Reducing Employee Negligence a Critical Goal
In the two years since this publication featured a story about cybersecurity, hackers have launched even greater cyber assaults on unsuspecting and unprotected healthcare systems.
The 2018 Cyber Claims Study compiled by NetDiligence found that from 2013-2017, healthcare system breaches accounted for 17 percent of all claims and 15 percent of total breach cost. In addition, the HIPAA Journal reported that cyberattacks have skyrocketed since 2015, a year in which more than 113 million healthcare records were breached, exceeding the combined total for 2009-2014.
Furthermore, the HIPAA Journal's 2019 January Healthcare Data Breach Report revealed 33 healthcare data breaches were reported during the first month of 2019, with nearly a half-million records "exposed, stolen or impermissibly disclosed."
But despite the growing numbers of cyberattacks across the industry, finding the funds to implement and maintain robust protection plans remains a challenge for many healthcare systems. And aside from budgetary limitations, some facilities find it difficult to devote adequate time to training staff on how to reduce risk.
"It's all about managing risk and prioritizing expenses," said Dave Lewis, chief information security officer for Duo Security, which is now part of Cisco and has more than 800 healthcare clients across the country, including several in Memphis. "Many medical facilities already have these structures in place, but some need help performing an asset inventory of their systems and conducting due diligence to improve data security."
In the 2017 article about cybersecurity, the Memphis Medical News interviewed "Jack," an expert hacker who works for a company that investigates and tests the security systems of healthcare facilities. Then as now, Jack requested that this publication not identify either him or his company, so that he can remain anonymous when he conducts his assessments.
"I wish I could say that a lot has changed for the better, but although there are definitely some healthcare systems getting on board, not enough of them are and not fast enough," said Jack, who infiltrates medical systems across the U.S. "I still manage to get into restricted areas without official credentials. I still manage to gain access to patient records. I still manage to find things that bad guys would have a field day with, but fortunately for the systems that hire me, I'm one of the good guys. I'm here to help."
And while allowing hackers to penetrate a healthcare system's database may seem counterintuitive to strengthening its operations, Jack emphasized that authorized breaches by "white hats" (ethical hackers) can expose weaknesses and offer solutions that help prevent "black hats" (criminal hackers) from stealing information.
To help mitigate increasingly aggressive ransomware attacks, in which an organization's information is stolen and its access to its own systems is denied unless a ransom is paid, Duo emphasizes the necessity of employee training. Making it harder for hackers, not employees, to access a system is key.
"The focus has to be on balancing security with usability. Medical personnel should be able to do what they do best, which is taking care of patients, without spending precious time worrying about systems access," said Amanda Rogerson, product marketing manager at Duo. "There are programs that provide multi-factor authentication and reduce the risk of cyberattack, but also make it easier for doctors and nurses and other medical workers to access patient records."
In addition, healthcare systems must analyze operating systems to get an accurate picture of network usage.
"We conducted a survey for one healthcare organization and discovered that there were more than 300,000 more devices connected to the system than were accounted for," Rogerson said. "You have to know your system and who's authorized to access it in order to protect it."
Reducing employee negligence is another key component, Rogerson said. Keeping up with technology is vital, but the human component must never be overlooked.
"Robust security systems lose effectiveness if employees don't take them seriously or if they become lax in monitoring who's coming in and out of their area," Jack said. "You can have the most technologically advanced system in the world, but if your frontline employees don't scrutinize my credentials when I show up pretending to be an IT guy checking their computers, well, your system is pretty much worthless. And if it turns out to be a bad guy instead of me accessing your information, it's game over."