A recent report reveals that more than a third of healthcare organisations are unprepared for cyberattacks, despite an apparent rise in such incidents. Over the past three years, over 30% of these organisations have faced cyberattacks. The HHS Office for Civil Rights has reported a 256% increase in large data breaches involving hacking over the last five years, highlighting the sector's growing vulnerability.
Sensitive Data at High Risk
Healthcare organisations manage vast amounts of sensitive data, predominantly in digital form. This makes them prime targets for cybercriminals, especially since many operators have not sufficiently encrypted their data at rest or in transit. This lack of security is alarming, considering the high value of protected health information (PHI), which includes patient data, medical records, and insurance details. Such information is often sold on the dark web or used to ransom healthcare providers, forcing them to pay up to avoid losing critical patient data.
In response to the surge in cyberattacks, federal regulators and lawmakers have taken notice. The HHS recently released voluntary cybersecurity guidelines and is considering the introduction of enforceable standards to enhance the sector's defences. However, experts stress that healthcare systems must take proactive measures, such as conducting regular risk analyses, to better prepare for potential threats. Notably, the report found that 37% of healthcare organisations lack a contingency plan for cyberattacks, even though half have experienced such incidents.
To address these challenges, healthcare organisations need to implement several key strategies:
1. Assess Security Risks in IT Infrastructure
Regular cyber risk assessments and security evaluations are essential. These assessments should be conducted annually to identify new vulnerabilities, outdated policies, and security gaps that could jeopardise the organisation. Comprehensive cybersecurity audits, whether internal or by third parties, provide a thorough overview of the entire IT infrastructure, including network, email, and physical device security.
2. Implement Network Segmentation
Network segmentation is an effective practice that divides an organisation's network into smaller, isolated subnetworks. This approach limits data access and makes it difficult for hackers to move laterally within the network if they gain access. Each subnetwork has its own security rules and access privileges, enhancing overall security by preventing unauthorised access to the entire network through a single vulnerability.
3. Enforce Cybersecurity Training and Education
Human error is a growing factor in data breaches. To mitigate this, healthcare organisations must provide comprehensive cybersecurity training to their staff. This includes educating employees on secure password creation, safe internet browsing, recognizing phishing attacks, avoiding unsecured Wi-Fi networks, setting up multi-factor authentication, and protecting sensitive information such as social security numbers and credit card details. Regular updates to training programs are necessary to keep pace with the evolving nature of cyber threats.
By adopting these measures, healthcare organisations can significantly bolster their defences against cyberattacks, safeguarding sensitive patient information and maintaining compliance with HIPAA standards.
