Industry Voices—The latest tips to secure your organization against ransomware


Data security is now one of the top aspects of healthcare technology. It can make or break patient satisfaction and institutional reputation. Healthcare providers have a professional obligation not only to care for their patients’ health but also to protect their patients’ data.

Cybercrime is on the rise against the sector because healthcare providers are often seen as easy targets with valuable information and insufficient security to protect it.

While several endpoint security tools can reduce data risk through detection and response methods, the most effective measures should be taken on the front line where staff members handle devices and sensitive information. Implementing a few simple best practices can significantly reduce risk.


Valuable and vulnerable data in an increasingly risky landscape

A recent Fortinet report found that healthcare organizations experienced twice the number of attacks compared to other vertical market categories. Fortinet also noted that healthcare providers are primary targets because they are rich with data and typically lack sufficient cybersecurity, and because medical identity fraud typically takes longer to detect.


Healthcare records can fetch up to $7 per full record on the dark web versus pennies for credit cards. These records often offer a treasure trove of data, including birth dates and Social Security numbers. With this information, criminals can open new accounts and perpetrate financial fraud. In addition, sickly and terminally ill patients rarely pull their credit reports, which gives perpetrators more time to commit fraud before anyone notices.

Ransomware, in particular, is a growing threat. According to Cryptonite’s 2017 Healthcare Cyber Research Report, ransomware attacks against healthcare institutions grew by nearly 90% from 2016 to 2017. In these attacks, hackers encrypt the victim’s files and hold them for ransom. Because healthcare providers deal in life-and-death matters and can’t afford to delay access to their systems, they are among the most willing to pay the ransom. For example, last year, a ransomware attack at a 602-bed hospital took down 6,000 computers for more than six weeks. During that time, staff had to conduct patient registration manually, write prescriptions by hand and deliver lab results by messenger service. It ultimately cost the facility $10 million in losses and IT recovery costs.

As cyberattacks become more complex and sophisticated, it’s not easy to institute a foolproof, impenetrable security plan. Robust security suites, password protection, encryption and backups can help reduce the risk, but they do little good if criminals can exploit vulnerabilities on the human end of the system.

Here are a few best practices that can help strengthen your data security and protect patient information:

Establish strong security policies and educate staff

As end users are typically the weakest link, they also have the potential to make the biggest difference in cybersecurity. Providers must establish strong computing and security policies that include guidelines for internet usage and procedures for downloading and opening files, and that emphasize the physical security of devices.

Healthcare providers should also train and test staff on how to identify social engineering and phishing scams, as many are so cleverly designed they’re difficult to catch. The Media Pro 2017 State of Privacy and Security Awareness Report found that at least 24% of physicians couldn’t distinguish phishing emails from legitimate ones. Overall, nearly 80% of healthcare employees showed at least some lack of preparedness in regard to privacy and security threats.


Set automatic updates and don’t leave computers unprotected

Ensuring that all devices and browsers are set for automatic updates can go a long way toward reducing the risk. Many breaches now happen because systems don’t have the latest patches installed. An alarming number of business machines run outdated software and lack even basic virus protection. A report by BitSight found that 15% of computers in the healthcare sector were running outdated versions of the Windows or macOS operating systems. In addition, 16% were running outdated internet browsers.

Don’t leave sensitive data lying around

While it’s bad practice to leave PHI or sensitive data lying around for prying eyes, it’s a common practice in many offices. In the age when nearly everyone has a smartphone and can quickly snap images, then store and send information to anyone else, a stack of files sitting on a desk can present a big risk.

In many cases, the biggest threats may not come from the public but from unscrupulous co-workers. In one incident in a New York City ER, a clerk was recently discovered to have captured the PHI of nearly 100 patients and sold it to an outsider for fraudulent purposes.

Lock devices when not in use

An unlocked device is no different from an unlocked safe door. Without basic password protection or a screen lock, anyone can use it and gain access to sensitive files. Many employees may believe they’re in a secure environment, and many have sloppy security practices in their own lives. A report by Pew Research Center found that 28% of smartphone owners have no lock on their phone. Nearly 40% of adults say they use the same or very similar passwords across sites, and 41% of adults have shared their passwords with someone.


Healthcare providers can increase their security and reduce the risk of prying eyes, whether from their own staff or from outsiders, by ensuring that all phones, laptops, desktops, tablets and screen-based IoT devices are locked when not in use. Desktops, smartphones and non-tethered devices should also be placed in locked drawers or lockers after hours.

Keep data in a secure environment

Providers should also take care to select software vendors that follow rigorous security procedures. This includes secure code development, ongoing reviews of application security, and continuous monitoring of risk to applications as new threats emerge. Your solution providers should also secure data both at rest and in transit, in accordance with HIPAA requirements. Top providers also offer secure hosting with firewalls, intrusion detection systems, proactive vulnerability scanning and endpoint security.

While there’s always a chance of attack, effective security solutions combined with best practices on the front lines can go a long way.
