
The HR Manager's Guide to Mitigating Cyber Attacks in Healthcare

Nov 02, 2020

by Anastasios Arampatzis

Cyberattacks in the Healthcare Industry are Increasing

The use of technology in the healthcare sector can be both life-saving and life-threatening. Advancements in technology, like 3D printing, virtual reality, robotics, and the Internet of Medical Things (IoMT), improve the ability of healthcare organizations to provide better care for their patients.

At the same time, criminals leverage this new technology to pursue their malicious goals, either by stealing protected health information (PHI) and other sensitive data or by disrupting the operation of healthcare providers. The recent COVID-19 pandemic serves as a good example of the attack vectors criminals are using. Taking advantage of people’s increased need for timely and accurate information about the pandemic, cybercriminals launched an unprecedented campaign of ransomware and phishing attacks against hospitals and other healthcare organizations, aiming at the disruption of the public health system.

However, this phenomenon is not new. Reports show that the healthcare sector is one of the most targeted industries because of its exposed attack surface and its lucrative personal and medical data. The latest Verizon DBIR report indicates that financially motivated criminals are using ransomware and email phishing as their preferred attack vectors to infiltrate online medical systems and steal personal and medical data. This data is then sold at a high price on the dark web.

Balancing Security and Healthcare Operations

However, while a security incident or data breach can result in lawsuits, loss of revenue and a damaged reputation in other industries, in healthcare it can result in the death of patients. This is the key difference between cybersecurity in healthcare and in other sectors. Failing to mitigate security vulnerabilities and risks can have a devastating effect on human lives.

On the other hand, the implementation of security controls must balance the nature of healthcare workers’ jobs, where the goal of saving human lives has the highest priority. These controls must provide enough security without disrupting how the healthcare workers operate.

Because of the importance and the complexities involved, with real life-and-death implications, healthcare is a heavily regulated industry. Regulation exists not only to ensure that drugs are safe and effective, but also to protect the confidentiality, integrity, and availability of patients’ personal and medical data. Regulations like HIPAA in the U.S., PIPEDA in Canada, and GDPR and NIS in the EU mandate the physical security, cybersecurity and privacy of health records, whether they are on paper or electronic. Along with security requirements, these government regulations dictate heavy fines for data breaches.

Despite the regulatory framework, healthcare organizations often fail to do their homework. According to the U.S. Department of Health and Human Services, which is responsible for the enforcement of HIPAA, the majority of the fines imposed on healthcare entities involve impermissible uses and disclosures of patient information and a lack of safeguards to protect this information.

The vast majority of security incidents, no matter their scale, could have been avoided if applicable security and privacy controls and professionals had been in place. Knowledgeable and skilled security professionals, using proper technology and processes, can minimize the security risks of any organization and ensure a robust security posture.

Lack of Cybersecurity Knowledge

However, despite the importance of personal and medical data to the delivery of life-saving services, the healthcare sector suffers from a lack of skilled personnel.

According to a recent survey, one in four U.S. healthcare workers has never received cybersecurity training from their employer. The U.S. Health Care Industry Cybersecurity Task Force revealed that three in four hospitals have no dedicated cybersecurity professional, while another report showed that 49% of hospitals have no CISO.

These reports reveal a significant lack of cybersecurity training among healthcare workers, leaving healthcare information technology systems and electronic protected health information (ePHI) vulnerable. The cybersecurity skills shortage makes healthcare organizations more desirable hacking targets, causing direct and measurable damage to these organizations.

HR as a Healthcare Security and Privacy Partner

The skills gap identified by these reports might not be such a hard problem to solve, and HR departments can help in this direction.

The HR department can stress the importance of information security and privacy from the initial recruiting process and continue throughout an employee’s tenure. HR can be the conduit between the IT security department and the hospital staff—clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security and privacy issues that arise in every healthcare organization.

For information security and privacy to be effective, it must be emphasized as a standard business practice, integrated into the hospital’s care-giving procedures and functions and reinforced in an ongoing security and privacy awareness program that is kept relevant, engaging and fresh. Raising staff awareness of data security and privacy will make every healthcare worker understand that they can protect human lives by protecting the patients’ data.

Raising Staff Awareness

All healthcare workers should have some type of security and privacy training to make them aware of data protection rules and procedures, plus any threats they may encounter. While cybersecurity training should be part of onboarding, all staff need to receive regular awareness updates to stay current with the latest developments. Just as doctors need continuous education to provide the highest level of healthcare services, all hospital staff need to be updated regularly on security and privacy issues to protect their patients’ data and lives.

In addition, regulators have made clear that health record security and privacy are also a board-level issue, and hospital directors are to be held liable for any data breaches. Hospital executives have the legal responsibility to protect their employees’ and patients’ data. The U.K.’s National Cyber Security Centre says cybersecurity should be part of a manager’s skill set, and its guidance states that “executive staff should be as aware of the major vulnerabilities in their IT estate as they are of their financial status”.

The benefits of team training

Besides employing certified security and privacy practitioners, a healthcare organization’s security posture can be upgraded by training the security team already in place. At a time when cybersecurity professionals are scarce, organizations that make certification and training a priority are the most likely to attract and retain critical staff.

Skilled professionals with foundational and robust knowledge in healthcare security and privacy can become the organization’s most valuable asset. With a broader understanding of security incidents, the security practitioner can make accurate impact assessments based on the changing threat and technology environment, assisting the executive board in allocating the resources required to implement proportionate mitigation measures and ensuring a cyber-resilient healthcare organization. By implementing security controls aligned with the overall healthcare goals of treating patients and saving human lives, the security and privacy professional can minimize security risks, benefiting the organization in many ways and helping establish trust with patients and partners.

Team training can be very beneficial to your organization, since it can be tailored to your budget and unique cybersecurity requirements. Team training helps keep your team’s cybersecurity skills sharp, proves credibility to partners and clients, and maximizes your training investment.

What is more, in-house security training is an investment with great ROI. Instead of hiring more personnel and increasing your monthly expenditure, it is smart to hire a security professional to deliver the in-house training. The money you spend will be invested wisely in enhancing your personnel’s foundational and versatile skill set in security and privacy, which will help them build self-confidence in addressing complex security problems. Highly knowledgeable security and privacy professionals can help you mitigate threats, lowering the chances of being breached and having to face huge penalties, liabilities and loss of revenue due to a damaged reputation. The cost of a single data breach far exceeds the cost of in-house team training.

Your security and privacy professionals can also become lifesavers, even if they don’t wear white coats.

How (ISC)² Can Help You

As the field of information security continues to grow and advance, more qualified workers are required to fill many open positions in the marketplace. Investing in training your staff is a strategic decision that will enhance your overall cybersecurity posture and make your organization cyber resilient.

(ISC)² is the leader in security certifications and is acknowledged by companies worldwide. (ISC)² can help you discover the right path and create your plan, to ensure standards throughout your security team now and as they develop into new roles. The best way to start building a security-focused team is by enrolling for the (ISC)² HealthCare Information Security and Privacy Practitioner (HCISPP) certification.

HCISPP covers everything a professional needs to know about privacy and security in the healthcare industry. The certification shows that they have the advanced technical skills and knowledge required to implement, monitor, and administer the healthcare infrastructure using privacy and security best practices, policies and procedures. (ISC)² provides in-house training for the HCISPP certification, covering everything a security practitioner needs to know about keeping their business safe.

To learn how your business can benefit, check out our Enterprise Training Solutions, or download our whitepaper, Guide to Defending Against Cyberattacks in Healthcare.