Five Things Hospitals Should Do Immediately to Improve their Cybersecurity Posture

The following is a guest article by Jonathan Goldberger, Senior Vice President, Security Practices & Strategic Sales at TPx

Hospitals face the threat of cyberattacks daily and each attack threatens the hospital’s public brand and, worst of all, public health.

Because nearly every function at hospitals today is electronic, a cyberattack is crippling to the point where a provider can’t do anything. Even tasks such as sending a prescription to the pharmacy and ordering or reviewing X-rays are challenging amid a cyberattack.

It’s no secret that threat actors are targeting companies and organizations regardless of their size. However, hospitals are unique considering the reams of patient data entrusted to them.

As such, a hospital’s approach differs from that of a small or a mid-sized company.

Compounding the issue for most hospitals is that they operate on tight budgets and thin staff, and often they don’t have everything they need. This leaves key vulnerabilities in the areas where risk hasn’t been reduced.

Recognize that the Risk is Real

Before hospitals can act on the threat, they must accept that it is real and understand their organization’s shortcomings. An annual gap assessment is the best way to understand those areas where improvement is needed.

Technology and regulations are changing rapidly, and a gap assessment gives an organization a baseline: it marks where they stand today while identifying the gaps they must close for everyone who connects to the network.

Consider the Federal Trade Commission’s (FTC) Safeguards Rule, which requires companies with significant financial transactions to protect customer information in specific ways. It states that organizations must write into their vendor contracts that vendors will meet the requirements of the organization’s security program. These requirements must be clearly defined to ensure that both the organization and its vendors comply.

Prepare to Tackle Ransomware

Ransomware often arrives through three well-established and well-known vectors: phishing; the remote desktop protocol (RDP) or remote administration of routers, firewalls, and other network systems; and misconfigured web applications.

Hospitals are no exception: an overwhelming number of hospital ransomware attacks come through these vectors. They must be diligent and go beyond what other organizations do to protect those vectors.

Hospitals have an increasing number of web applications that patients use to schedule visits or pay bills. While providing patients with convenience, these web applications are another point of risk to consider.

The good news is the solutions exist. And the means of reducing the risk from those threat actors is well established. But it’s about doing more than the minimum.

Deploy Inbox Detection and Multi-Factor Authentication

Relying on recipients to validate an email’s authenticity is challenging. When it comes to phishing, a recipient sees an authentic-looking email, so they click on it.

Inbox detection and response can be one of an organization’s best returns on investment. It is an inexpensive solution that companies can use all the time, and it significantly reduces risk.

What is ideal about an inbox detection and response solution is that instead of clicking on a link in the email, recipients click a button to submit the email for validation. Essentially, recipients can get a certification of authenticity for each email that comes in. That goes beyond simply conducting training.

This type of tool is a better means to protect against phishing. But there is another that mitigates two of the three vectors: multi-factor authentication.

Multi-factor authentication acts as a safety net. It can save organizations from more serious phishing attacks because, in many cases, attackers capture pools of credentials from the network and replay those credentials against the key systems they are trying to access; without the second factor, a stolen password alone is not enough.

MFA protects against bad actors using administrator or user credentials to gain network access. Many organizations rely on MFA for administrators, but MFA for everyday users is another key tool in protecting a network.

Conduct Regular Security Awareness Training

The best way for hospitals to combat threats like phishing is to bring their team members into the fight. Security awareness training will have the most significant impact on an organization, but it must be done every month, not once a year.

Pushing phishing exercises to team members every month empowers them to apply what they’ve learned and ensure they don’t make mistakes. When mistakes happen in these exercises, they occur in a controlled environment where the risk is low, and the results can be used to inform future plans.

Mitigate the Greatest Risk: The Human Factor

The difficult part in cybersecurity is it only takes one person to click. An organization can have the best technologies, hardened servers, vigorous security training and policies, but if one user clicks on a phishing email, all those efforts are for naught.

They might download malware or log into a bogus credential-capturing site, giving bad actors access to the company’s network.

Measuring the return on investment is an age-old question. Cybersecurity tools don’t have to be expensive to be effective.

An organization should consider that an average ransomware attack could cost roughly $200,000 — and larger institutions might be on the hook for more. Additionally, offerings like cyber insurance can help offset some of the cost to companies in the event of an attack, but like any insurance, the best policy is the one an organization doesn’t need to fall back on.

If the dollar amount isn’t enough to convince the organization, focus on downtime costs for booking, billing, and other systems, a statistic every CIO knows. Based on those, the team can evaluate the cost of a solution against the potential cost of the threat it remediates.

Security teams have found that these solutions reduce the phishing rate alone by over 80%. That’s a tangible number and a significant return on investment.

With the multitude of threats facing hospitals, providers must critically assess their security posture and take action to bolster their efforts. It’s always easier to proactively prepare for a cyberattack than it is to retroactively respond to one.

About Jonathan Goldberger

Jonathan Goldberger is an accomplished Senior Executive at TPx with 26 years of success spanning cybersecurity and information technology roles. He has a diverse cybersecurity experience leading security consultancies at TPx, Cisco, Sourcefire, and Cybertrust. He led Sales Engineering at Venafi and was the General Manager of Security Solutions at Unisys. Jonathan’s expertise extends across all aspects of cyber security: professional services, managed services, sales, and go-to-market. As an entrepreneur himself, Jonathan is keenly aware of small business challenges and the need for cost-effective security solutions that protect against the most relevant risks.
