Many hackers are well-aware of the data-hungry nature of the healthcare system and subsequently, the value of that data. Recent findings suggests the average cost of a stolen healthcare record at $380, which is more than twice the global average of $141. While the healthcare sector has attempted to address security concerns, a recent report from MediaPro shows that nearly eight in 10 healthcare employees are not adequately prepared to defend against the most common security and privacy threats they regularly face.
To discuss the issues and what healthcare bodies can do to better protect themselves, Digital Journal spoke with Colleen Huber, Director of Cyber Education Strategy with MediaPro.
Digital Journal: What are the major threats facing healthcare?
Colleen Huber: Put simply: cybercrime. Clinics and hospitals are prime targets for cybercrime because they’re filled with personal health information and personally identifiable information, both of which have tremendous value on the black market. Too often we hear about healthcare organizations dealing with data breaches, ransomware attacks, phishing scams and more.
Some of these organizations have invested in protecting the data in their servers but do the bare minimum when it comes to appropriately educating their employee population about proper security and privacy behaviors related to personal health information and personally identifiable information.
DJ: Where are these threats coming from?
Huber: It’s simple; cybercriminals know the value of healthcare data and are exploiting the weakest link: employees. They’re using the full gamut of technical exploits, the lack of basic security and privacy hygiene means low-tech exploits like phishing and impersonation are yielding high value data for threat actors.
DJ: What should healthcare organizations be doing to protect themselves?
Huber:Education and reinforcement are two good places to start, but a larger initiative should be building a culture of security and privacy protection in your organization – that often starts at the top. The healthcare field is constantly learning new and improved ways of providing care; that mindset must be extended to ensuring the cybersecurity hygiene of healthcare employees also improves.
DJ: How about healthcare employees, what training do they need?
Huber:We know, at a minimum, healthcare workers receive Health Insurance Portability and Accountability Act training on a yearly basis, but that training doesn’t usually educate employees on how to spot external, cybersecurity threats. Healthcare is one of the most targeted industries for cyberattacks, and employees in this industry must have both the education and awareness of a broad spectrum of cybersecurity threats. Education is not enough by itself; it must be folded into an intentional, robust privacy and security awareness program that creates a risk-aware culture and better protects the security of organization and patient data.
DJ: How do healthcare companies stay up to date?
Huber:Awareness really is the key. We work with a number of healthcare organizations that rely on our content libraries to react to emerging threats.
DJ: What are the main findings from your report?
Huber:78 percent of surveyed employees are ill-prepared to handle common privacy and security awareness scenarios they were presented with. When comparing healthcare and non-healthcare employee responses, the number of healthcare respondents who had trouble identifying common signs of malware were close to double the number of their non-healthcare counterparts.
Out of all healthcare employees, physicians are the least prepared for cybersecurity threats, with 24 percent lacking awareness toward phishing emails, compared to 8 percent of non-providers. Ultimately, the data in our report shows how much work still needs to be done to ensure healthcare institutions are protected from cybersecurity threats.
Updating protocols and procedures, improving employee training and developing a culture of awareness are the best ways to fight cybersecurity threats, in the healthcare industry and beyond.
