Now, more than ever before, healthcare organizations depend on technology to help provide patients with care. In an organization with over 60,000 employees who rely on internet connections to treat patients, diagnose diseases, schedule appointments, or complete forms electronically that were previously distributed to patients on paper, cyber-attacks and cyber terrorism are a constant threat. Other common threats in healthcare settings are theft on-premises, wrongly set privileges, password or access token sharing, and unattended assets going missing (Deursen, Buchanan, & Duff, 2013).
In this blog, I will review future cyber-security risks and solutions that might apply to a health care organization. I will consider new technologies that a health care organization of such magnitude might adopt, changes in the information assets and vulnerabilities of the health care organization, and any new threats that might appear within the health care organization locally and globally.
In a healthcare environment, the staff is always proactively assessing risk in order to decrease the risk to patients, staff, and visitors. However, human error, cutting corners, risky choices, limited knowledge, and a limited view of cascading effects all work against the organization's goal of preventing risk. To begin to assess any risk in a health care organization, one must first identify the issues and what is to be evaluated. Key players, the people who do the work or use the technology every day, should be identified so that they can take part in determining the risk. Once the risk assessment is clear, health care organizations begin to mitigate the risk and develop strategies to decrease it. In healthcare, documentation of the risk can be found in a risk assessment form. The risk assessment form describes the issue, those involved in the discussion, arguments in support of the issue (why things should remain the same), arguments against the issue (why things should change), risk reports, and, finally, potential strategies to reduce risk.
Cloud computing, for example, cannot rely on today's risk assessment methods and frameworks because they do not work well for it (Akinrolabu, Nurse, Martin & New, 2019). Because security and trust are not working collaboratively in cloud computing environments, the result is a lack of security controls and the inability of cloud customers to measure the risks of their cloud services accurately (Akinrolabu, Nurse, Martin & New, 2019). Not being able to provide a comprehensive risk assessment is preventing large organizations from migrating data to the cloud. Without a proper risk assessment, cloud customers cannot identify security risks proactively and implement safeguards to reduce cloud risks (Akinrolabu, Nurse, Martin & New, 2019).
Health care organizations are often exposed to cyber-attacks, phishing attempts, and other security threats that are becoming more sophisticated every day. Albahar (2019) argues that cyber-attacks are growing globally and that most of the occurrences are related to malicious intrusions, data breaches, espionage activities, and temporary disruption of services. A simple user name and password no longer adequately protect a health care system and prevent unauthorized access. The health care organization must implement additional safeguards to protect patient, employee, and business information. In the event that physicians or employees need to access applications remotely, a secure remote access solution that features two-factor authentication must be implemented. Two-factor authentication requires staff to confirm their identity with additional information beyond the network user name and password. After staff have confirmed their identity, they will be periodically asked to reconfirm it through the two-factor authentication process. Similar to security processes already in place for online banking, two-factor authentication adds an extra layer of protection against fraudulent cyber activity.
Health care organizations have seen reports of viruses affecting computer systems at hospitals. In May of 2017, a ransomware worm called WannaCry broke out, exploiting vulnerabilities in Windows, and eventually spread to a large number of corporate organizations and people across the nation and globally (Dong, Yuan, Ou, & Liu, 2018). WannaCry targeted high-value assets for extortion and encrypted important files. These sorts of attacks have raised questions and concerns about the potential for further attacks. New viruses and harmful software hit the internet every day. The latest attacks include viruses that block computer access and encrypt files. One of the main ways employees in these healthcare organizations can be infected is through phishing emails. This happens when an unsolicited email arrives from an unknown sender with an attachment or web link that, when opened, executes a virus program. Many healthcare organizations recently received targeted ransomware attacks that attempt to convince users to open infected documents with an email subject line similar to “Deposit Batch Approved – Healthcare USA – QuickBooks.”
Solutions to these cyber-attack issues might include monitoring file storage locations with a custom technology that raises alerts, and keeping backups. Also, the Information Technology department can look into upgrading their anti-spam email solution, updating the website e-blocking capabilities, locking down user permissions to shared drives, and transitioning the anti-virus software. It would not hurt to also look into installing a new intrusion-prevention system that only allows approved software, a virus-detonation server that will execute files to determine if they are malicious, intensifying authentication, and tightening administrator permissions.
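To make the file-storage monitoring idea concrete, here is an added example (not from the original post or any product it mentions) that flags a burst of high-entropy writes on a shared drive, the pattern file-encrypting ransomware leaves behind. The event format, function names, thresholds, and sample data are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def detect_encryption_burst(events, window_s=60, min_files=5, entropy_bits=7.0):
    """events: time-ordered (epoch_seconds, user, path, sample_of_written_bytes).
    Alert once per user when min_files distinct files receive high-entropy
    content within window_s seconds. Thresholds are assumptions to tune."""
    recent = defaultdict(deque)  # user -> (ts, path) of recent high-entropy writes
    alerted, alerts = set(), []
    for ts, user, path, sample in events:
        # Entropy alone is not enough: zip, docx and images are also high-entropy,
        # so the rate of distinct files touched is what separates a burst.
        if shannon_entropy(sample) < entropy_bits:
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window_s:
            q.popleft()
        paths = sorted({p for _, p in q})
        if len(paths) >= min_files and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, paths))
    return alerts

# Constructed sample data (not real audit logs).
CIPHER_LIKE = bytes(range(256)) * 4  # stand-in for ciphertext, entropy 8.0
PLAIN_TEXT = b"Appointment schedule for clinic A, week 12\n" * 40
SAMPLE_EVENTS = (
    [(1000 + i * 120, "nurse01", f"/share/forms/notes{i}.txt", PLAIN_TEXT) for i in range(6)]
    + [(2000 + i * 3, "clerk07", f"/share/billing/batch{i}.csv", CIPHER_LIKE) for i in range(8)]
)

if __name__ == "__main__":
    for user, ts, paths in detect_encryption_burst(SAMPLE_EVENTS):
        print(f"ALERT user={user} t={ts} files={len(paths)} first={paths[0]}")
```

An alert like this is most useful when it triggers containment, such as suspending the account's write access to the share, while the backups mentioned above cover the files already changed.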
Employees are the first level of defense and can help protect the information systems and their employee records. Employees should never click on unknown links in unsolicited email and website advertisements. Computer attackers will often use these email links to interact with the employee and gain more information that could compromise the data or computer systems. Employees should always use caution when opening email attachments. Suspicious email attachments may contain viruses or other harmful software that activates once the attachment has been opened. Employees should avoid opening macros in Word document attachments unless they are expecting them. Even if the email is coming from a trusted source, practicing good judgment in opening attachments or URL links in an email can prevent malicious attacks. It is best to validate with the source or sender whether an attachment is expected. Following safe practices when browsing the web can also block malicious attacks. Employees should avoid clicking on suspicious links promising free downloads, merchandise, or services. Cyber attackers often use these kinds of links to gather information about the individual or the computer system. Finally, ensuring anti-virus software is running and up-to-date on all devices accessed throughout the health care organization will prevent malicious attacks.
Tips for Employees to Prevent Cyber-Attacks

Health care organizations should consider cyber-security training for staff to educate individuals about cyber threats and what they can do to prevent them. A tool called a “cyber range” gives trainees a testing environment in which they can increase their cyber-security awareness by playing against fake cyber-criminals to incite an attack or to learn what to expect from an attack. Yamin, Katt, and Gkioulos (2020) offer a “cyber range” system that includes the following concepts: scenarios, monitoring, teaming, scoring, and management. The findings from the Yamin, Katt, and Gkioulos (2020) study revealed that using “cyber range” systems plays a significant role in cyber-security education.
Healthcare organizations should be aware of new threats that might appear within the health care organization, locally and globally. Those threats may include, but are not limited to, cloud security breaches, unsecured mobile devices, ransomware, Internet of Things exploits, and, not surprisingly, people.