MedCity Influencers

Data Breaches Continue to Wreak Havoc on Healthcare – Here’s How to Make Security a Top Priority

Security threats are not going away any time soon. In fact, they are on the rise and likely will be for years to come. Here are three ways to solve the most pressing problems.

The healthcare industry suffered about 337 breaches in the first half of 2022 alone, and IBM reports that the average cost of a healthcare data breach is now $10.1 million per incident. What’s more, healthcare is one of the most attractive industries for cybercriminals for numerous reasons. The industry is plagued with legacy systems and outdated technology, and IT teams don’t have enough security resources and budget to make sweeping changes for better security. Sophisticated cyber-attacks can cripple patient care and lead to disasters.

The threats to security are only worsening, especially when it comes to ransomware attacks. Check Point’s Cyber Attack Trends: 2022 Mid-Year Report found that the healthcare sector was the most targeted industry in terms of ransomware in the third quarter of 2022, with one in 42 organizations impacted by ransomware, a 5% increase year over year. It’s critical for healthcare organizations to make security a top priority. Let’s dive a bit deeper into this issue and consider some practical steps that health systems can implement to improve their security posture.

Three ways to solve the most pressing problems

1. Update and replace legacy software

Healthcare has traditionally lagged behind other industries when it comes to updating technology. However, healthcare is one of the most important industries to transform, and innovative technologies are needed to provide the highest quality care. Furthermore, healthcare documents are among the most sensitive, and a data breach can put this sensitive patient information at risk.

Health system executives may also be concerned about the cost of investing in new technology. Health leaders have always faced pressures of limited resources and may feel that they cannot risk making an investment without a guaranteed reward. Last year has been especially challenging, and recent National Hospital and Physician Flash reports from Kaufman Hall show that health systems were likely going to finish out the year in the red. However, the return on investment in advanced technology is clearly visible. Investing in the technology needed to reduce the potential of a cybersecurity incident will actually prevent huge expenses that can be the result of a breach (as noted in the IBM report above).

Leadership teams must carve out a budget to develop a defense-in-depth security program and make sweeping changes to defend against attacks, such as deprecating legacy and insecure systems. This can be done by moving to more secure operating systems, such as macOS or Linux; deploying always-on, always-up-to-date anti-malware tools, anti-ransomware tools, firewalls and intrusion prevention systems; and encrypting all sensitive data and securing it in the cloud.

2. Offer employee education and build a “human firewall”

Another way for healthcare organizations to prioritize security is to educate employees on avoiding security threats such as phishing attacks. While an organization may have advanced technology in place to defend against malicious actors, your employees may need to learn what signs to look for when it comes to social engineering attacks. Attackers are using increasingly sophisticated methods to trick employees with legitimate-looking emails and text messages, encouraging employees to give away confidential and privileged information. To help defend your employees and organizational data, an educational initiative should be implemented alongside your broader, in-depth security program.

It’s important to regularly train employees on how to not fall victim to such sophisticated attacks. Mandatory annual security trainings, which historically have lacked engagement, are not enough. Train all your employees to identify suspicious emails and other common attacks and teach them to flag any concerns to IT. Take this a step further by conducting regular phishing simulations to see how employees react, and offer personalized training programs to those who fall victim to such attacks. Personalized employee training programs go a long way in mitigating risk from social engineering attacks and help build a strong “human firewall” within the organization.

IT teams can stay ahead of the game by monitoring discussions and intelligence from the dark web and proactively mitigating emerging attacks with aggressive technical and administrative controls that are adjusted as the threat picture changes. Additionally, IT and security leaders must create a healthcare community that embraces new technology within their organizations to succeed. Without your employees on board, success will be limited.

3. Review & update your risk management policies and procedures

Cyberattacks have led headlines over the past few years as increased hacking incidents impacted all industries, from major companies to government organizations, and even the gasoline industry. Cybercriminals took advantage of hospitals and health systems while they focused on responding to the Covid-19 pandemic. Providers were forced to cancel appointments, surgeries and additional services while their systems were down.

It’s crucial that security leaders build resiliency within the organization and ensure that all teams are prepared for incident response. Conduct regular tabletop exercises for incident management, backup and recovery, business continuity and disaster recovery. When it comes to incidents, planning and preparedness are everything. As the old saying goes, security is a state of mind, not an end state.

In addition, it’s critical to stay on top of regulatory and compliance requirements and proactively implement technical and administrative safeguards to meet the ever-changing policies. Just as recently as early November, Virginia Democrat Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence, released a white paper detailing a series of potential regulatory requirements for health systems aimed at improving cybersecurity across the industry. Leadership teams need to familiarize themselves with these types of pending regulations to ensure they are prepared when it becomes time to enact them. Some may even choose to implement them – whole or in part – ahead of time to ensure future compliance and a safer organization today.

Security threats are not going away any time soon. In fact, they are on the rise and likely will be for years to come. Healthcare organizations must take the necessary steps to prepare for attacks in order to keep the safety of their teams, and their patients, intact.


Chandra Kalle has over a decade of experience in engineering and product management. He skillfully led the engineering team at LeanTaaS from its inception as a healthcare-focused analytics company through the creation of three disruptive products deployed at over 150 health systems across the country and put in place the necessary level of security and compliance protocols to serve health systems. Before LeanTaaS, Chandra was the VP of Product at Collegefeed, an Accel backed company that was acquired by AfterCollege. Prior to that, Chandra was a lead engineer on the firewall and intrusion prevention technology at Symantec for a decade, where he developed malware detection technology that protects more than 200 million users worldwide. Chandra also designed and architected several mobile apps, some of which have millions of users. He studied computer science at North Dakota State University and holds several patents in computer security and mobile design.

This post appears through the MedCity Influencers program.