Page 20 - Cyber Warnings
Top 10 Ways Healthcare Can Strengthen Security Policy and
Better Prevent Cyberattacks
2016 is heading towards setting new records for healthcare cyberattacks and data breaches.
North American hospitals hit by cyberattacks so far include Hollywood Presbyterian Medical
Center in Hollywood, California; Methodist Hospital in Henderson, Kentucky; Ottawa Hospital in
Ottawa, Canada; Mercy Hospital in Iowa City, Iowa; and several hospitals operated by MedStar
in Baltimore, Maryland, and Washington, D.C. And this is only the tip of the iceberg.
The nature of these attacks is quite broad. Traditionally, attackers first penetrated hospital
networks and then worked silently to exfiltrate valuable patient data. More recently,
cyberattackers have used tools such as ransomware, which is designed to produce a quicker
profit by directly threatening hospital operations. Until the ransom is paid, these attacks
incapacitate hospitals’ information technology systems and slow access to critical patient
records.
Hospitals are increasingly under attack because of the high value of patient data and the
vulnerability of their cyber defenses. Medical records have between 10 and 20 times the value of
credit-card data because they generally include complete data on the patient’s identity,
insurance and credit cards – data that makes it easy to create a false identity. To make matters
worse, cyber-defense budgets in hospitals are inadequate; they do not support the talent and
technology acquisition necessary to meet the threat head-on.
Hospitals are also plagued by the extreme vulnerability of the medical devices within their
networks. Medical devices are closed to endpoint security software or other cyber-defense tools
because they are FDA certified. And because these devices often run older operating systems
with known vulnerabilities, they create safe harbors where attackers can create “back doors”
that standard cyber defenses cannot easily detect. The serious weaknesses that medical
devices bring into the security architecture must be dealt with by operations-center personnel.
With cyberattacks on the rise, it is increasingly imperative that the healthcare industry
strengthen security policies to better prevent them. New best practices have emerged to help
healthcare institutions meet and overcome these threats. The following list outlines the top ten
ways hospitals can strengthen security and the best practices that support them.
1. Enhance employee training to help forestall attacks. Attackers commonly enter hospital
systems by leveraging the expected behavior of hospital personnel. Two common entry
points for attackers are personal email addresses and browsing on the Internet. A large
percentage of email contains malware in the form of a URL that either leads to malicious
attachments or redirects users to a malware-laden website. Attackers also enter
hospital networks by embedding URLs in the text of an email that appears to be from
20 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide