16 Jul 2020
The novel coronavirus is giving cybercriminals an opening to retool their attacks against vulnerable targets, and hospitals are at the top of the list. More specifically, they are after patient data, and with an influx of new patients and healthcare organizations working at maximum capacity, the stakes are higher than ever. Across the nation, hospitals cope with attempted data theft and ransomware attacks daily, sometimes hourly. Over 80% of medical practices report having been affected by a cyberattack in some form, and half of those report a potential risk to patient safety. In the last few months, attacks have escalated sharply. Between March and April of this year, IBM X-Force reported a 6,000% increase in COVID-themed malware, malicious domains, and email phishing scams, most of which targeted healthcare facilities. The reason? Health data fetches a good price on the dark web. The FBI found in 2014 that while a stolen credit card number or Social Security number was worth about $1, an electronic health record could be worth anywhere from $50 to $1,000. It is also low risk for high profit: theft of health records tends to take nearly twice as long to detect as ordinary identity theft. The pandemic has stretched hospitals thin financially and technologically, and while staff are devoted to saving lives and risking their own, they also find themselves on the front lines of increased cyber threats. So what can you do to protect your systems and, by extension, your patients from this new front of attack?
Cover Your Bases
Your employees are whom attackers most often target, so your employees are also your first line of defense. Build awareness among your team so they do not fall for social engineering, phishing, or other attempts to manipulate their way past your people and into your systems. Malicious actors have favored phishing in recent months, with schemes that offer "free supplies" to overdrawn hospitals or guides to obtaining government-issued stimulus checks. These emails impersonate health authorities and distributors of protective gear such as masks. More recently they have pivoted to offering information about a COVID-19 vaccine, which, as of this writing, does not exist. Two practical checks for staff: does the sender's actual email domain match the organization the display name claims, and is the message pressuring you to act urgently or to enter credentials?
Ransomware, an especially dangerous scenario for a hospital, continues to climb in frequency, with demands ranging from $10,000 to $25 million. Although it can be tempting to pay the ransom in exchange for data access, experts advise against giving in: payment does not guarantee that data is returned, and ransomware operators may leave behind the means to get back into your systems. Strong security protocols and a dedicated IT security team can expel attackers for good, and regularly tested offline backups are what actually let you recover without paying. Regular vulnerability assessments identify and patch weak points in your systems before attackers can exploit them. Multi-factor authentication usually requires nothing more than the user having their phone with them, and there are many options for backing up and encrypting patient data.
Last week, we addressed the cyber risks facing small-to-midsize businesses, and how a smaller organization may overlook its own exposure because cybercrime against larger entities gets more press. But now more than ever, the research suggests that midsize medical practices have the most to worry about: they are large enough to hold a sizable number of health records, but small enough not to set aside time and resources for IT security, which is exactly what an attacker looks for in a target.
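As an added example of the phishing checks described above (this is illustration code written for this post, not a tool from the original page or from any vendor), the script below parses raw email messages with Python's standard library and flags two of the signals mentioned: a COVID-themed lure (free supplies, stimulus checks, vaccine information) and a From: display name that claims a health authority while the address domain does not belong to that authority. The keyword list, the authority-to-domain mapping, and the two sample messages are constructed assumptions for the demonstration, not an official list.

```python
"""Triage heuristics for COVID-themed phishing lures (added example).

Scores a raw RFC 822 message on two signals: a lure phrase in the subject or
body, and a From: display name that claims a health authority or agency while
the address domain is not one that authority uses.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Assumed mapping of commonly impersonated authorities to domains they use.
# Illustrative only; extend from your own verified allow-list.
LEGIT_DOMAINS = {
    "who": {"who.int"},
    "cdc": {"cdc.gov"},
    "hhs": {"hhs.gov"},
    "irs": {"irs.gov"},
}

# Lure phrases drawn from the themes described in the post (assumed list).
LURE_KEYWORDS = (
    "free supplies", "free masks", "ppe", "stimulus check",
    "vaccine", "covid", "coronavirus",
)


def contains_phrase(text, phrase):
    """Whole-word match so 'ppe' does not fire on 'happened'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def sender_domain(from_header):
    """Return (display_name, domain) from a From: header, lowercased."""
    name, addr = parseaddr(str(from_header or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def claimed_authority(display_name):
    """Return the first authority the display name claims, or None."""
    for key in LEGIT_DOMAINS:
        if contains_phrase(display_name, key):
            return key
    return None


def triage(raw_message):
    """Score one raw message and return the signals plus a verdict."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    name, domain = sender_domain(msg["From"])
    subject = str(msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    lures = [k for k in LURE_KEYWORDS
             if contains_phrase(subject, k) or contains_phrase(text, k)]
    authority = claimed_authority(name)
    # Display name says "WHO" but the mail comes from a look-alike domain.
    spoofed = authority is not None and domain not in LEGIT_DOMAINS[authority]
    score = len(lures) + (3 if spoofed else 0)
    return {
        "from_domain": domain,
        "lures": lures,
        "spoofed_authority": spoofed,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "ok",
    }


# Constructed sample messages for the demonstration (not real mail).
SAMPLE_PHISH = """From: "World Health Organization (WHO)" <alerts@who-covid-update.com>
To: nurse@example-hospital.org
Subject: Free PPE supplies and COVID-19 vaccine information

Your facility qualifies for free supplies. Confirm your credentials at the link below.
"""

SAMPLE_LEGIT = """From: "Internal Comms" <comms@example-hospital.org>
To: staff@example-hospital.org
Subject: Updated visitor policy

Visitor hours change Monday. See the intranet for details.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

The domain check is the more reliable of the two signals: lure vocabulary changes week to week, whereas a message claiming to be from a health authority but sent from a look-alike domain is wrong regardless of its subject line. In production you would replace the hard-coded mapping with your mail gateway's verified sender list and feed the verdict into your spam filter or SOAR workflow rather than a print statement.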
All For One
Taking on new cybersecurity practices in the middle of a pandemic may not be a hospital's first priority, but it belongs on the list nonetheless. When it comes to the safety of your systems, it is important to have a strong baseline and a trusted ally. Our HIPAA Risk Assessment evaluates your HIPAA compliance and the protection of your patients' Protected Health Information (PHI). Using award-winning tools and processes, with support tailored to your needs, we evaluate all levels of your organization, including:
- Network Security — We thoroughly evaluate your network to validate its security and proper monitoring
- Data Security — We audit your controls to ensure PHI is properly secured and protected
- Infrastructure Security — We assess your workstations, servers, and network infrastructure devices to confirm they do not put your security posture at risk
- Risk Management — We combine the assessment findings to measure your exposure to a security incident and provide you with tools to mitigate that risk