When it comes to healthcare cybersecurity, the best defense is also the simplest

The rise in cybercrime is a significant concern among healthcare stakeholders. But defending against these types of attacks is not as complicated as it is often made out to be and can be narrowed to two key steps: deploying multi-factor authentication and staff training.

Along with Covid-19, healthcare providers had to contend with another faceless enemy in 2020: cybercriminals.

Cybercrime in the healthcare industry has grown steadily over the years, but in 2020, it spiked significantly. There were nearly 600 healthcare data breaches last year, a 55% jump from 2019, according to a recent report from Bitglass. Hacking and IT incidents led to 67.3% of all healthcare breaches. Several health systems also became victims, including King of Prussia, Pennsylvania-based Universal Health Services and Pittsburgh-based UPMC.

As with diseases, prevention is better than cure for cybercrime too. According to cybersecurity experts, there are two simple steps providers can take to prevent cyberattacks — implementing multi-factor authentication for their systems and educating their staff.

But first, it might be helpful to know the cause for the increase in cybercrime.

The pandemic, and the concurrent shift to remote work, is one of the reasons for the heightened risk of healthcare cyberattacks, said Sharon Klein, partner at Troutman Pepper and member of the Department of Health and Human Services’ CSA 405(d) Task Group, in a phone interview. The task force was convened to develop cybersecurity practices. 

“We’re all working remotely, folks’ eyes were sort of off the ball for a little bit given the remote workforce, which allowed phishing attacks and therefore exposure to patient information at an unprecedented level,” she said.

As the workforce, in and outside of healthcare, migrated en masse to a virtual model, so did care delivery. With the skyrocketing use of telehealth, the sheer number of device endpoints that come with people using telehealth further opened up the health industry to cybercrime activity, said Zarmeena Waseem, the National Cyber Security Alliance’s director of cybersecurity education, in a phone interview. More device use meant more ways for cybercriminals to hack and take over systems.

But if providers are concerned that protection from these actors will necessarily require complex processes, they may be in for a welcome surprise. Some of the most effective defenses in providers’ arsenal are also among the most basic. Multi-factor authentication, for example. Both Waseem and Klein said this simple step can save providers a great deal of trouble down the line.

Multi-factor, or two-factor, authentication requires users to present at least two pieces of evidence when logging in to an account.

“If providers don’t have two-factor authentication, they really need to,” Klein said. “That’s from a technical perspective.”

This authentication method should not be confined to internal systems alone, Waseem added. Providers need to implement multi-factor authentication for systems or devices used by patients as well.

But technical protections alone are not enough. Waseem and Klein agreed that ongoing education and training for staff is a must. The weakest links in cybersecurity are often well-meaning individuals who share things they shouldn’t, Klein said. Providers should limit the number of people they share patient data with, and ensure those individuals are well-trained to keep the data safe.

More broadly, providers should educate staff on the basics of web-safe behavior, like recognizing verifiable websites online, always using HTTPS before typing in a URL and safe upload and download processes, Waseem said.

Though Covid-19 vaccines are being administered around the country, certain hallmarks of pandemic life, including remote work and increased use of telehealth, will likely continue through 2021.

This means providers must be wary of the persistence of cybercrime this year as well. But engaging providers in these efforts amid a demanding pandemic is a challenge.

“The healthcare industry is so overworked right now, it’s really hard to ask them to pay attention to cybersecurity,” Waseem said. “So, the best thing that I think anyone can do for healthcare right now is to give them a budget to allow them to hire people to manage and educate on these issues.”

Photo: Traitov, Getty Images