Attacks on healthcare providers can expose the most sensitive and personal data: health records, financial details, contact information, and more. Health services around the world are under more pressure than ever before, making them a direct target for a few unscrupulous cybercriminals.
Anyone with cybersecurity knowledge knows that the immorality of cybercriminals cannot be overstated. It’s difficult to understand why someone would target the sick, the vulnerable, and the dying to make a quick buck.
Cano, a Miami-based organization that manages primary care centers, suffered a single security breach involving three employee email accounts, which ultimately exposed the confidential data of more than 28,000 patients.
Blaming, Naming, and Shaming
We know that stretched and struggling healthcare services are viewed as an opportunity by cybercriminals. We also know that 75% of security breaches can be attributed to a lack of employee understanding. However, in healthcare services, the day-to-day work of many of those employees is incredibly specialized and difficult. Yet, they must be able to identify and mitigate cyber risk as part of their regular routine.
Creating a safe environment where cybersecurity is paramount is everyone’s responsibility. However, cybersecurity specialists with a more in-depth understanding of human behavior must specifically take into account the practicalities of a huge and varied workforce with internal network access. Taking a pragmatic approach is important because it only takes one mistake to cause a potentially disastrous breach.
The security within any healthcare organization’s network must allow for the many different scenarios that could unfold. For instance, the cybersecurity setup must be pragmatic enough to anticipate that someone who has just completed 12 hours of open-heart surgery without a break might not be immediately vigilant when clicking links in their emails.
The cybersecurity team at a large organization must be able to protect the system from the errors and omissions of a huge workforce, some of whom may have no underlying knowledge or awareness of IT.
Medical records are now being accessed through hand-held devices like iPhones, which can be easily misplaced. Healthcare staff may be called to an emergency, or may simply be forgetful, and leave their devices for others to find; whoever picks one up can then access data they are not entitled to, under the identity of the staff member who left the session logged in.
Security in a diverse and vulnerable organization is an incredibly complex and precarious undertaking. It takes a combination of a hyper-vigilant cybersecurity team, a robust employee education program, and failsafe ‘circuit-breaks’ at every point. Security must be intuitive, and it must allow for normal, flawed human behavior.
A setup where one human error can allow a serious security breach is not a good setup. It is both unreasonable and unfair to place significant responsibility on the individual members of the non-IT workforce in any organization. The responsibilities of providing frontline medical attention in a pandemic are surely enough of a burden.
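The unattended-session problem and the "circuit-break" principle above can be made concrete in the session layer: a device that locks itself after a short idle period, refuses to resume without a fresh credential, demands step-up re-authentication for high-impact actions regardless of idle state, and writes every decision to an audit log so that attempts to use a locked session stand out. The following Python is an added illustration written for this page, not code from the article or from any vendor; the timeout values, the action names, and the `SessionGuard` API are assumptions chosen for the example.

```python
"""Idle-lock, absolute lifetime and step-up re-authentication for a shared clinical device.

Added example (not from the original article). It assumes a single in-process
session store; a real EHR or MDM deployment would enforce the same policy at the
application session layer or through the device's management profile.
"""
from __future__ import annotations

import time
from dataclasses import dataclass

# Policy knobs (assumed values, not from the article).
IDLE_TIMEOUT_S = 300         # lock after 5 minutes without activity
MAX_LIFETIME_S = 12 * 3600   # force a full login at least once per 12-hour shift
REAUTH_WINDOW_S = 60         # a step-up credential covers the next 60 seconds
# Actions that must never ride on an unattended session (hypothetical names).
STEP_UP_ACTIONS = {"export_records", "change_medication_order"}


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float
    last_reauth: float
    locked: bool = False


class SessionGuard:
    """Decides whether an action may run on a session and records every decision."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable clock so the policy can be tested deterministically
        self.audit = []       # append-only list of decision records

    def login(self, user: str) -> Session:
        now = self._clock()
        return Session(user, now, now, now)

    def reauthenticate(self, session: Session) -> None:
        """Called only after the user presents a credential again (PIN, badge, biometric)."""
        now = self._clock()
        session.last_reauth = now
        session.last_activity = now
        session.locked = False

    def authorize(self, session: Session, action: str, record_id: str) -> tuple[bool, str]:
        """Return (allowed, reason). A denial locks the session until reauthenticate()."""
        now = self._clock()
        reason = self._evaluate(session, action, now)
        self.audit.append({"t": now, "user": session.user, "action": action,
                           "record": record_id, "allowed": reason == "ok", "reason": reason})
        if reason == "ok":
            session.last_activity = now
            return True, reason
        session.locked = True
        return False, reason

    def _evaluate(self, s: Session, action: str, now: float) -> str:
        # Order matters: an expired session cannot be revived by re-authentication.
        if now - s.created_at > MAX_LIFETIME_S:
            return "session_expired"
        # Merely touching the screen does not unlock; a credential is required.
        if s.locked or now - s.last_activity > IDLE_TIMEOUT_S:
            return "idle_locked"
        if action in STEP_UP_ACTIONS and now - s.last_reauth > REAUTH_WINDOW_S:
            return "reauth_required"
        return "ok"

    def unattended_attempts(self) -> list[dict]:
        """Audit entries where someone tried to act on an idle-locked session.

        A cluster of these on one device is the signal a SOC would want to review."""
        return [e for e in self.audit if e["reason"] == "idle_locked"]


if __name__ == "__main__":
    # Constructed walk-through: a clinician walks away mid-shift and someone else picks up the tablet.
    class FakeClock:
        t = 1000.0
        def __call__(self) -> float:
            return self.t

    clk = FakeClock()
    guard = SessionGuard(clock=clk)
    s = guard.login("dr_rivera")
    print(guard.authorize(s, "view_record", "pt-0001"))      # (True, 'ok')
    clk.t += 400                                             # device left idle past the timeout
    print(guard.authorize(s, "view_record", "pt-0002"))      # (False, 'idle_locked')
    guard.reauthenticate(s)                                  # clinician returns and re-enters PIN
    print(guard.authorize(s, "export_records", "pt-0002"))   # (True, 'ok') within the step-up window
    print(len(guard.unattended_attempts()), "unattended attempt(s) logged")
```

The design point is that no single lapse, whether walking away from a logged-in device or clicking while exhausted, can by itself open a bulk-export path: the idle lock, the absolute lifetime and the step-up check are independent breakers, and the audit trail attributes each attempt to a session rather than silently trusting whoever holds the device.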
Heart-Stopping Vulnerability: The Hackable Medical Device
It’s not only the infrastructure of healthcare services that provides a target for criminals; networked medical devices are also vulnerable to attack.
Implantable medical devices are at the very cutting edge of medical technology and are increasingly linked to services and servers around the globe.
Devices like remotely controlled insulin pumps for diabetics; implantable cardiac defibrillators, which detect and treat life-threatening heart rhythm disturbances; and web-enabled medication administration devices are just some of the innovative yet vulnerable technologies in use by medical teams all over the world. When medical devices meet the IoT, they become hackable.
There are more than three million people with cardiac pacemakers worldwide, pacemakers that identify and treat heart rhythm disturbances. A hackable heart rhythm management device is literally a heart-stopping thought. Ethical hackers have identified vulnerabilities in the Internet of Medical Things that would have allowed cybercriminals to remotely hack a pre-programmed insulin pump and deliver a lethal dose.
Caring for the Carers
It cannot be denied, and it’s unlikely to be stopped: medicine is going digital. While a robust cybersecurity awareness training program built into a mandatory employee education package can give a workforce some understanding of risk, relying on every member of a large workforce to stay cyber-alert is unfeasible.
The answer lies in employing dynamic, specialized individuals to anticipate and respond to threats at every possible touchpoint within an organization. Resources allocated to IT should be commensurate with the level of harm that could result from a security incident.
All throughout Cybersecurity Awareness Month, we are encouraging you to do your part when it comes to securing your data. In partnership with the National Cyber Security Alliance and the Cybersecurity & Infrastructure Security Agency, we’re sharing resources from CISA.gov so you can educate yourself and others on the importance of securing your personal information by exploring cybersecurity resources to combat cybercriminals. This is one of the many ways you can #BeCyberSmart.