The onslaught of anti-money laundering campaigns in the US has pushed cybercriminals toward the healthcare industry. Since stolen personal data is harder to trace than laundered money, fraudsters are opting to steal your information and sell it on the dark web, where the demand and value are higher than for typical stolen goods. You might think that cybercriminals won’t target your healthcare facility because of its capacity to provide highly skilled doctors, state-of-the-art equipment, and security measures, but even the best hospitals can fall behind in information security. In fact, the 2018 cybersecurity survey by the Healthcare Information and Management Security Systems (HIMSS) showed that, of the 150 healthcare institutions surveyed, 80 percent allocate a meager 6 percent of their IT budget to data protection. It’s a stark contrast to the financial industry’s 12–15 percent data security budget, even though both industries collect and keep the same personal information about their clients. Understanding how information technology can be leveraged in hospital management puts cybersecurity on the same level of importance as overall patient care.
Secure your mobile devices
If you work in the healthcare industry, chances are you leverage the conveniences of mobility with smartphones, tablets, and similar devices. A swipe on the screen gives you access to “filing cabinets,” desktops, and printers. You can share critical information among your medical team in the shortest time possible. With the rise of the Internet of Things (IoT) and bring your own device (BYOD), everyone can be connected to everything. However, information security is difficult enough to maintain within a monitored IT environment, let alone when you connect your device from an unmonitored location. A study by the US National Institute of Standards and Technology (NIST) warns that BYOD exposes you to untrusted mobile devices, networks, tools, applications, and locations, not to mention the security risks that arise when your device is lost or stolen, or when resigning employees take the device with them. Here are easy but adequate steps to secure your BYOD:
- Device accountability. Ensure that all devices in your organization are accounted for and closely monitored by IT staff.
- Disable remote access. Do not allow BYOD devices to access your network from a remote location. This makes it much harder for unauthorized persons to gain access.
- Use encryption technology. Improve and multiply your data loss prevention practices by encrypting apps and endpoint tools.
- People. Make sure that each member of your organization is compliant with information security procedures and guidelines.
Deal with ransomware
Ransomware is a type of malicious software, or malware, that usually attacks your computer via a phishing email. It renders you incapable of accessing your data. Without a decryption key, it would be impossible for you to regain access. The cyberattacker will then contact you, demanding anywhere from thousands to billions of dollars in exchange for the decryption key. Payment is normally in the form of bitcoin. Don’t be too sure, though, that these menacing criminals will give you the decryption key after you pay them. To prevent ransomware attacks, keep your operating systems, firewalls, and security software up to date. This minimizes the vulnerabilities attackers can exploit. Avoid installing or permitting access to unknown software unless you are certain it is safe to do so.
Train staff to observe security objectives
You may have the best IT services, but all your efforts will be futile if your staff does not comply with the security objectives in place. Simple carelessness or honest mistakes are enough to jeopardize a patient’s medical records and mix them up with another patient’s information. The US Department of Health and Human Services studied 1,138 health data breaches from 2009 to 2017. They found that 472 of the breaches were due to equipment stolen by unknown outsiders or by current and former employees. Another 25 percent of cases were due to emails sent erroneously by hospital staff. What’s more painful is that the staff sent the emails unencrypted despite knowing how to use encryption tools. NIST advises that all members of your organization must follow these security objectives to mitigate data loss in BYOD:
- Confidentiality. See to it that transmitted and stored data cannot be accessed or read by unauthorized parties.
- Integrity. Identify any intentional or unintentional changes to transmitted or stored data.
- Availability. Ensure that resources are accessible to mobile users.