Considerations for healthcare during National Cybersecurity Awareness Month
In recognition of National Cybersecurity Awareness Month, we’ve reached out to our resident cybersecurity experts, Imprivata CTO, Wes Wright, and Imprivata Director of Information Security and Corporate Compliance, Al Colon, to ask them about some of the burning cybersecurity issues in healthcare. Here’s what they had to say:
1. Why is healthcare such a prime target for cyber criminals?
Wes: Fundamentally, HIT is “behind” other industries in terms of cybersecurity so we’re an easier target. Plus, many of the applications we have run on older operating systems that often can’t be patched in a timely manner because they’re constantly being used in patient care. That’s from a practical point. However, on the other side of the coin, there is a lot more contained in a health record than there is in a financial record which makes health records more valuable than any other record. On top of that, having come from a pediatric hospital, one of my major concerns is that a child’s record could get hacked/compromised and that child would never know about it until they started applying for credit and such. That’s a long run in which fraud can be committed.
Al: Healthcare organizations have a vast amount of data. Data which, by nature, is very confidential. These organizations are generally under-funded and under-resourced from an information security perspective; they have very little view into what is on their network and very little security controls. Hospitals would not want this data exposed as it could be a disastrous situation for them to be in. In cases where ransomware may take over this data, hospitals pay whatever ransom is demanded out of necessity of keeping their data safe. These organizations also deal with an abundance of legacy and outdated software systems and devices. Some of which were made by companies that no longer exist, let alone get regular updates and security improvements to combat modern threats increasing vulnerability against cyber-attacks.
2. What do you think should be the top concern for hospitals right now?
Wes: It hasn’t changed, and I don’t think it ever will. The number one concern for hospitals from a cybersecurity perspective is user behavior. Most hacks these days are done using social engineering…it’s the “social” part that worries most folks.
Al: Security on IOT devices. Security controls are non-existent on most of them. For example, imagine an IOT device that controls insulin gets owned and now the patient is at risk of being over-dosed!
3. If you could encourage our customers to do one thing to advance their cybersecurity efforts what would it be?
Wes: Use multifactor authentication (MFA) everywhere. The phishing and other social engineering hacks that go on can’t be/aren’t successful if an application is behind MFA.
Al: Perform a gap analysis on your information security framework and go after the “low hanging fruit”.
For more about how Imprivata can help you with your cybersecurity concerns read our whitepaper: The C-Suite battle plan for cyber security attacks in healthcare.