In just a few short years, cybersecurity has become one of the primary concerns for healthcare executives, and for good reason. For the seventh year in a row, healthcare distinguished itself as the most expensive industry for data breaches. According to new research from NTT Security’s 2017 Global Threat Intelligence Report, these breaches cost healthcare organizations $380 per record. That’s more than 2.5 times the global average overall cost of $141 per record.

But as some healthcare organizations have learned, the cost of a significant cyber incident can also include a significant disruption in your day-to-day operations and massive harm to your hospital’s brand.

So what kinds of attacks should healthcare organizations put on their radars? And more importantly, what can you do to protect your hospital? Those are the questions we want to answer in this post.

The Top 5 Healthcare Cybersecurity Risks

Here are the top five cybersecurity risks for healthcare organizations:

  1. Malware

Malware is tricky because it can infiltrate your IT system through multiple pathways. It can come through software vulnerabilities or be downloaded through a phishing attack.

Because of this, it’s incredibly important for hospital IT staff to be vigilant and monitor all the pathways through which malware can enter your system. Anti-virus software is not 100% effective in stopping these types of attacks, but it is a critical first line of defense. Make sure that anti-virus applications are universally deployed and kept up-to-date with the latest signatures.

  2. Ransomware

This year’s WannaCry attack was the first major ransomware attack on healthcare organizations to receive national attention. One reason ransomware is such a popular tactic against healthcare organizations is that hospitals rely on up-to-date information on their patients and will often pay up right away when they find themselves in a ransomware situation.

The best way to protect your hospital against a ransomware attack is to make sure you have strong network security and segmentation in place so that hackers can’t gain access to the records they are looking to lock up. If your facility is hit, having a great backup strategy in place, so that systems can be restored after the initial incident is dealt with, will be key to a happy (or at least happier) ending.

  3. Phishing Attacks

Phishing attacks are becoming more commonplace as electronic health records (EHRs) become the primary way physicians share health information. Employee education is critical when it comes to protecting against phishing attacks. Doctors, nurses, and administrative staff need to know how to identify a possible phishing attack and closely evaluate any requests that come in for file sharing.

  4. Cloud Threats

Cloud-based services have also become commonplace for many healthcare organizations. As a result, HIPAA laws and regulations have been established to ensure the proper measures are being taken to protect patient data. But HIPAA compliance doesn’t necessarily guarantee safety. To protect their cloud-based services, healthcare IT professionals need to understand exactly what information is being stored in the cloud so that they can put processes in place to protect that information. Good, up-to-date inventories of your business associates should include those providing software as a service (SaaS) products to your users.

  5. Encryption Blind Spots

Many healthcare organizations use encryption as a way to protect data, but hackers have found a way to use it against us by hiding protected data in encrypted traffic leaving your network. According to Gartner, it’s predicted that half of the network attacks that will occur this year will happen through encrypted traffic. To protect against this, hospitals should have a layer of security that monitors encrypted traffic to ensure there are no blind spots within the network in which hackers can sit and wait to attack. Understanding traffic patterns and monitoring NetFlow data is key to identifying and shutting down these types of attacks. The trick is, someone’s got to be vigilantly watching those systems to take action when necessary.

The Simplest Way to Protect Your Hospital

One of the biggest reasons that cybersecurity can be challenging for healthcare organizations is that there is so much to manage. Between HIPAA compliance, software patches, and employee training, it can seem like an endless cycle of cybersecurity-related tasks.

Unfortunately, many healthcare IT professionals try to manage all of these responsibilities on their own. According to a survey from Netwrix, 95% of healthcare organizations do not use any software for security governance or risk management.

BALLAST was created to solve this problem and provide healthcare IT professionals with real-time reports and action steps they need to ensure their information is protected. The software is specifically designed to help healthcare organizations, large and small, develop the processes and systems needed to take on the biggest cyber threats head-on. Connect with our team today to learn more about how BALLAST can help your organization.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.