4 top threats to healthcare cybersecurity

Hackers, data breaches, phishing — healthcare cybersecurity is under constant attack. In fact, the U.S. Department of Health and Human Services (HHS) reports that cyberattacks in healthcare have risen at an alarming rate since the decade began.¹

Cyberattacks not only damage an organization’s reputation and relationships, they can also result in penalties as large as $1.5 million annually for HIPAA records. Hackers aren’t just stealing information — they’re holding it for ransom. When critical medical records are no longer accessible because they’re held for ransom, patient health suffers. Healthcare’s focus on patient health is part of what encourages ransomware attacks — hackers bet that they will pay. In this article, we look at four more factors contributing to the rise in threats to healthcare cybersecurity.

1. Staffing

There are fewer healthcare staff than before the pandemic — 78,000 fewer in July 2022 compared to Feb. 2020.² The U.S. Bureau of Labor Statistics reported “that more than 275,000 additional nurses are needed from 2020 to 2030. Employment opportunities for nurses are projected to grow at a faster rate (9%) than all other occupations from 2016 through 2026.”³

Those healthcare workers who struggled through the pandemic are experiencing fatigue and burnout, causing frustration and lack of vigilance — making organizations more susceptible to attack.

Healthcare organizations are turning to remote workers, telehealth, and other solutions to overcome staffing shortages and widen the hiring pool. That can come at a cost. Remote devices that aren't connected properly or equipped with the right capabilities can leak sensitive protected health information (PHI). Hackers can quickly gain access to your network through a remote connection and deploy ransomware or steal valuable patient data, resulting in a breach and loss of business operations — threatening patient care.

Healthcare data draws a high dollar on the black market because it is rich in personal data and valuable to identity thieves giving access to credit card information, email addresses, social security numbers, employment data and health history.

By outsourcing services to established IT organizations, healthcare entities can enable secure remote work necessitated by shifting employee needs.

2. Paperwork

Paperwork can be a security risk. PHI can be compromised when paper forms are scanned, copied, printed, or faxed. Three ways to improve security and reduce the risk of cyberattacks in healthcare:

Implement electronic forms

Replace paper forms with electronic versions and sync them with electronic health records. Patients and staff will enjoy the availability and convenience of having the correct, secure form ready for a signature, even in a telehealth environment.

Automate workflows

Automated routing moves encrypted information seamlessly to only the appropriate team or individual in a HIPAA-compliant, secured environment. For employees working from home, ensure settings allow for secured off-site exception handling.

Employ patient and form barcodes

Guard PHI by employing barcodes for tracking, auditing, reporting and return mail handling. Barcode-driven workflows eliminate manual collation and the need for random compliance inspections.

PHI is constantly on the move and having an audit trail is critical for security and regulatory compliance. Solutions that handle PHI must work under HIPAA’s privacy and security rules, so it’s critical to ensure that service providers support HIPAA compliance to help support ongoing business transformation.

3. Interoperability

Healthcare leaders are seeking partners that can help streamline operations from the front to the back of the office while offering secure transmission of PHI as it passes through each point. Why?

Managing multiple vendors spreads staff thin and creates complexities with processes, security, finances, and more. And digital interfaces for connecting different vendors’ electronic health record systems are often prohibitively expensive.

Part of the challenge is the proliferation of medical devices — some with legacy software systems that can no longer be updated. And those medical devices can be used as weapons. Application programming interfaces (APIs), the tools needed to exchange records and data, can be exploited to gain access to a network. It’s necessary to test APIs extensively to ensure security to allow the applications to continue talking to each other without leaking sensitive PHI.

With so many third-party partners involved in providing the technology that shares PHI, it’s no surprise that marrying the security of those systems without risk of compromise is difficult. Limiting the number of third-party partners to those with a wide depth and breadth can help healthcare organizations scale up or down as needed while ensuring the interoperability and security of systems.

4. Trust

Given the interconnected nature of the future with the Internet of Medical Things (IoMT), including software, applications, remote patient care devices, virtual care, robotics, and more, the current perimeter-based security model used by most healthcare organizations isn’t effective. To stay ahead of these trends, health organizations must make a fundamental shift to a Zero Trust model.⁴

The Zero Trust model recognizes that traditional security perimeters are a thing of the past. Zero Trust systems must always validate access for all resources to ensure only authorized, validated individuals are accessing data. It shifts defenses from traditional static, network-based perimeters to focus on:

• Users – people using your system, including staff, vendors, and contractors

• Assets – where your information and data live

• Resources – tools used to protect your information

Zero Trust relies on a multi-layered approach — with the core principle that nothing can be trusted. With the traditional perimeter gone, the “trust but verify” paradigm is also gone, replaced by verify-verify-verify.

Technologies often deployed in Zero Trust systems include:

• Multi-factor authentication

• Advanced endpoint protection

• Event isolation technologies

• Data encryption

• Identity management and protection

• Secured messaging

• Asset validation prior to connection

Zero Trust requires a cultural shift and company-wide commitment to security and clear communication to succeed. An experienced partner can assist in creating a culture of security and communicating with employees, partners, vendors, and more to assist healthcare organizations in modernizing their systems to protect against the latest attacks.

Related content

Article: Principles of Zero Trust Security

What you can do to improve cybersecurity

To effectively stay current on the latest vulnerabilities, health entities should continually review and update cybersecurity protocols and response plans. Implementing a risk assessment can have a significant impact on healthcare cybersecurity. Thoroughly review all aspects of data collection, storage, and use to improve and support tighter security measures across your organization — from business operations to output management and interoperability.

Include these key business systems as part of an internal review of cybersecurity preparedness:

• Business process optimization — Examine current processes and operations to identify security gaps while looking for ways to improve efficiency

• Asset management — Monitor vulnerabilities by constantly scanning and reporting enterprise technology assets regardless of location and how those assets work together to support the organization

• Content management — Evaluate how clinical and administrative data is captured and linked to internal systems to improve business and clinical processes in a way that can reduce exposure

• Device management — Confirm the secure organization and flow of internal and external information between internal and external devices

• Forms management — Review the capture, management, and flow of clinical and administrative information to guarantee that data is safely and securely handled, as well as to help reduce the chance of information mismanagement and human error

• Interoperability — Look at ways patient data is typically shared, from an unstructured, analog method to a digital, electronic transfer method

• Output management — Monitor and audit enterprise printing to help address the need for confidentiality, misdirected or forgotten print jobs or unauthorized access

• Point of service scanning — Assess how capturing and directly linking clinical and administrative data to internal systems at the point of service can help reduce potential exposure

• Hardware — Gauge how well the organization uses hardware by examining steps such as user authentication at the printer, encryption to help safeguard documents, data, address books, passwords and more, automatically overwriting latent digital images and managing unstructured data

While a review of these systems may seem extensive, it's necessary to protect your network from the latest vulnerabilities. A trusted IT outsourcing company can identify vulnerabilities, help you establish safeguards, and free up time for you and your staff to focus on what matters most: patient care. Giving healthcare workers more time to focus on improving patient outcomes can deliver a meaningful morale boost and help retain talent — ever-important in this era of staffing shortages.

Outsourced IT services put expert industry knowledge on your side, improving security as well as ongoing system performance. This allows you to become more flexible and agile, ultimately being able to deliver a better patient experience and compete more successfully.

IT outsourcing also helps keep remote and hybrid workers productive and engaged. It not only gives them next-level tech support, but also secure 24/7 access to apps and data and the latest technology with current security standards.

Expert IT professionals can help arm you with a defined backup strategy with disaster recovery planning to keep downtime to a minimum and ensure patient health records don’t disappear forever.

Related Content:

Webinar: Addressing the cost and risk of human error and driving security culture

Webinar: Protecting your business by planning for disaster recovery

Webinar: Containing ransomware outbreaks