Understanding the threats faced by the healthcare industry in the light of a pandemic.
The global healthcare faces its own set of challenges when it comes to cybersecurity. These challenges can either be malware attack threatening to compromises the integrity of systems and privacy of patients or distributed denial of service (DDoS) attacks that can disrupt facilities’ ability to provide patient care. This is because healthcare organizations amass vast amounts of confidential and sensitive personal information about their patients. According to Becker’s Hospital Review, healthcare data breaches cost the health care industry, approximately US$5.6 billion every year. And since COVID-19, the cybersecurity issues have worsened tremendously. IBM Security reports a 600 percent increase in spear-phishing cyber-attacks in 2020, with the U.S. health care industry being the most common target. While mitigating these hurdles can be a complex challenge, and healthcare stakeholders have always been content with such threats, it is high time things change.
The Problems Areas
On May 5th, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) issued a joint alert to warn that “advanced persistent threat (APT) groups are exploiting the COVID-19 pandemic” to specifically target “healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments,” presumably to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities. Apart from this healthcare industry still runs risks of being prone to cloud threats, ransomware, phishing attacks, browsing attacks, and encryption blind spots — all constituting as Achilles” heel of healthcare cybersecurity. Moreover, the failure of healthcare bodies to invest in robust cybersecurity protocols and tools allow hackers to exploit security vulnerabilities to steal healthcare data, disrupt operations, and generate profits. “Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19,” said Jürgen Stock, INTERPOL Secretary-General, in a statement.
The Prescriptive Solutions
However, there are some practices that healthcare officials can enforce to protect themselves from such attacks in the future. For instance, by implementing a zero-trust security model, healthcare bodies can introduce granular controls on network traffic. This takes away the opportunity for modern attackers and internal rogue users to leverage attacks and gain access to sensitive personal health information (PHI) while remaining under the radar. They can adopt Software-defined networking (SD-WAN) to secure the process of information relay among stakeholders like patients, caregivers, insurance agencies, and others.
Further, they can ensure all healthcare employees, including the C-Suite, consistently promote and support practicing effective cybersecurity policies, processes, and procedures via a comprehensive cybersecurity awareness, education, and training program that includes spear-phishing campaigns and cyber healthcare data breach table-top exercises. Measures to increase the security of Electronic Health Record (EHR) systems via encryption and adding multi-factor authentication (MFA) should be encouraged. A rapid incident response plan must be devised for preparedness in case of an emergency situation. This should include periodic cyber diagnostics like inspection of cyber intrusion detecting systems, audits, implementation of an enterprise-wide business continuity plan (BCP) and disaster recovery plan (DRP), including an off-line and fully redundant healthcare data back-up system.