This past year, rural hospitals have been under near constant attack.
Cybercriminals are targeting rural healthcare because they know many of these networks have been neglected, lack proper controls and are easily accessible—particularly to medical record worth a lot of money on the Dark Web (that part of the web where criminals are actually selling medical records for over $1200 a piece!).
Within the past few months of 2018, several dozen rural health facilities have already been hit with ransom attacks. While those breaches over a thousand patient records must be reported to HHS, many health security experts reckon that many more facilities could have been breached in Q1 of 2018. It’s likely that these 24 major breaches are just the tip of the ice berg for 2018 ransom attacks at rural health facilities in the United States.
Ransomware attacks as of late have been getting more serious and the implications post-attack can be nearly impossible to surmount.
The problem many in rural healthcare have been facing is that they are completely unprepared for a cyberattack on their network. With the struggle to convert to entirely digital records along with insufficient infrastructure, protection and know withal, rural hospitals and clinics face serious barriers to recovery in the event they are found in the cross hairs of a cybercriminals cyberattack.
Networks that are left unpatched? Remember the easiest way into a network is through vulnerabilities left unpatched. More than half of rural hospitals fail to regularly patch their networks, leading to the influx in cyberattacks that are now specifically targeting them.
Firewalls that provide false senses of security? Older firewalls will not keep bad guys out—and in some cases are easily hacked to help them penetrate and ransom your entire network. The problem with relying on older firewalls is many hospitals have a false sense of security, putting them at even greater risks of overlooking a cyberattack.
Backed up ALL of your data regularly? While pretty much every hospital administrator when asked will say their hospital’s network is backed up, only a quarter have backups that are working. When ransomware strikes, backups may be the only thing between losing everything and being able to treat patients with complicated medical histories or drug interactions.
Little to no security monitoring? Most hospital IT Departments are so overworked dealing with calls into fix immediate issues that they overlook monitoring and maintaining the network routinely. In fact, many when asked will not be able to describe what a normal day’s traffic looks like. This is particularly concerning with increased ransomware activity targeting rural healthcare because in many cases, hospital IT Departments don’t learn about a ransom attack until it’s too late and the hospital network is already completely down.
But one of the biggest issues that persist—especially when hospitals have heeded security expert’s warnings, is that their staff don’t understand functional security.
Even though most rural hospitals have taken steps to be HIPAA compliant, many are actually NOT any better off than before shelling out tens of thousands of dollars to consultants.
One of the biggest reasons is that even though they have all the checks marked off on a piece of paper that compliance was met, they fail to understand where in their organizations security vulnerabilities lie. Without adequate security awareness training on what your hospital has done to keep patient and staff records safe from cybercrime, and with little contextual training as to how to ensure people are taking necessary precautions from letting bad guys onto your network, you might as well turn off your computers right now and never turn them back on!
Because sooner or later, your hospital will be in the cross hairs of an attack and more than likely, if your ducks aren’t in a row, you won’t be able to survive it!
Now hospital employees should not be to blame when an attack happens—because they weren’t hired for their security skills. As medical professionals, they have enough on their plates—providing life-saving care to patients needing critical support—that making sure they are following a security policy is probably very low on their To Do list.
And often times, cookie cutter security policies are hard to follow anyways. They conflict with demands on their productivity to do more with less and may even be at odds with patient care.
Instead of a hard hammered approach to security with policies, your hospital team should be inspired to act securely as part of their normal jobs (take a functional approach to security). Just like hand washing has become and continues to be a security asset when it comes to preventing complications from surgery, so too does good security hygiene from protecting patient identities and keeping your hospital secure and compliant with HIPAA and MACRA—only when ingrained in your hospital’s culture.
How can you start changing your culture to utilize good cybersecurity habits?
Identity a behavior-focused strategy. If you think a poster is enough to get your team to abide by security best practices, you’re being too optimistic. Before coming up with a laundry list of things staff members (who are all busy with their own jobs already) should change in their habits, ask a few questions to identify what’s most important:
What is worth targeting? Conduct a high-level risk assessment to identify major issues facing your hospital. Evaluate how staff can impact those risks. Consider risks, such as system outages, malfunction, data theft or manipulation as serious problems and identify how behavioral tactics could address these issues that could seriously impact patient care and hospital operations if you simply left poor security hygiene in place.
Who should you worry about? Likely, not all security priorities need to be given to your entire staff. Who of your staff would have the most impact on keeping your network safe if they were to modify their behaviors a bit? How will those behaviors help them complete their job a little easier? How likely are they to actually change their behavior? By understanding who in your organization needs a change, will help you device creative ways in which security can function for those roles.
What behaviors are you looking for? Document how current behaviors may risk your hospital’s network security and device ways in which behavior modifications may be easily adopted by your team. For instance, if you have had problems with staff clicking on questionable links in email on your network, consider restricting email to work email on the secure network and personal email only on personal devices that are restricted to the guest network (FYI- this is a standard practice for hospital security that often gets overlooked). By training your team to modify small behaviors, like connecting devices to the guest network, you may have nearly completely eliminated certain security risks.
Make Sure Training Is Actually Engaging. One of the biggest issues when it comes to security training is the content is so boring, nothing sticks.
Make sure your message is touching. Help employees understand that their security hygiene actually has implications for their patients, their families and coworkers. Explain how if they aren’t careful is divulging too much information through phishing emails, how they might jeopardize others close to them.
Teachable moments are all around us. Instead of simply sitting folks down for a once a year one hour seminar on security, make sure to incorporate teachable moments throughout your organization. By publicizing near misses—maybe a phishing attack that someone on the team identified as such—are actually big wins that should be celebrated across the team.
Big enterprises—including hospitals that have successfully averted cyberattacks—tend to put up posters and reminders on cybersecurity in places where the events are likely to take place. For example, on a shared computer, you might ask if they’ve logged off of the machine, or even pop up a window when someone tries to browse on a questionable website. Making sure your teachable moments are on-going will definitely make a difference getting everyone engaged in keeping the network secure.
First and foremost, healthcare providers need to focus on continuous nonstop patient care, service and satisfaction. But what you and your hospital administrators need to identify is how can you ensure that that care is safely and securely being handled—that your network is protecting them and your security policies are allowing them to securely do their critical jobs.
Are you certain your hospital is safe from the next big ransomware attack? Is your team trained to identify scams and cyberattacks? Contact us TODAY for a free 37 point hospital security assessment.
