Cybersecurity is our shared responsibility in healthcare. I wish I could say that it could all be fixed by your security officer, a cybersecurity expert, or your Hospital IT team. But the problem most hospitals don’t realize is that the rapidly evolving threat landscape is directing the majority of its attacks on the most vulnerable parts of your network, some of these are the staff members you never would have thought could leave your hospital shut down from a ransomware attack.
Even in hospitals that have fortified their defenses—have patched machines, regular backups of all of their data, and network infrastructure to detect and block malicious traffic—large security threats remain. Note: if you aren’t sure whether your hospital is taking effective steps at securing its network, consider a FREE ransomware vulnerability assessment to determine and clean up your cyber risks.
You just need to make one little mistake to open the door enough for a cybercriminal to inject an attack.
Today I want to outline some of the misconceptions I’ve seen in hospital IT security, all of which have led to serious attacks on their networks—crippling patient care in the process:
Newer is not always better—as systems get more complex (and believe me, if you work in a hospital, your network is likely not going to be one of the easiest for many IT Support—especially in areas where it may be hard to find sufficient help. As your demand on better security methods grows—either to address HIPAA compliance or simply protect patient data, your network is probably getting layered with more complexity.
Many rural and critical access hospitals that don’t have adequate support turn to the latest security vendors to guide them with solutions to protect their networks. But the problem with relying on a vendor that might not have experience protecting rural hospitals is that they won’t know the ins and outs of your data security needs.
They probably aren’t familiar with your particular EHR vendor or make assumptions as to how your network was configured. They may not realize how critical your PACs is to keeping patients treated or may not understand key people—including medical records and billing—that critically depend on their scanners to do their jobs (and for you to get paid).
They might not even realize how to maximize your IT spending through Medicare reimbursements.
But nonetheless, many hospitals we’ve assessed have opted to brand new systems—all of which were layered on top of their old network equipment—which did little to nothing to keep them safe from cyberattacks.
Passing HIPAA audits mean we’re safe—another huge misconception amongst hospitals is that if you passed your HIPAA audit for the year, you’re safe. We’ve engaged with handfuls of hospitals that have completely passed their HIPAA audits with flying colors and STILL get ransomware infections on their networks.
The problem with HIPAA audits is they are very focused on checking boxes. If you meet certain criteria, you’ve passed your audit. You can kind of think of this as your routine driving test. If you demonstrate to the DMV that you can use your turn signals, stop at red lights, drive within the dotted lines and maintain a safe speed, you’re safe to drive. But it doesn’t mean something might not happen when driving another day (one that might not be so sunny and nice).
HIPAA audits fail to take into account your specific environment, your staff and their needs, your operations and your patients. Your HIPAA audit will only tell you whether or not you’re checking a very specific criterion—most of which might not even consider the nature of how people work in your hospital or what specific systems you use.
Our IT guy says our backups are working—most hospitals do have backups of their data. But those backups are often corrupted. The IT department assures hospital administrators that yes the backups are working, but never go a step farther to ensure that their backups are actually being tested.
Like HIPAA audits, many health IT professionals resort to simply looking at a computer-generated report that tells them that a backup occurred. But until someone actually tries to restore data from backup, no one knows whether it was successful. If your IT department is not testing backups, they might as well not be backing up your computers because it’s giving you a false sense of security.
Physically securing data is high priority—I’m not saying that keeping your data secure by locking it or preventing unauthorized access to records is bad in the slightest. But one problem I see—especially in rural hospital systems—is that too much effort and too many of scarce resources are devoted to physically security spaces on site.
The problem with overinvesting in physical security?
The real big threats are still lingering behind the scenes out of sight on your network. You can think of physical security and physical penetration tests kind of like standing in line at the TSA in an airport. While it does some good to make sure guns or other nefarious things are not brought onto planes, it is mostly there to give us all some sense of security—to prevent us from worrying.
The real problem with this is we get false senses of security that everything is ‘ok’ when actually attackers may be coming in from other angles. With hospital networks, cybercriminals are likely not exposing themselves onsite at your hospital. Rather, they are searching out—hunting for—vulnerabilities on your network or scamming users into giving up passwords or other critical information to attack your network from the inside.
Nothing could ever happen to us—another misconception in rural health is “why in the heck would anyone want to attack us”? Cybercriminals attack the low hanging fruit. And many have identified rural and critical access hospitals as that fruit. They know the data you store is critically invaluable and that many hospitals have actually forked over money for this data back.
They also know that many rural healthcare systems are not ascribing to even basic cybersecurity practices, making it easy to penetrate and overtake or shut down entire networks. These cybercriminals are not putting your patient’s faces on their attacks—they simply see your organization as a gold mine of opportunity to exploit your network for a possible big return.
Is your network secure? Are you low hanging fruit for a cyberattack? Contact us today for a FREE ransomware vulnerability assessment.
