After experiencing a massive ransomware attack that caused the near-shutdown of 400 sites, the Universal Health Services (UHS) has become the most recent example to highlight the issue of cybersecurity in health care organizations.
In a recent statement, UHS revealed that the attack affected acute care facilities and behavioral health hospitals, as well as corporate level systems, and caused UHS to suspend user access to various applications for several weeks.
It’s thought that the breach was triggered by ransomware delivered via phishing link through an email. Because healthcare organizations heavily rely on electronic records, email, and internal digital communications to share highly sensitive and high-priority data, they are a prime target for attackers.
A successful attack on a health care organization like UHS could leak confidential information, violate HIPAA policy, and interrupt patient care. There is absolutely the possibility it could lead to a life or death situation.
As more health care organizations are targeted, many institutions have started modernizing their security, but just as many lag behind completely.
Now is the time to start their transformation. Here are six tips that healthcare institutions can take to increase the effectiveness of their security.
- Layers, layers, layers: Don’t rely on just one defense to keep all threat attacks out. Instead, use a combination of antivirus, firewalls, and regular screening and maintenance.
- Back everything up, constantly: When it comes to hospitals, urgent care facilities, and other time sensitive health care facilities, having patient data on hand accurately, immediately, and constantly is the bare minimum. Backing personal data up monthly or weekly isn’t good enough; organizations need to transition to continuous backup solutions.
- Staff education: Given how most health care organizations rely heavily on email communication, staff and faculty should be provided with regular training to help them pick out phishing scams and other common pitfalls. Employees who are more adept at spotting dubious messages and links are less likely to fall for a scam that could then compromise the system.
- Institute Multifactor Authentication (MFA): Health care data and networks are jam packed full of sensitive material—to protect it, it’s absolutely worth having a second layer of identification security. It will not only deter hackers in the first place but it might also alert someone to a possible threat attempt before it happens.
- Strong passwords, for everyone: This goes without saying but in hospitals, credential sharing is a particularly common practice, that needs to stop for the sake of collective security. Often hackers will use brute force attacks to guess employee passwords, and be successful if the passwords people are using are weak, or potentially already compromised. This threat can be immediately reduced if the organization can integrate software, like Enzoic, that continuously monitors the system for exposed and weak credentials.
- Use VPNs: Especially since the COVID-19 pandemic, many health care appointments are taking place virtually. This means that more health care workers can work remotely, but this introduces many issues on the security front. Hospitals and health care facilities should require staff working from home to use a Virtual Private Network (VPN) to access their work files.
We are all on a journey to greater security, but health care has so many dangerous ramifications if the security is compromised it’s particularly crucial for organizations to get on board, quickly. If you are in the sector, or in related sectors, consider embracing the above steps to protect yourself and your organization.
Read more here for additional commentary.
By: Bronwen Hudson