Health Care Security Starts With People
Security has become a top priority in health care, but there’s still work to be done. The 2016 Annual Healthcare Industry Cybersecurity Report from SecurityScorecard found that the medical field ranks 15 out of 18 in terms of preparedness to address social engineering vulnerabilities. This statistic suggests that the health industry is particularly vulnerable to this kind of attack and that employees in the sector need a greater awareness of cybersecurity best practices.
Health Care Security
SecurityScorecard’s report looks at data from 700 health care organizations, including medical treatment facilities, health insurance companies and health care manufacturing companies. These diverse organizations all have one regulatory code that directly affects the personally identifiable information in their stewardship: the Health Insurance Portability and Accountability Act (HIPAA). This legislation specifies what protections should be in place for information that could directly identify or impact a patient, hoping to make attackers’ jobs that much more difficult.
However, SecurityScorecard also noted that health care has the fifth-highest ransomware infection rate among all industries. This fact, combined with the field’s susceptibility to social engineering techniques, suggests that one of the major security weak points in health care is, unfortunately, the people who work in it. Human error is a cause for concern in most organizations, but the sheer number of daily interactions involved in the routine work of the medical field makes it even more vulnerable to exploitation.
For example, a phishing attack fails if the victim doesn’t perform the action the attackers want. Social engineering is how the attacker nudges the victim toward performing that action. According to Naked Security, last February a Hollywood hospital had some of its data held hostage by cyberattackers, who demanded 9,000 bitcoin (approximately $3.4 million) to return it. In response, Hollywood Presbyterian Medical Center diverted ambulances to nearby hospitals and essentially shut down its nonessential devices, meaning staff members had to record patient information with pen and paper.
Obviously, requiring an entire hospital to temporarily go without computers isn’t the most efficient procedure. To truly protect the industry, systemic changes need to be made so that organizations can predict attacks and efficiently address them if they occur. When a hospital employee opens an unsafe email, the link or document carrying malicious code could be disguised to look just like an item the employee would routinely encounter. A health care employee’s correspondence can involve many types of documents from a variety of different people, so the red flags to identify a malicious file aren’t always very clear.
That’s why it’s not enough to train employees not to enable macros in documents from unknown sources. A worker might think they’re looking at a normal business document, not a malicious attachment. The organization can try to ensure the employee is exposed only to normal documents, but an attacker may use some side-channel method to bypass enterprise policies.
A complete security strategy has to include increasing employees’ understanding of best practices against social engineering attacks. Staff members shouldn’t need to be on edge when they open every file, but they should know how to evaluate the trustworthiness of emails and attachments. Employees should be able to verify a sender’s return address, for example, before they perform any action the message might propose. Human error may be the root of many security breaches in the health care industry, but in the end, a person — not a machine — is the first line of defense against malware attacks.
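The two checks the article asks staff to make by hand, confirming that the address a reply would go to matches the apparent sender and noticing a macro-enabled attachment, can also be automated at the mail gateway so that the message arrives already flagged. The following is an added example written for this page; it is not code from the article, from SecurityScorecard or from any hospital, and the message it parses is constructed. It uses only Python’s standard `email` package, compares the domains of `From`, `Reply-To` and `Return-Path`, and lists attachments whose extensions indicate Office macros.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real phishing mail): the display name
# claims an internal sender, but Reply-To and Return-Path point at an
# unrelated domain, and the attachment is a macro-enabled Word document.
SUSPICIOUS_MESSAGE = b"""Return-Path: <billing@example-invoices.net>
From: "Records Department" <records@hospital.example>
Reply-To: billing@example-invoices.net
To: staff@hospital.example
Subject: Updated patient referral form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please enable editing and review the attached referral.
--XYZ
Content-Type: application/octet-stream; name="referral.docm"
Content-Disposition: attachment; filename="referral.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--XYZ--
"""

# Constructed clean message: consistent sender domains, ordinary .docx file.
CLEAN_MESSAGE = b"""Return-Path: <records@hospital.example>
From: "Records Department" <records@hospital.example>
To: staff@hospital.example
Subject: Referral form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Attached as discussed.
--ABC
Content-Type: application/octet-stream; name="referral.docx"
Content-Disposition: attachment; filename="referral.docx"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--ABC--
"""

# Office extensions whose format permits embedded VBA macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def sender_domain(header_value):
    """Return the lowercase domain of an address header, or None if absent."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def check_message(raw_bytes):
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = sender_domain(msg["From"])
    findings = []
    # A reply or bounce that would leave the apparent sender's domain is the
    # mismatch the article tells staff to look for before acting on a message.
    for header in ("Reply-To", "Return-Path"):
        other = sender_domain(msg[header])
        if other and other != from_domain:
            findings.append(
                f"{header} domain {other} differs from From domain {from_domain}"
            )
    # Macro-enabled attachments deserve a second look regardless of sender.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, check_message(raw) or ["no findings"])
```

The domain comparison is deliberately coarse: it does not consult SPF or DKIM results, so a gateway deployment would add those as further inputs rather than treat this check as authoritative. Its value is that the findings can be prepended to the subject or shown as a banner, giving the employee the cue the article says they often lack.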