The healthcare industry is at risk. Organisations are becoming increasingly susceptible to online attacks - threatening day-to-day work and compromising confidential patient data.
Long, busy days mean healthcare staff don’t have the time and resources to educate themselves about online risks. The potential disruption caused by a complete overhaul in online security is just too big for a lot of organisations to even consider.
Healthcare leaders are ready to increase spending on cybersecurity. But with new threats uncovered every day, it’s difficult to know where an organisation would be better off investing their budget. High demand for patient information and often-outdated systems are among the nine reasons healthcare is now the biggest target for online attacks.
1. Private patient information is worth a lot of money to attackers
Hospitals store an incredible amount of patient data. Confidential data that’s worth a lot of money to hackers who can sell it on easily – making the industry a growing target.
These organisations have a duty to protect their patients’ personal records. With GDPR coming into play this year, it’s becoming increasingly important for hospitals to keep their information secure.
Financial penalties - whether they be fines for not cooperating with GDPR or paying to retrieve their data from ransomware - are a real and alarming thought for a healthcare industry that’s already struggling with financing daily work demands.
IT professionals are realising that the cost of securing their data with solutions like multi-factor authentication (MFA) is far less than the pay-out from ransomware or similar attacks. MFA is a solution that requires more than one piece of information to identify a user and then generates a one-time password on each login session. This makes it a lot harder for hackers to steal passwords and other information.
2. Medical devices are an easy entry point for attackers
There aren’t many downsides to innovations in healthcare technology these days. Medical devices like
x-rays, insulin pumps and defibrillators play a critical role in modern healthcare. But for those in charge of online security and patient data protection, these new devices open-up more entry points for attacks.
Medical devices are designed for one purpose – like monitoring heart rates or dispensing drugs. They’re not made with security in mind. Although the devices themselves may not store the patient data that attackers pursue, they can be used to launch an attack on a server that does hold valuable information. In a worst-case scenario, a medical device can be completely taken over by hackers, preventing healthcare organisations from providing vital life-saving treatment to patients.
Hackers know that medical devices don’t contain any patient data themselves. But they see them as an easy target, lacking the security found on other network devices like laptops and computers. Threats against medical devices can cause problems for healthcare organisations – giving hackers access to other network devices, or letting them install costly ransomware. Keeping network devices secure wherever possible, helps to limit the damage that could be caused by an attack on medical devices.
3. Staff need to access data remotely, opening-up more opportunities for attack
Collaborative working is key in the healthcare industry, with units working together to provide the best solution for every patient. Those who need to access information aren’t always sat at their desk – often working remotely from different devices.
Connecting to a network remotely from new devices is risky, as not all devices will be secure. Additionally, healthcare staff aren’t often educated in cybersecurity best practises. It’s crucial that compromised devices don’t get access to the network, as just one hacked device can leave a whole organisation wide open.
One option for organisations that have staff working across devices is risk-based authentication (RBA). This solution makes risk analysis simpler by letting IT staff set up policies that determine the risk of a given device based on factors like the user, their location and more. Any unusual activity is then flagged to make sure that sensitive patient data is never exposed to unsafe devices.
4. Workers don’t want to disrupt convenient working practises with the introduction of new technology
Healthcare staff are some of the busiest and most in-demand in the country. They work long hours and to tight deadlines – which means they simply don’t have the time or resources to add online security processes to their workload. Medical professionals need slick working practises with minimal distractions.
Any cybersecurity measures placed on healthcare organisations need to consider the impact they may have on current working practises. IT staff should try to align security measures with existing software. There are plenty of authentication solutions available that work seamlessly with software like Office 365, meaning medical staff can perform their daily tasks without distraction.
Using Single Sign-On (SSO) solutions means authorised users can access multiple applications using just one single set of login information – keeping their working routines quick and simple, without compromising security. Frictionless solutions like SSO and RBA offer effective protection against online threats without disrupting the way people work.
5. Healthcare staff aren’t educated in online risks
Medical professionals are trained to deal with a lot – but education in online threats is not in their schedule. Budget, resources and time constraints mean it’s simply not possible for all healthcare staff to be fluent in cybersecurity best practice.
Cybersecurity solutions are complex, but their interface needs to be simple. Medical staff require a secure network that is quick and easy to access. And they need the peace of mind of knowing patient data is protected, so they can focus on their jobs. Solutions like MFA and SSO are becoming more popular as they simply use a secure one-time code – adding extra layers of security that don’t require the user to know anything more than their own login credentials.
6. The number of devices used in hospitals makes it hard to stay on top of security
Modern healthcare organisations are responsible for massive amounts of patient data, plus an extensive network of connected medical devices. Larger organisations can deal with thousands of medical devices - all connected to their network, and each one acting as a potential threat for attackers.
Healthcare staff are often too busy to stay educated on the latest threats to devices, leaving IT specialists with the task of protecting an entire hardware network against attacks. If just one device becomes compromised, it opens the whole network up to data breaches and medical device hacks.
There is a need for healthcare professionals to be able to manage their own devices to an extent - freeing up IT specialists to deal with wider IT and security issues within the network. Some MFA solutions offer a self-service portal, which allows users to reset security PINs and more by themselves, helping to lighten the workload on the support desk.
7. Healthcare information needs to be open and shareable
Confidential patient data needs to be accessible to staff, both on-site and remotely, and on multiple devices. The typically urgent nature of the medical industry means staff need to be able to share information immediately - there’s no time to pause and consider the security implications of the devices they’re using.
The worry for IT staff is that the devices used to share information are not always protected. They can’t always be there to assess the credentials of every device, especially in a time-critical environment. Users accessing data remotely will only need privileges for the tasks they’ll need to perform. So, if they’re just checking their emails, they won’t need to have full admin account privileges. Precautions like this limit the chance of admin accounts becoming compromised.
Any solution that can save time and money by automatically regulating user permissions, without putting patient data at risk, is a must-have for healthcare companies. MFA solutions prevent attacks from compromised credentials or unauthorised users to ensure only the right people can access sensitive data.
8. Smaller healthcare organisations are also at risk
All healthcare organisations are at risk from online threats. Large enterprises hold the most amount of data – representing the biggest bounty for attackers and placing them as common targets. But smaller enterprises have smaller security budgets. And less complex and up-to-date cybersecurity solutions mean smaller enterprises are often seen as an easy target, and as a backdoor-access opportunity to target larger enterprises.
Effective cybersecurity solutions have become a must for all sizes of healthcare organisation, as they’re all in charge of sensitive patient data. Healthcare leaders are becoming more aware of the need to increase spending on cybersecurity – and there are plenty of solutions out there that are scalable to different business sizes. MFA solutions provide extra layers of security to your devices, using a combination of user passwords and one-time information that work for your company, and prevent attackers from stealing login information.
9. Outdated technology means the healthcare industry is unprepared for attacks
For all the incredible advances in medical technology in recent years, not every aspect of the healthcare industry has kept pace. Limited budgets and a hesitancy to learn new systems often mean that a lot of medical technology is becoming outdated. Hospitals using systems that still release system updates should keep all software equipped with the most recent version. These usually contain bug fixes to keep systems fairly secure.
But eventually, software will become end-of-life, and vendors will stop providing updates. Where it's not possible to upgrade to different, more secure software – or where medical staff simply don't want the hassle – it's possible to minimise the risk of cyberattacks by adding extra layers of security. If one system is compromised then an MFA solution can limit the lateral movement of an attacker through the network, as they won’t be able to log-in to other protected systems.
Healthcare organisations have a responsibility to react to the latest online threats to keep their patient data secure. It’s important to allocate a budget and invest in the right solution for your enterprise. Consider how your staff like to work and keep on top of new threats as they emerge - before your systems become outdated and you struggle to protect all your devices.
Adrian Jones, CEO, Swivel Secure
Image source: Shutterstock/Wichy