As covered entities and business associates become more connected, such as through the use of IoT devices and BYOD strategies, they must ensure that potential healthcare cybersecurity risks remain a top consideration.
Failing to account for one endpoint device or having one employee click on a phishing scam email could lead to a large-scale data breach that causes headaches for both providers and patients.
In terms of healthcare cybersecurity measures, employee education and comprehensive data security plans are increasingly being touted as key approaches for organizations to take.
HIMSS, CHIME and AEHIS jointly organized a recent cybersecurity forum where Boston Children’s Hospital Senior Vice President and CIO Daniel Nigrin, M.D., discussed the cybersecurity attack that happened at the hospital in 2014.
In that incident, Anonymous hackers posted certain BCH external website details that were not extremely sensitive, such as its IP address and web server infrastructure information.
While the hospital’s patient data was never accessed, Boston Children’s had to shut down some of its Web pages, and some patients and medical personnel were unable to access online accounts.
At the forum, Nigrin noted the importance of healthcare organizations implementing the necessary countermeasures, knowing which systems depend on internet access, and having contingency plans in place.
Furthermore, he said that entities must recognize how important email is to the organization, and that alternate methods of communication should potentially be created.
Finally, security measures must be pushed through. There are no excuses, Nigrin stressed. For example, secure teleconferences could be beneficial and organizations should make sure they know which threats are real.
Intermountain Healthcare CISO and Assistant Vice President of Information Systems Karl West also spoke at the forum, explaining that the demand for data access whenever and wherever has “increased productivity, but, at the same time, has elevated risk.”
Employees, contractors, and customers all pose the largest cybersecurity threat, he added, but education will be the best defense.
In a 2016 interview with HealthITSecurity.com, Robert Anderson, former executive assistant director of the FBI, also stressed the importance of employee education and proactive planning. Cybersecurity measures must improve, he stated, especially when it comes to ransomware preparation.
Healthcare employees at all levels must be thoroughly educated on ransomware and how they need to react should an incident happen, Anderson explained. A proactive plan for what should happen after a ransomware attack must also be in place.
“The heads of the hospitals and the boards need to be educated on the different types of threats that face them in today’s IT and cyber environment,” Anderson stated. “Most hospitals concentrate on being a hospital and taking care of people. But I think that in today’s world, if you’re running one of those institutions, you need to be very educated into exactly what the threats could be and have a proactive plan of what’s going to happen if you do get attacked.”
Insurance companies are also taking note of the increase in cybersecurity risks across numerous industries.
Cybersecurity is one of the top board-level priorities among insurers, according to a recent Moody's Investors Service report. Specifically, companies have greatly expanded their cybersecurity governance, oversight, and investments. There is also more frequent and formalized cybersecurity reporting to executive management and their boards.
“Among survey respondents, essentially all maintain incident response plans for multiple cyber intrusion scenarios, and most insurers test their vulnerability to these annually,” Moody's Senior Vice President Alan Murray said in a statement. “Cyber attacks can have serious tangible consequences for insurers, exposing them to legal actions, regulatory scrutiny, fines and other expenses. In addition, an insurer's reputation is at stake.”
The survey also found that cybersecurity employment has increased nearly 30 percent over the past three years. Insurers have also widely upped their use of outsourcing for cost-effective, current tools and expertise in securing systems and data.