Should Medical Facilities Be Concerned About Possible Cyberattacks?
We’re constantly reminded that we need to be careful with our passwords and always on the lookout for the signs of hacking or identity theft that often occur after a cyberattack. For us, it’s just part of our everyday lives, but there are some industries that don’t have the same concern about losing their information. The recent massive DDoS attack, powered by unsecured IoT (Internet of Things) devices, has brought into sharp relief how important it is to protect ourselves from cyberattacks.
With more and more medical facilities moving to digital records storage and IoT devices, the risk of a cyberattack keeps going up. Should these facilities be concerned about some sort of digital attack?
Ransomware and Information Theft
Ransomware, a new type of malware that encrypts information and will delete it if the owner of the afflicted system doesn’t pay a ransom to the hackers, is one of the biggest problems for even the most up-to-date hospital cybersecurity systems. In one extreme case, Hollywood Presbyterian Medical Center paid more than $17,000 to a hacker group after its network became infected. This extreme step was taken to ensure the integrity of their patients’ files.
Patient medical information theft is on the rise, because it has become more lucrative for hackers to steal insurance information than it is to steal credit card data. People monitor their credit reports and react quickly to any fraudulent charges or changes, but very few people monitor their medical history to make sure there are no fraudulent diagnoses or prescriptions being taken out in their name.
Preparation and Prevention
According to industry specialists, Arthur J. Gallagher & Co., “From a global risk-awareness perspective, areas every facility should have written processes and procedures for are: manage and control of electronic and paper health records, medical devices, mobile devices, limit physical access and network access married to a robust firewall and encryption system. We encourage our hospitals and physician practices to engage their staff to fully understand what Protected Health Information is, and to have a written policy that is continually communicated and updated.”
What does that mean in laymen’s terms?
It means hospitals, doctors’ offices and other medical facilities need to be proactive in the steps they take to protect their patients’ information and their own networks from theft, hacks and the introduction of malware or viruses.
What steps can these facilities take to protect themselves and their systems?
– Keep system backups and images on a non-networked storage device. Keeping a backup will ensure patient data is not lost in the event of a hack or malware attack. Cloud storage allows the backup to be kept off-site and as long as facilities don’t back up files while there’s a virus in the systems, files are secure. An image, on the other hand, is used to keep a system’s default settings and can be used to restore devices to the state that they were in before the virus assault.
– Don’t go it alone. There is an entire industry dedicated to cybersecurity, so it pays to hire a good cybersecurity firm to secure and protect vital systems. These firms can help protect the network, as well as help establish backup plans in the event of an attack.
– Facilities should change passwords. The recent DDoS attack was primarily powered by DVRs, smart refrigerators and other IoT devices that were vulnerable to attack. How? Their owners did not change the default name and password when they received the hardware. This enables a savvy hacker access to their system without any effort whatsoever.
– Educate device and network users. Generally, you can’t get a virus into your system unless someone clicks on an infected attachment or bad website. The computer isn’t going to do that on its own. If blocking the internet entirely isn’t an option, then educating anyone who is going to be accessing the system is the next best thing.
– Keep software up to date. If facilities are still running Windows XP, for example, they are at risk for a cyberattack because Microsoft ended support for that operating system in 2014, so any new holes or backdoors that are discovered in the program’s security will not be repaired. Make sure all software is up to date, and kept updated by secure means.
What Should Facilities Do If The Worst Happens?
In the event of a cyberattack or security breach, what steps should be taken?
1. Don’t panic. Even the most prepared system is not immune to a cyberattack. Just accept the fact that it’s happened and don’t panic.
2. Notify the facility response team. Many companies keep a cybersecurity response team on retainer in the event of a breach. This team will work to determine who is responsible for the breach, as well as find the best way to repair it and prevent such issues from occurring in the future.
3. Be transparent. Transparency is the key – let patients and associates know there is a problem and that the team are working to fix it. That allows patients or other individuals to take the necessary steps to protect themselves and their information.
4. Remain vigilant. It’s a never-ending battle to keep networks secure, so remaining vigilant will give facilities the best chance of protecting patient information.
Anytime we rely on networked hardware or software, there is always the risk of cyberattack. The best thing anyone can do in these situations is to remain vigilant and take all steps possible to secure their systems. It’s a constant battle, but by staying aware of current cybersecurity situations, it is possible to get an edge and stay ahead of the rising tide of cyberattacks.