How Healthcare Organizations Should Strengthen Their Cybersecurity Framework

A strong cybersecurity framework guards against the most prominent cyber threats in healthcare.  This framework should also be scalable to meet new threats. 

By staying aware of the latest cyber attacks in healthcare and prepping your security team, your organization can keep a step ahead of today’s cyber criminals. Here is what every healthcare organization should know about the latest healthcare threats and measures to respond. 

Types of cyber threats impacting healthcare

Cyber criminals are using increasingly sophisticated tactics to access healthcare data, and this is occurring on a global scale. This year has already seen several new types of healthcare cyber attacks, as malicious actors target organizations from new angles. Here are a few attacks that have made headlines in the past few months. 

Cloud Vendor Attacks

Cloud computing is a secure alternative to local data storage. However, cloud vendors are not immune to cyber attacks. Recent reports highlight ransomware attacks against several cloud hosting services. 

In this attack, the cyber criminal compromises healthcare records and demands a ransom in exchange for the data.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has linked breaches of hundreds of thousands of patient records to this group of attacks.

Targeted Phishing

Phishing attacks have long been a threat to the healthcare industry and cyber criminals continue to polish this tactic.

Industry reports show a new type of phishing attack that targets unemployed professionals on LinkedIn. The emails contain links to available, yet fake, job postings. When the victim clicks the link, the script takes over the user’s computer. 

This particular attack uses the “more eggs” script, which initially surfaced in 2019. However, there are plenty of phishing attacks that act in a similar fashion. As the pandemic makes workers more vulnerable to these types of scams, healthcare organizations need to be aware of the risk of phishing. One stray click could compromise an entire system.

ePHI Exposure

Electronically protected health information (ePHI) is at the center of healthcare cybersecurity, and hackers are engineering new attacks to obtain this data.

A group of recent cyber attacks involved a vendor whose employee uploaded ePHI to the website GitHub, potentially exposing information like patient names, addresses, social security numbers, healthcare data, and dates of birth.

Several attacks of this nature have happened in the past several years, emphasizing the importance of healthcare vendor security and empowered third-party relationships.  

How healthcare organizations can guard against cyber threats

News of recent cyber attacks can be overwhelming, and it can feel impossible to stay on top of all the latest threats. However, organizations can protect themselves against present and future threats with a comprehensive approach to cybersecurity. 

Your organization’s cybersecurity program needs to be comprehensive and flexible enough to handle the latest cyber threats. Revisiting security protocols can help ensure that your solutions are up-to-date.

Here are a few steps you can take today to fortify your security program against these malicious actors.

Prioritize Cloud Security

Around 83% of healthcare organizations currently use cloud computing services, and this number is set to increase over the coming years. That means that the cloud is an ever-growing target for cyber criminals.

Healthcare organizations need to be sure that their cloud security programs are up to par, while paying close attention to factions like IoT cloud security. Safeguarding your cloud services and vetting third-party cloud providers strengthens the barriers around ePHI.

Run a Managed Phishing Attack

Your organization cannot control phishing attacks, but you can improve how your employees respond to these threats. Healthcare organizations should work with cybersecurity firms to run managed phishing attacks, and educate employees on recognizing phishing attempts.

Posting notices about recent phishing attacks, like the one mentioned above, can provide even more details about what employees should look for in their email inboxes.

Focus on Third-Party Risk Management

Most healthcare organizations work with third-party vendors to complete daily tasks. From IoT device manufacturers to email providers, all of your vendors’ security practices affect the overall security of your organization.

A third-party risk assessment program is a must-have tool for vetting and managing vendor partnerships. So, consider adding this program into your cybersecurity framework if you have not already.

Review Your Incident Response Plan

When it comes to healthcare cybersecurity, prevention is most of the battle. However, security breaches do happen, and how your organization responds makes all the difference.

Take the time to review your IT team’s incident response plan regularly. It is also worth working with a cybersecurity consulting firm to review this plan and adjust your protocol based on your organization’s needs. Following best practices and documenting the incident based on federal regulations is part of mitigating the damage from cyber incidents. 

To learn more about how to protect your healthcare organization, visit our webinars page.