By Joshua Skeens, Chief Operating Officer, Logically
Twitter: @LogicallyMSP
Electronic Health Records (EHR) have completely revolutionized the healthcare industry for the better. By removing human error from the equation, healthcare providers can better focus on the patient data needed to deliver speedy treatment and lifesaving results.
At the same time, the ability to access that wealth of incredibly valuable personal data online has made the healthcare industry particularly vulnerable to cyberattacks. In fact, amidst the COVID-19 pandemic, cyberattacks against healthcare entities in the United States rose by over 50 percent. This, of course, can not only disrupt healthcare entities’ day-to-day operations and reputation, but also pose a major risk to the patients they serve nationwide.
With such high stakes, now is the time for healthcare organizations to start doubling down on cybersecurity efforts.
Digitization Leads to Specific Risk Factors
In decades past, much of the patient data that cybercriminals sought after wasn’t stored on a computer; this information was kept in manilla folders and locked away in a physical filing cabinet. But as rapid digitization became the “bread and butter” of healthcare organizations and their operations, more and more patient data exists exclusively in an online healthcare system. And the digitization of these records only increased in frequency as COVID-19 hit, and telehealth options became the new normal.
As a result, healthcare organizations are at high risk for cyberattacks because they house a wealth of sensitive patient information and critical data, including PII, financial records, health data, and more. Bad actors can breach unsecured healthcare organizations, collect this data, and sell it on the dark web for various illegal uses, including identity theft.
Suggested Resources and Best Practices
With the advantages of digitalization, EHRs – and their associated security risks – aren’t going away any time soon. However, there are a few steps leaders can take to mitigate cyber risk for their organizations.
Industry experts estimate that around 60 percent of data breaches happen via third-party vendors. If your organization chooses to leverage third-party applications and vendors to digitize existing healthcare records and maintain new ones, consider putting regular audits in place that keep them up-to-date with strict security standards.
Remember that your employees are your first line of defense – and greatest weakness. To help them avoid falling victim to an email scam, ensure your organization has implemented email security atop your current email delivery system, as well as multi-factor identification (MFA). Phishing is one of the most prevalent threats against healthcare systems today, so ensuring these two security systems are in place to reduce the ability of cyber criminals to access sensitive information even if they do gain a foothold into your network is crucial.
In addition, employees should undergo regular security trainings to ensure they know how to recognize a scam, and understand what next steps to take (e.g. encourage employees to forward suspected phishing emails to your IT team to block future correspondences). Not only does this training ensure employees take ownership of protecting patient data, but it also greatly reduces their chances of being leveraged by a bad actor as an entry point into your organization.
Finally, ensure your organization runs comprehensive data backups early and often. In the event a ransomware attack does occur, your organization must be able to restore the ransomed data in a timely and accurate manner to restore normal business operations. Implementing the 3-2-1 method – three copies of data, two onsite and on different media, and 1 offsite – is the most foolproof backup method. As ransomware attacks continue to rise, some organizations have started keeping a fourth copy of data that’s not directly accessible online.
Healthcare organizations are likely going to remain a primary target for cybercriminals for years to come, and healthcare organizations must prepare by prioritizing cybersecurity. Taking the conversation around patient information security seriously and putting plenty of security measures like 3-2-1 data backups and MFA in place is necessary to ensure patient trust in your healthcare system. After all, it’s not just about keeping your organization safe; it’s about keeping your patients safe, too.