If data has value, then electronic health records are a treasure trove. Today’s emboldened and ever-more-sophisticated cyber criminals know this. With many healthcare organizations again stretched thin to address raising COVID-19 case counts, there’s little doubt that we will see a steady drumbeat of new ransomware attacks, building on the record number so far this year.
Ransomware and phishing – most common attack vector for delivering it – are not new. The social engineering behind phishing attacks is both predictable and effective. Even today, when the dangers of phishing attacks are widely known and many organizations have phishing simulation and training programs in place, they remain incredibly dangerous simply because they work so well. That’s especially true in fast-paced, high-stress environments like healthcare. What then, can healthcare organizations do to mitigate risk and decrease their potential of being a victim of phishing attacks and the ransomware that so often accompanies it?
While risks will always remain and one can make a compelling argument that it’s not a question of whether an enterprise will suffer a data breach, but when, healthcare organizations can radically strengthen their security by keeping several of the following basic points in mind:
- Keeping a low profile is no longer an option. Cyber criminals have quickly come to realize that large hospital systems are not the only viable targets in healthcare. Any organization managing electronic health records (EHR) faces risk. Notably this includes clinics and health practices that in the past may have escaped attention due to their size. Every organization needs to take steps not only to prevent ransomware, but to ensure that they can quickly resume operations if an attack occurs.
- Make sure every employee understands what’s at stake. Just about all healthcare settings are connected today thanks to advancements in IoT. From medical devices to EHR, and increasingly, most employees – regardless of their role – have access to computers. Hospitals should give training to any individual who can access a connected device training on how to recognize and avoid phishing attacks. Employees should understand the full ramifications of a ransomware attack and malware. Health Insurance Portability and Accountability Act (HIPAA) investigations will follow and in healthcare settings, organizations be driven out of business or forced to cease operations, but physical harm can come to patients and there’s great potential for loss of life.
- Treat phishing simulation programs as more than an IT or even a security issue. The ramifications of a data breach extend far beyond the confines of the IT department or the office of the chief security officer. Given the obvious impact of ceasing operations and not being able to provide care, healthcare organizations should approach security with a united front. Champion IT security planning and training by a collaborative team that includes IT and representatives from administration and operations, clinical staff, legal, human resources, and facilities – including physical security.
- Customize phishing simulation programs. Not only should hospitals, clinics, and practices continually train and benchmark employee responses to simulated phishing attacks, but also make these tests realistic. Simulated attacks should mimic the kinds of messages that staff members might consider normal without close inspection – insurance claims and requests for records – but also appear to come from individuals in the organization and even local establishments. Think like a hacker who might mimic the CEO or a restaurant that staff members order from during busy shifts. If the organization uses =a third party to conduct phishing simulations, make sure they offer this level of customization.
- Consider preventing ransomware and phishing attacks as just one facet of a comprehensive security stance. HIPAA mandates many requirements for encryption and access to data and the networks on which it resides. Don’t stop there. Consider a zero-trust approach to network access and invest in tools and systems or find a HITRUST certified third-party hosting provider that can make the organization a tougher target. The idea that organizations can’t fight what they can’t see is valid. Invest in network monitoring technology that not only detects suspicious activity, but automatically alerts decision makers. In addition, deploy endpoint detection and response (EDR) and security information and event management (SIEM) solutions that alert IT of issues and quickly quarantine infected workstations, servers or other IT assets. And remember, there are third-party providers that can do some or all of these things to help ensure you are creating a secure IT environment.
- Make sure the organization has the systems in place needed to quickly resume operations. Even the smallest clinic or practice should have proven disaster recovery and backup systems in operation. Health care organizations should also embrace a HIPAA-compliant cloud offering. Today’s cloud solutions not only make it possible to take “snapshots” of the entire dataset with unprecedented frequency – but can help healthcare organizations quickly address the dramatic increases in data volume created by advancements in radiology and other innovations.
By keeping these points in mind, IT leaders can work to mitigate the risks associated with phishing attacks and the ransomware that so frequently victimize healthcare institutions. Most importantly, they help ensure that our hospitals, clinics and medical practices continue to focus on what’s most important: patient care.
Mona Abutaleb, chief executive officer, Med Tech Solutions
