Nearly every week, another hospital falls to a cyberattack, data breach or ransom threat. Unfortunately, the cyber landscape nowadays errs on attacks and breaches.
What’s causing all the attacks on hospitals?
Hospital data is valuable—part of the incentive for cybercriminals to attack hospitals and healthcare is that protected health information is some of the most valuable info bought and sold on the Dark Web. In fact, with medical records going for over $1200 per record (!) it makes for real big pay days if a cybercriminal is to actually successfully attack a network like yours.
Just to put things in perspective, with that big Equifax attack last year, a lot of other personal info has saturated Dark Web markets. A social security number, for instance is worth pennies on the dollar now (once trading at about a hundred bucks a piece).
Hospitals have kept bad cybersecurity habits—the big reason hospitals have been a big target for cybercrime is that staff (including IT) have kept to some bad habits that can really leave your network vulnerable to attacks.
Today I want to focus on some really bad habits that might make the difference between opening your hospital to ransomware and cyberattacks and avoiding becoming a cyber target.
4 Bad Cybersecurity Bad Habits Plaguing Hospitals:
Creating awareness isn’t good enough—while HIPAA suggests your staff be trained annually on cybersecurity, simply telling folks best practices falls far behind getting them to make habits of security.
I’m sure you can all relate to the rules of handwashing. What would happen if your staff one day just decided, ‘we’re done with handwashing’. How many complications would arise? How many deaths on your watch? Now thanks to check lists and reminders throughout hospitals, risks related to handwashing have been nearly eliminated. This is the same thing with security measures. They cannot just be simple annual reminders. If you were reminded to be sure to keep your hands clean all day once a year (and no other reminders) how many team members would be able to keep up with strict handwashing policies?
Likely not that many! Handwashing routines and habits save lives. And so can making security habitual rather than suggested.
What do I mean by habitual security?
Force team members to become security habit makers. For instance, enforce multifactor authentication onto areas of your network with protected information. Deploy malware detection and penetration testing for security vulnerabilities. Make sure your end point computers are protected and network threat detection is installed and enforced across your network.
Passwords should be managed and monitored. Privileged accounts should be even more heavily scrutinized. This isn’t just a compliance issues, but can mean the difference to falling victims to breaches or attacks.
Lastly, vendors should be also held to the same security standards as your team. If they have access to your network, you better believe they need to abide by your rules.
Fear and over-confidence can lead to serious problems—both extremes, fear and confidence, can lead to future cyberattacks.
Some decision makers ascribe to the belief that cyberattacks will come and there is nothing they can do. No matter what they do, a cyberattack is unavoidable.
Other administrators are so confident in their IT security that we’ve seen some instances where a hospital was infected for over 12 months without detecting the breach! This particular hospital ended up paying a serious fine and lost data for nearly a thousand patients. The criminals were silently moving records off network and auctioning identities on the Dark Web.
Bottom line: being over-confident or feared senseless are both dangerous. Neither mentality prepares your hospital for recovery and growing from a cyber incident.
No room for future strategy—most of us are so used to having to face day to day issues that we forget or fall out of habits geared to prepare us for the future. Cyberattacks continue to persist even though most of us wish they didn’t. Even with more laser focused attention on attacks and recruitment of top talent across Silicon Valley and in Washington, it seems like nothing we do completely eliminates the threat of cyberattacks.
One of the major issues is that we don’t plan for future attacks, we simply accept our current landscape. Some simply think “won’t happen to us”, but even those terrified of cyberattacks, the majority of us have no way out.
Without a solid disaster recovery plan—a plan that includes fighting cyberattacks, your hospital likely won’t completely survive your attack. Nearly 85% of hospitals that get infected (especially those in rural areas) end up getting bought within 2 years of the attack. Are you willing to sell your hard work away to the highest bidder?
No organization-wide accountability—like I mentioned above, most organizations simply make staff aware of cybersecurity (typically through annual training). Once and done attitudes, unfortunately, have led many in healthcare fall victim to cyberattacks, even when ALL HIPAA requirements had been checked off.
No accountability or recognition of people following the rules or recognizing new risks typically get promoted throughout organizations. People are too quick to forget things that aren’t habituated and err towards their poor habits instead of getting held accountable (and positively reinforced) for adherence to better security measures.
How to identify bad security habits in your hospital? Consider a free ransomware assessment as your first stab at confronting bad habits.
