need to manually download and install the new software.

It’s useful to examine the data after collecting staff feedback, too. For example, an IT team leader might ask facility employees to rank their five biggest cybersecurity challenges or concerns. Those responses could bring some surprises and pinpoint what aspects of cybersecurity make healthcare workers feel most overwhelmed, confused, or ill-equipped.

Strategically Allocate Investments in Cyber Defenses

A November 2020 study found that 73% of cybersecurity specialists at medical organizations lacked the infrastructure to adequately respond to a cyberattack. Moreover, 96% of those polled agreed that criminals were working faster than efforts to strengthen an organization’s defenses.

Although organizations are spending more on healthcare cybersecurity, these findings strongly suggest the need for decision-makers to think carefully about where their cybersecurity budgets go. A persistent cybersecurity talent shortage means hiring for unfilled positions may take longer than expected.

However, of the C-suite members who responded to the survey, 69% indicated they increased their cybersecurity consulting budgets for 2021. Doing that can fill existing gaps by getting quicker assessments by experts while candidate searches continue for permanent positions.

After investing in a new cybersecurity solution, the responsible parties working at healthcare organizations should track metrics to determine whether the technologies or procedures implemented most recently get the expected return on investment. If they don’t, that doesn’t necessarily mean they’ll never give beneficial payoffs. However, it may be necessary to tweak the new approaches to make them more effective.

Provide Staff With Relevant Training

Staff education is also a crucial part of making healthcare cybersecurity improvements. Employees don’t instinctively know how to respond to cybercriminals’ tactics, especially since hackers often try to mislead their targets.

A 2019 Kaspersky survey got insights from more than 1,750 people working in the healthcare sector. The results showed that 32% of respondents had never received cybersecurity training, but they should have. The same percentage of the pool reported that they’d read through their organization’s cybersecurity policy, although they’d only done it once.

It’s not enough to provide workers with one session of cybersecurity education or merely mention that an organization has a cybersecurity policy. Employees need knowledge they can apply to real-world situations relating to cybersecurity. Regular training gives them the skills they need to respond properly even if that only means reporting a suspicious email to a cybersecurity team leader.

Giving employees ongoing training will also make them better prepared to spot cybercriminals’ newest tactics. For example, phishing emails have become progressively more realistic and personalized, making it more likely for victims to fall for them.

healthcare professionals are used to receiving regular training to learn about industry updates. For example, federal health authorities recently announced changes to the physician fee schedule (PFS) related to Medicare billing. Although the updates cannot cause more than a $20 million increase or decrease in expenditures, the healthcare community believed these changes would increase payments for providers and office-based services. Ongoing education gives people the most current details they need to do their jobs well.

Encourage Good Password Hygiene

Enhancing healthcare cybersecurity does not solely require the most high-tech, expensive investments. Organizations can make progress by reminding all workers of safe measures to take when using portals that require passwords. Between their email services, organization-specific apps, and tools they use to perform specific duties, people may have dozens of passwords they use during a typical workday.

Some individuals may engage in poor password practices, such as using the same ones across multiple sites or choosing passwords that are both easy for them to remember and for others to guess. However, all of these things can give hackers more access. If a malicious party obtains a single password, it may ultimately be the key for getting into multiple sites rather than only one.

Cybersecurity professionals say the relatively simple step of using multifactor authentication can go a long way in curbing potential cybersecurity issues in medical settings and elsewhere. That’s because people need more than a password to get into an account. The second piece of required information is often a code sent by text message or email. That approach lessens the chances of cybercriminals breaking through all the defenses that prevent unauthorized account access.

It’s also crucial that healthcare professionals don’t share their passwords with colleagues. Doing that often happens innocently, such as if a coworker needs quick access to a portal and the help desk is not yet staffed to help that person reset their password or resolve issues.

Since the healthcare sector is so fast-paced, it may seem like the best action in the moment is to share a password and help another employee proceed with that work. However, such behaviors erode the protection that smart password habits provide.

Take an All-Encompassing Approach to healthcare Cybersecurity

Besides putting these tips into practice, people must remember that it’s everyone’s responsibility to prevent cyberattacks. Although the risks may go up for people who regularly work with patient records or other data, most people at healthcare facilities likely use email and computers, which both open opportunities for cybersecurity incidents.

Making improvements in cybersecurity requires understanding how every employee, process, and connected piece of equipment could become involved in or contribute to a cyberattack. Knowing about the risk factors and taking comprehensive action to reduce them will help safeguard the medical sector against adverse IT incidents.