Businessman holding virtual protect health and cyber security sign.

4 top threats to healthcare cybersecurity

Summary

Learn about increasing threats to healthcare cybersecurity.

Time: 8 minute read
Hackers, data breaches, phishing — healthcare cybersecurity is under constant attack. In fact, the U.S. Department of Health and Human Services (HHS) reports that cyberattacks in healthcare have risen at an alarming rate since the decade began.[1]
 
Cyberattacks not only damage an organization’s reputation and relationships, they can also result in penalties as large as $1.5 million annually. Hackers aren’t just stealing information — they’re holding it for ransom. When critical medical records are no longer accessible because they’re held for ransom, patient health suffers. Healthcare’s focus on patient health is part of what encourages ransomware attacks — hackers bet that they will pay. In this article, we look at four more factors contributing to the rise in threats to healthcare cybersecurity. 
 
 

Staffing

There are fewer healthcare staff than before the pandemic — 78,000 fewer in July 2022 compared to Feb. 2020.[2] The U.S. Bureau of Labor Statistics reported “that more than 275,000 additional nurses are needed from 2020 to 2030. Employment opportunities for nurses are projected to grow at a faster rate (9%) than all other occupations from 2016 through 2026.”[3]

Those healthcare workers who struggled through the pandemic are experiencing fatigue and burnout, causing frustration and lack of vigilance — making organizations more susceptible to attack.
 
Healthcare organizations (HCOs) are turning to remote workers, telehealth, and other solutions to overcome staffing shortages and widen the hiring pool.. That can come at a cost. Remote devices that aren't connected properly or equipped with the right capabilities can leak sensitive PHI. Hackers can quickly gain access to your network through a remote connection and deploy ransomware or steal valuable patient data, resulting in a breach and loss of business operations — threatening patient care.
 
Healthcare data draws a high dollar on the black market because it is rich in personal data and valuable to identity thieves giving access to credit card information, email addresses, Social Security numbers, employment data and health history.
 
By outsourcing services to established IT organizations, HCOs can enable secure remote work necessitated by shifting employee needs.
 

Paperwork

Paperwork can be a security risk. PHI can be compromised when paper forms are scanned, copied, printed, or faxed. Three ways to improve security and reduce the risk of cyberattacks in healthcare:

 

  1. Implement electronic forms – Replace paper forms with electronic versions and sync them with electronic health records. Patients and staff will enjoy the availability and convenience of having the correct, secure form ready for a signature, even in a telehealth environment.

  2. Automate workflows – Automated routing moves encrypted information seamlessly to only the appropriate team or individual in a HIPAA-compliant, secured environment. For employees working from home, ensure settings allow for secured off-site exception handling.

  3. Employ patient and form barcodes – Guard PIP by employing barcodes for tracking, auditing, reporting and return mail handling. Barcode-driven workflows eliminate manual collation and the need for random compliance inspections.

 

PHI is constantly on the move and having an audit trail is critical for security and regulatory compliance. Solutions that handle PHI must work under HIPAA’s privacy and security rules, so it’s critical to ensure that service providers support HIPAA compliance to help support ongoing business transformation.

 

Interoperability

Healthcare leaders are seeking partners that can help streamline operations from the front to the back of the office while offering secure transmission of PHI as it passes through each point. Why?
 
Managing multiple vendors spreads staff thin and creates complexities with processes, security, finances, and more. And digital interfaces for connecting different vendors’ electronic health record systems are often prohibitively expensive.
 
Part of the challenge is the proliferation of medical devices — some with legacy software systems that can no longer be updated. And those medical devices can be used as weapons. Application programming interfaces (APIs), the tools needed to exchange records and data, can be exploited to gain access to a network. It’s necessary to test APIs extensively to ensure security to allow the applications to continue talking to each other without leaking sensitive PHI.
 
With so many third-party partners involved in providing the technology that shares PHI, it’s no surprise that marrying the security of those systems without risk of compromise is difficult. Limiting the number of third-party partners to those with a wide depth and breadth can help HCOs scale up or down as needed while ensuring the interoperability and security of systems.

 

Trust

Given the interconnected nature of the future with Internet of Medical Things devices, virtual care, robotics, and more, the current perimeter-based security model used by most healthcare organizations isn’t effective. To stay ahead of these trends, HCOs must make a fundamental shift to a Zero Trust model.[4]

 

The Zero Trust model recognizes that traditional perimeters at HCOs are a thing of the past. Zero Trust systems must validate access always for all resources to ensure only authorized, validated individuals are accessing data. It shifts defenses from traditional static, network-based perimeters to focus on:

  • Users – People using your system, including staff, vendors, and contractors
  • Assets – Where your information and data live
  • Resources – Tools used to protect your information

Zero Trust relies on a multi-layered approach — with the core principle that nothing can be trusted. With the traditional perimeter gone, the “trust but verify” paradigm is also gone, replaced by verify-verify-verify.

Technologies often deployed in Zero Trust systems include:

  • Multi-factor authentication
  • Advanced endpoint protection
  • Event isolation technologies
  • Data encryption
  • Identity management and protection
  • Secured messaging
  • Asset validation prior to connection

Zero Trust requires a cultural shift and company-wide commitment to security and clear communication to succeed. An experienced partner can assist in creating a culture of security and communicating with employees, partners, vendors, and more to assist HCOs in modernizing their systems to protect against the latest attacks.


Related content


Article: Principles of Zero Trust Security

 

 

The internal actor has figured prominently in cybersecurity breaches.

"Data breach investigations report: Executive summary", Verizon, 2022.


What you can do to improve cybersecurity

To effectively stay current on the latest vulnerabilities, HCOs should continually review and update cybersecurity protocols and response plans. Implementing a risk assessment can have a significant impact on healthcare cybersecurity. Thoroughly review all aspects of data collection, storage, and use to improve and support tighter security measures across your organization — from business operations to output management and interoperability.

 

Include these key business systems as part of an internal review of cyber security preparedness:

  • Business Process Optimization — Examine current processes and operations to identify security gaps while looking for ways to improve efficiency
  • Asset Management — Monitor vulnerabilities by constantly scanning and reporting enterprise technology assets regardless of location and how those assets work together to support the organization
  • Content Management — Evaluate how clinical and administrative data is captured and linked to internal systems to improve business and clinical processes in a way that can reduce exposure
  • Device Management — Confirm the secure organization and flow of internal and external information between internal and external devices
  • Forms Management — Review the capture, management, and flow of clinical and administrative information to guarantee that data is safely and securely handled, as well as to help reduce the chance of information mismanagement and human error
  • Interoperability — Look at ways patient data is typically shared, from an unstructured, analog method to a digital, electronic transfer method
  • Output Management — Monitor and audit enterprise printing to help address the need for confidentiality, misdirected or forgotten print jobs or unauthorized access
  • Point of Service Scanning — Assess how capturing and directly linking clinical and administrative data to internal systems at the point of service can help reduce potential exposure
  • Hardware — Gauge how well the organization uses hardware by examining steps such as user authentication at the printer, encryption to help safeguard documents, data, address books, passwords and more, automatically overwriting latent digital images and managing unstructured data
While a review of these systems may seem extensive, it's necessary to protect your network from the latest vulnerabilities. A trusted IT outsourcing company can identify vulnerabilities, help you establish safeguards, and free up time for you and your staff to focus on what matters most: patient care. Giving healthcare workers more time to focus on improving patient outcomes can deliver a meaningful morale boost and help retain talent — ever-important in this era of staffing shortages.
 
Outsourced IT services put expert industry knowledge on your side, improving security as well as ongoing system performance. This allows you to become more flexible, agile, and ultimately deliver greater patient experience and compete more successfully.
 
IT outsourcing also helps keep remote and hybrid workers productive and engaged. It not only gives them next-level tech support, but also secure 24/7 access to apps and data and the latest technology with current security standards.
 
Expert IT professionals can help arm you with a defined backup strategy with disaster recovery planning to keep downtime to a minimum and ensure patient health records don’t disappear forever.
 
“You have to know what is affected and how long it’ll take to restore — a process that begins, actually, well before disaster ever strikes,” said David Levine, Ricoh Chief Security Officer. “You need to perform a thorough assessment of what optimal performance looks like under normal circumstances, and only then can you judge the damage in an emergency and estimate what it’ll take to recover.”
 
Related Content:


Doctor examining x-rays in hospital

How to prepare staff to protect cybersecurity

The threat landscape evolves fast, making it difficult for understaffed organizations to keep up with the latest healthcare cybersecurity trends. Whaling, vishing, pharming — there are more than 20 types of phishing alone, which is one of the most prevalent causes of attacks on healthcare cybersecurity. Training staff to look out for all the ways people can gain unauthorized access to a HCO system is a significant task requiring educated partners.
 
The internal actor has figured prominently in breaches.[5] The federal government should support HCOs in training workers, according to John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association.[1]
 
“Make no mistake: end-user security is a major challenge,” said Levine. “Human error being what it is, someone is likely to make a mistake, especially as attacks get more complex and deceptive. There’s a reason that phishing and social engineering are as prevalent as they are — they work.”
 
While you will never be able to fully eliminate human error, a strong end-user training and education program should be part of a larger plan to not only limit potential points of attack but to mitigate the damage when one occurs.


Mock hacks and phishing email attacks should be implemented to test employees and identify where additional staff training on cybersecurity best practices, policies, and protocols may be required on topics like:

  • Suspicious URLs or domain names
  • Emails requesting personal information, containing odd messaging or typos/grammatical issues
  • Opening email attachments from unknown sources
  • Using the same password for multiple sites
  • Benefits of a secure password manager
  • Risks of using public computers or unsecured wireless connections
Hiring security professionals and hackers to identify gaps in your system allows you to focus on patient care instead of the ever-changing cybersecurity landscape. Part of their responsibilities should include annual staff training that gives your team the information and tools to help protect PHI and adhere to the latest rules and regulations.
 
Cybersecurity risks are ever-present, and threats are growing more sophisticated. At the same time rapid change in industry competition, government regulations, economic conditions, and new and legacy technologies expose HCOs to risk.
 
The high cost of doing nothing, or not enough, underscores the need for reliable security.
 
Visit the Ricoh Cybersecurity Solutions page to discover leading-edge technologies and services to safeguard against threats.

 

Recommended for you

Healthcare pros-Are you protecting your patients' personal information Protecting patients' personal information through data security
Automating a Medical Center’s Patient Packet Workflow See how Ricoh automated the patient packet workflow for a world-renowned medical center—generating $250K a year in savings.
3 routes to greater collaboration and care coordination Health information management can be a big challenge for IDNs and other health systems, but is essential to improve collaboration and care coordination.
1https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf
2https://altarum.org/sites/default/files/uploaded-publication-files/HSEI-Labor-Brief_Aug_2022 final.pdf
3https://www.ncbi.nlm.nih.gov/books/NBK493175/
4https://www.hhs.gov/sites/default/files/zero-trust.pdf
5http://www.verizon.com/business/resources/reports/dbir/
Close Chat
HelpChoose A Topic