Security experts predict increased cyberattacks on healthcare organizations in 2015, and they foresee phishing and ransomware posing particular challenges.
Phishing emails try to lure recipients into giving out information such as usernames, passwords or credit card numbers. They also can give attackers ways to infiltrate the enterprise network, according to a recent iHealthBeat article.
"Phishing emails often provide the entry point," Scott Koller, a lawyer at BakerHostetler, says in the article.
Ransomware allows cybercriminals to hold data hostage while they demand payment to unlock it. If the attackers demand to be paid in Bitcoin, a digital currency, they can be difficult for law enforcement officials to track down.
Cybercriminals are growing more sophisticated in their ransomware attacks, according to an article at NPR. Increasingly, they use the anonymous online network Tor to conceal all communication between the attacker and victim, preventing even top executives from identifying and blaming a particular employee.
In the face of increasing threats, healthcare organizations are boosting their security efforts, according to the iHealthBeat article. Among their top priorities are:
- Encryption and mobile device security
- Two-factor authentication
- Security risk analysis
- Advanced email gateway software
- Incident response management
"Encryption very much needs to be on everybody's radar," Koller says. In September, Forrester Research reported that only about half of healthcare organizations secure data using full-disk encryption or file-level encryption.
Just last week, Experian's 2015 Data Breach Industry Forecast called healthcare "a vulnerable and attractive target for cybercriminals." While predicting more data breaches, it noted that many doctors' offices, clinics and hospitals may not have adequate resources to safeguard patients' personal health information.
The lesson from the Community Health Systems breach, which exposed 4.5 million patients' data in 29 states, is to use a risk-assessment system that anticipates areas of weakness and potential human error that can lead to a breach, Austin attorney Paula Knippa wrote at InformationWeek.