Healthcare organizations collect sensitive patient information in order to provide care, and that data is a target for attackers. When an attacker succeeds, the result is a data breach.
Healthcare Dive analyzed breaches reported to the federal government since 2009. There are several types of breaches involving unauthorized access or disclosure.
1. Software Updates
Healthcare organizations are a favorite target of cybercriminals because medical records are worth up to 40 times more on the dark web than stolen credit card information. Attackers can use stolen ePHI to monetize their hacks by selling it or holding the entity ransom and preventing access to essential services like surgery and radiology.
Medical practices should implement a vulnerability management program to discover and mitigate software vulnerabilities before hackers exploit them. This involves constant system monitoring, security patches, and updates to reduce the attack surface.
A healthcare practice should also limit employee access to sensitive data by implementing a password policy. This limits how much ePHI is exposed if an employee's work computer is lost or compromised.
Finally, medical practices should limit how long they store ePHI by having an established data retention schedule. This will help protect against breaches caused by obsolete files that attackers could access if not deleted.
2. Third-Party Vendors
A third-party data breach can be just as disastrous for a healthcare company as one that takes place in-house. That’s because attackers are always searching for medical records, which they can sell, monetize, or use to commit fraud.
For example, a cyberattack on UPMC’s vendor MOVEit last year exposed 1.3 million patient records. The MOVEit software had a vulnerability that hackers exploited before MOVEit had patched it.
Cybersecurity isn’t a top priority for many hospitals, creating vulnerabilities hackers can exploit. This is especially true for third-party vendors, who may not have the resources to update their systems or have a robust cybersecurity program. It’s crucial for healthcare organizations to vet these third-party vendors and ensure they are following HIPAA regulations for security. They should also implement a records retention schedule so that ePHI is removed when it’s no longer needed, which will help limit the potential damage from a data breach.
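Both section 1 and section 2 recommend a records retention schedule so that ePHI is removed once it is no longer needed. The following is an added example, not code from the article or from Yellah MSP, showing how such a schedule can be enforced automatically. It assumes a constructed set of records, each carrying a record type, a last-activity date and a legal-hold flag, and a constructed schedule mapping each record type to a retention period in days; record types not on the schedule are flagged for human review rather than deleted.

```python
"""Retention-schedule enforcement for ePHI records (added example).

Assumptions (not from the article): records are dicts with an id, a
record_type, a last_activity date and a legal_hold flag; the schedule maps
record_type to a retention period in days. A legal hold always wins over
the schedule, and unknown record types are never auto-disposed.
"""
from datetime import date, timedelta

# Constructed sample schedule: retention period in days per record type.
RETENTION_SCHEDULE = {
    "imaging_study": 365 * 7,
    "billing_record": 365 * 6,
    "appointment_reminder": 90,
}

# Constructed sample records (ids and dates are invented for the example).
SAMPLE_RECORDS = [
    {"id": "R-1", "record_type": "appointment_reminder", "last_activity": date(2023, 1, 5), "legal_hold": False},
    {"id": "R-2", "record_type": "appointment_reminder", "last_activity": date(2023, 12, 20), "legal_hold": False},
    {"id": "R-3", "record_type": "billing_record", "last_activity": date(2016, 3, 1), "legal_hold": False},
    {"id": "R-4", "record_type": "billing_record", "last_activity": date(2016, 3, 1), "legal_hold": True},
    {"id": "R-5", "record_type": "imaging_study", "last_activity": date(2020, 6, 30), "legal_hold": False},
    {"id": "R-6", "record_type": "unknown_type", "last_activity": date(2010, 1, 1), "legal_hold": False},
]

# Fixed "today" so the sample run is reproducible.
SAMPLE_TODAY = date(2024, 1, 15)


def disposal_date(record, schedule):
    """Date on which the record becomes eligible for disposal, or None if
    its type is not covered by the schedule."""
    period = schedule.get(record["record_type"])
    if period is None:
        return None
    return record["last_activity"] + timedelta(days=period)


def classify_records(records, schedule, today):
    """Split records into (dispose, retain, review) lists of record ids."""
    dispose, retain, review = [], [], []
    for r in records:
        due = disposal_date(r, schedule)
        if due is None:
            review.append(r["id"])          # no rule: needs a human decision
        elif r.get("legal_hold"):
            retain.append(r["id"])          # hold overrides the schedule
        elif due <= today:
            dispose.append(r["id"])         # past its retention period
        else:
            retain.append(r["id"])
    return dispose, retain, review


def dispose_records(records, ids_to_dispose):
    """Remove the listed records and return (remaining, audit_entries).

    Each audit entry records which record was disposed and why, so the
    deletion itself leaves a trail for reviewers."""
    remaining, audit = [], []
    for r in records:
        if r["id"] in ids_to_dispose:
            audit.append(f"disposed {r['id']} ({r['record_type']}) last_activity={r['last_activity']}")
        else:
            remaining.append(r)
    return remaining, audit


def classify_sample():
    """Run the classification over the constructed sample data."""
    return classify_records(SAMPLE_RECORDS, RETENTION_SCHEDULE, SAMPLE_TODAY)


if __name__ == "__main__":
    dispose, retain, review = classify_sample()
    remaining, audit = dispose_records(SAMPLE_RECORDS, dispose)
    print("dispose:", dispose)   # ['R-1', 'R-3']
    print("retain:", retain)     # ['R-2', 'R-4', 'R-5']
    print("review:", review)     # ['R-6']
    print("\n".join(audit))
```

In practice the review list is the important output: a record type that is missing from the schedule is a gap in the retention policy, and silently deleting (or silently keeping) such records defeats the purpose of having the schedule.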
3. Employee Training
Cyberattacks continue to be a top threat to healthcare. The most significant breaches in 2023 and through the first six months of 2023 impacted more than 30 million Americans—with more to come.
The root causes of these breaches range from data stored in multiple environments to phishing and compromised credentials to cloud misconfigurations. However, healthcare organizations still struggle to keep up with cybersecurity best practices.
Educating the workforce is vital, especially for remote workers or those who travel for work. Providing cybersecurity training and tools to protect sensitive information can help prevent data breaches in these instances.
As such, a plan should be implemented to train employees and third-party vendors. The goal is to prevent attacks that disrupt operations and could lead to patient harm. Training should also cover what not to do after a breach is noticed, such as wiping a system, which destroys the forensic evidence needed to identify how the attack happened.
4. Incident Response
A strong incident response plan is critical to stopping information from being stolen, mitigating further damage, and restoring operations as quickly as possible. However, just having a plan isn’t enough – it must be practiced and tested regularly with tabletop run-throughs and simulation training.
Healthcare organizations continue to account for a significant share of reported data breaches overall, but luckily, there are steps that can be taken to prevent them from falling prey to cyberattacks.
The most important thing is to never comply with ransomware demands, as paying only encourages attackers to target you again. Instead, if you haven’t already done so, communicate with your patients and the media through a holding statement, a press release, a patient statement, and an internal/employee statement. Additionally, implement and maintain a robust backup strategy and test it often so that your organization is prepared for a data breach.
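The paragraph above says a backup strategy must be tested often, but a backup that exists is not the same as a backup that can be restored intact. The following is an added example, not code from the article or from Yellah MSP, of one building block of such a test: a SHA-256 manifest is recorded when the backup is taken and re-verified during a restore drill, so silent corruption or a missing file is caught before the backup is needed. The directory layout and file contents are constructed inside a temporary directory for the example; a real run would point `root` at the backup volume.

```python
"""Backup integrity check (added example, not from the article).

Assumptions: the backup is a directory tree; `root` and the sample files are
constructed here in a temporary directory. The manifest would normally be
stored separately from the backup it describes.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the backup on disk against a previously recorded manifest.

    Returns a dict with three sorted lists: files in the manifest that are
    gone, files whose digest changed, and files present but never recorded."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    corrupt = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unexpected = sorted(p for p in current if p not in manifest)
    return {"missing": missing, "corrupt": corrupt, "unexpected": unexpected}


def backup_is_healthy(report):
    """A backup passes only when every category of finding is empty."""
    return not (report["missing"] or report["corrupt"] or report["unexpected"])


def demo():
    """Construct a sample backup, verify it, then tamper with it and re-verify.

    Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ehr"))
        with open(os.path.join(root, "ehr", "patients.db"), "wb") as f:
            f.write(b"constructed sample database contents")
        with open(os.path.join(root, "ehr", "audit.log"), "wb") as f:
            f.write(b"2024-01-15 backup taken (constructed sample line)\n")

        manifest = build_manifest(root)          # recorded at backup time
        clean = verify_backup(root, manifest)    # restore drill, nothing changed

        # Simulate silent corruption of one file and loss of another.
        with open(os.path.join(root, "ehr", "patients.db"), "ab") as f:
            f.write(b"X")
        os.remove(os.path.join(root, "ehr", "audit.log"))
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("initial check healthy:", backup_is_healthy(clean))   # True
    print("after tampering:", tampered)
```

A manifest check only proves that the files match what was written; a full drill should also restore the data into a test environment and confirm the application can read it, and the manifest should be kept somewhere the backup process itself cannot overwrite.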
In sum, regularly updating your hardware and software is essential to preventing cyberattacks on your business. If you need help with this, Yellah MSP is here for you. Just contact us and we will handle it for you.