The healthcare industry has become a very attractive target for cyber attack over recent years. Alongside the mandate for Electronic Medical Records (EMR) and the conversion efforts it drives, many organizations are also integrating with new service providers, third-party vendors and merger partners. All this churn in the industry is like chumming shark-infested waters, attracting a variety of attacks. The sheer volume and relative value of medical data make this a highly attractive sector for cyber attack.
EMR – Industry in transition
With many organizations either recently converted or still in the process of converting to electronic records, opportunities exist for cyber attack based on changing controls and roles. This is especially true when data custodianship changes through outsourcing or merger events, since the old norms are in flux. Things like who is in charge of the records and how they are to be handled might change multiple times during a transition. Emails and phone calls from unfamiliar people are likely to increase, and requests to share detailed information about systems and data might seem more reasonable than usual. If people fall prey to a phishing or phone scam at a time like this, a cyber criminal can get a virtual foot in the door by gaining access to systems or having malware installed. And again, courtesy of the changing controls and custodianship that often accompany any transition, the theft of medical records may continue for an extended period before it is detected and eradicated.
People – An always present danger
People are key in this equation. From the records clerk at a doctor’s office trying to figure out the new system to the data analyst at an insurance company, everyone is a target for cyber attack. Taking advantage of the ongoing changes in the industry, cyber thieves continue to run attacks like spear phishing emails and other social engineering tactics via phone and web. According to the Ponemon Institute, in its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, half of the data breaches in the healthcare industry were attributed to “mistakes”, which include unintentional employee actions, mistakes by third-party organizations, and lost or stolen computing devices. From this we see that people, both employees and third-party vendor staff, represent a significant gap in the security armor. The cyber security awareness training currently in use is not getting the job done against threats like these, which use people as the attack vector.
More is More, Better is Better
More training on cyber security would be good, but what is needed is better training. Traditional cyber security training at many companies consists of a one-time session on safe computing, perhaps followed up with an annual review. The problem is that this approach only produces short-term increases in awareness, and it can leave a gap of up to a year before the next new attack technique is covered in the training. Modern cyber security training programs use advanced techniques with quantifiable results, and are designed to instill long-term changes in behavior, not just short-term increases in awareness. Your staff needs to be constantly on the defense against cyber attack, and your organization needs to be prepared to respond with a robust cyber security incident response plan. Equip your staff to recognize phishing emails, phone scams, bogus web links and suspicious apps. Ensure they know how to respond appropriately, including reporting threats to your cyber security team. After all, one wrong click can trigger an attack. Invest in your employees to minimize the people portion of your attack surface.