Why People are Central to Healthcare Cybersecurity

JEFF LOMBARDI | October 31, 2019


Working at a healthcare technology company, I'm constantly talking with medical practices about data security: the top risks, how to protect against cyberattacks and, worst case, how to recover after a breach. That means I spend a lot of time keeping up with the latest cybersecurity news, so I can give our customers the most current information.

Every October is National Cybersecurity Awareness Month (NCSAM), a time to raise awareness about the importance of cybersecurity and share information about how to be safer and more secure online. This year’s themes emphasized personal accountability, and the importance of taking proactive steps to enhance cybersecurity at home and in the workplace.

Reviewing the wide range of blogs, articles and studies about cybersecurity during NCSAM, a few things stood out:

  • Attackers are iterating on phishing techniques faster than most defenders, and their lures keep getting harder to spot.
  • Robust technology such as cloud hosting is essential, but it isn't enough. Healthcare practices must also invest in people, with ongoing training to recognize and avoid the top threats and the newest techniques.

Valuable Health Data

Healthcare is the top breached industry, and health information is the second most at-risk type of data. In 2018 alone, over 15 million patient records were compromised in 503 breaches, which is triple the amount in 2017.  2019 quickly set a new record, with over 25 million patient records breached in the first six months.

Hackers go after healthcare data because it’s profitable. While Social Security numbers are worth about $1 and credit card information sells for up to $110, patient medical records can sell for up to $1,000 apiece online. They’re valuable because of the amount of information they contain, including date of birth, credit card, health insurance, Social Security number, and contact details.

Unprepared Staff

Internal attacks caused the majority of healthcare data breaches (59%) in 2018, according to the Verizon 2019 Data Breach Investigations Report.  Internal attacks generally happen two ways: (1) from a rogue employee or contractor who abuses their access to confidential data or (2) by human error – like an employee who unknowingly clicks on a phishing email. A recent report found that email fraud attacks in healthcare increased 473% since 2017.

People are the number one reason for healthcare security breaches simply because they often lack basic education and awareness about how to identify and avoid common threats. And oftentimes, they aren’t familiar with regulations and policies designed to reduce the risk of a data breach. In a recent survey of healthcare workers, 32% of respondents said they never received cybersecurity training at work. 18% didn’t know what HIPAA meant, and 21% weren’t aware of the cybersecurity policy at their workplace.

Clever Cybertricks

While initiatives like NCSAM are helping to raise cyberawareness, hackers use increasingly clever tricks to get people to do things they wouldn’t normally do, like click on a phishing email.  A recent study showed that the top five phishing emails that healthcare workers clicked on had normal-sounding subject lines: Requested Invoice, Manager Evaluation, Package Delivery, Halloween eCard Alert, and Beneficiary Change.

And a study released this week reported that 77% of email attacks on healthcare organizations used malicious URLs. Many of these emails spoof the organization's own domain in the From address, so employees are more likely to assume the message is legitimate. When they click the link, it typically leads to a credential-harvesting page or a malware download, which gives the attacker a foothold from which to reach the rest of the network and the ePHI on it. The study also found that most phishing emails are sent on weekdays between 7am and 1pm in the recipient's own time zone, increasing the likelihood that employees will open them.
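The two signals in that paragraph, a From address that claims the practice's own domain and a link pointing somewhere else, are both checkable at the mail gateway before a user ever sees the message. The script below is an added example, not code from the original post or from ITelagen: it assumes the practice's domain is example-clinic.org and that the inbound gateway stamps an Authentication-Results header with SPF, DKIM and DMARC verdicts (both assumptions), and it runs over three constructed sample messages, one spoofing the practice's domain, one genuine internal message, and one genuine external message with an outside link.

```python
"""Flag inbound mail that claims the practice's own domain but fails
sender authentication, and mail whose links point to outside hosts.

Added example (not from the original post). Assumptions: the practice's
domain is example-clinic.org and the mail gateway adds an
Authentication-Results header with spf/dkim/dmarc verdicts. The three
sample messages below are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-clinic.org"  # assumption: the practice's own domain
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def sender_domain(msg):
    """Domain of the From: address, which is what the user sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE)
    return {k.lower(): v.lower() for k, v in found}


def body_text(msg):
    """Concatenate every text/* part so links in HTML and plain bodies are seen."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def external_link_hosts(msg):
    """Hostnames linked in the body that are not under ORG_DOMAIN.
    A lookalike such as example-clinic.org.evil.net is correctly treated as external."""
    hosts = {h.lower().split(":")[0] for h in URL_RE.findall(body_text(msg))}
    return sorted(h for h in hosts if h != ORG_DOMAIN and not h.endswith("." + ORG_DOMAIN))


def assess(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = []
    spoofed = sender_domain(msg) == ORG_DOMAIN and auth_results(msg).get("dmarc") != "pass"
    if spoofed:
        reasons.append(f"claims {ORG_DOMAIN} but dmarc={auth_results(msg).get('dmarc', 'none')}")
    ext = external_link_hosts(msg)
    if ext:
        reasons.append("links to external host(s): " + ", ".join(ext))
    verdict = "quarantine" if spoofed else ("review" if ext else "deliver")
    return verdict, reasons


# Constructed samples. Subject lines echo the lures named in the post.
SPOOFED = """From: "Practice Manager" <manager@example-clinic.org>
To: nurse@example-clinic.org
Subject: Requested Invoice
Authentication-Results: mx.example-clinic.org; spf=fail smtp.mailfrom=bulk.example-mailer.net; dkim=none; dmarc=fail header.from=example-clinic.org
Content-Type: text/plain; charset=utf-8

Please review the invoice before 1pm:
https://example-clinic.org.invoice-review.net/view?id=4411
"""

LEGIT = """From: "Practice Manager" <manager@example-clinic.org>
To: nurse@example-clinic.org
Subject: Manager Evaluation
Authentication-Results: mx.example-clinic.org; spf=pass smtp.mailfrom=example-clinic.org; dkim=pass header.d=example-clinic.org; dmarc=pass header.from=example-clinic.org
Content-Type: text/plain; charset=utf-8

The evaluation form is on the intranet: https://intranet.example-clinic.org/forms/eval
"""

EXTERNAL = """From: "Pharmacy Orders" <orders@example-pharmacy.net>
To: nurse@example-clinic.org
Subject: Package Delivery
Authentication-Results: mx.example-clinic.org; spf=pass smtp.mailfrom=example-pharmacy.net; dkim=pass header.d=example-pharmacy.net; dmarc=pass header.from=example-pharmacy.net
Content-Type: text/plain; charset=utf-8

Track your order at https://track.example-pharmacy.net/o/99812
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)):
        print(name, *assess(raw))
```

The spoofed message is quarantined on the authentication failure alone; the external link is a second, independent reason. The genuine external message is only flagged for review, which is the right outcome: most legitimate business mail carries outside links, so the own-domain DMARC check is the signal that separates a spoof from ordinary traffic.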

Train Your Users

The best way to combat the phishing threat is by teaching users to spot a suspicious email before they click on it. An effective security awareness, education and training program is essential to establish this level of understanding. Programs like the one offered by ITelagen run a simulated phishing campaign to identify who is susceptible to clicking a malicious link. The susceptible individuals receive immediate remedial online training to help them avoid falling prey to real threats in the future. Mandatory training is also provided to all staff on a regular basis and included as part of the new employee onboarding process.

Many practices are reluctant to invest in an extra hour or two of training for each employee. But the costs of recovering from a successful cyberattack are much higher, and the repercussions last longer than a few hours. By including both people and technology in your overall cybersecurity strategy, you can safeguard against as many threats as possible.

Interested in a free security assessment of your healthcare organization? Contact us today.