Five Dangerous Healthcare Cybersecurity Myths
Healthcare organizations are staffed with physicians and other highly-trained employees whose education and experience give them great confidence in their decisions. That confidence, however, can be troublesome if it extends beyond medical decisions and into the world of cybersecurity. Hospitals, medical centers, and other healthcare entities are treading on thin ice if they subscribe to these five common but dangerous cybersecurity myths.
- Myth: Our firewall and anti-virus software will protect us.
  Fact: Even fully up-to-date antivirus and firewall products will not stop every new threat; attackers routinely craft attacks that bypass signature-based software and network firewalls. Technology provides a first layer of defense at the perimeter of a healthcare organization, but that layer can be breached. Further, once installed, many healthcare perimeter defenses are not patched, updated, or maintained properly, which makes them even easier to get past.
- Myth: Ransomware is not a problem in the healthcare industry.
  Fact: Ransomware attacks, in which malicious code blocks access to data records, accounted for more than one fourth of all reported cyberattacks on healthcare organizations in 2016, and hospitals and medical entities may be underreporting such incidents out of concern over loss of patient confidence and damage to the organization's reputation. Because healthcare data is mission-critical, healthcare entities are more likely to be targeted: attackers see a quick way to extort ransom payments from an organization that depends on that data. Moreover, paying a ransom to end an attack does not prevent further ransomware attacks, and attackers who learn that an entity is willing to pay will be tempted to strike the same target again.
- Myth: A strong password policy will insulate us from cyberattacks.
  Fact: Requiring employees of healthcare organizations to use strong passwords is a good start, but that policy alone will not insulate the organization from a cyberattack. Employees' use of mobile devices opens new avenues of attack for hackers who target personal devices that enter the workplace. In addition, if an employee reuses the same strong password across multiple logins, a hacker who obtains the password for one login gains access to every other account that shares it. Password managers and two-factor authentication for healthcare organization network logins will reduce these threats, but they will not totally eliminate the problem.
- Myth: Our reputation will remain intact even if we experience a cyberattack.
  Fact: A healthcare entity's average actual losses and liabilities from a single cyberattack exceeded $800,000 in 2017. That figure does not account for loss of reputation and other business losses the entity will experience as patients move to healthcare providers that offer more security for their personal medical records. Patients who are concerned about cybersecurity in healthcare will be drawn to organizations that are known to take greater pains to protect their information and that carry cybersecurity insurance compensating for losses and liabilities.
- Myth: Internet-connected devices do not raise our exposure to a cyberattack.
  Fact: Medical devices that are part of the ever-growing Internet of Things (IoT) can be an easy entry point for an attacker, especially one intent on breaching a healthcare organization's data networks. Why? IoT medical devices typically run embedded legacy software that is updated infrequently, if it is updated or maintained at all. Such devices also give attackers new pathways for launching distributed denial-of-service (DDoS) attacks on healthcare organizations; these attacks overwhelm a network and distract IT security personnel while the attackers look for other entry points. Cybersecurity in a healthcare environment is wholly incomplete if IoT medical devices are excluded from the broader cybersecurity strategic plan.
This is a lot for an organization to tackle at once. If you want to improve your defenses, it is probably best to develop a structured plan: decide what to handle this quarter and what to handle next quarter. Little by little, you can avoid dangerous healthcare cybersecurity threats.