As computerized devices continue to play larger roles in medical practice, the health care industry urgently needs to prioritize cybersecurity and be more proactive in preventing attacks, according to cybersecurity expert Oliver Noble of NordLocker, a company that provides an end-to-end file encryption tool. A hospital bed has up to 20 medical devices connected to it on average, Noble said. All of those devices have a digital component that transmits patient data to a hospital’s computer network. It only takes a single vulnerable link for a hacker to enter the network. Weak password management and insecure data storage and sharing top the list of security issues, he said.
“Many clinics share their patients’ information among themselves or with third-party providers via email,” Noble said. “However, email is one of the least safe methods to send information over. To make sure files are safe, they need to be encrypted first so that in case of interception, no outsider gains access to their contents.”
As a part of risk management, contingency plans for different scenarios should be set up in advance. Medical facilities have a duty to protect patients’ medical records and personal data. “Unfortunately, health care industry employees use shockingly weak passwords, and weak passwords are one of the top causes of data breaches,” Noble said.
It is vital for all employees to be trained on the type of information that is collected on various devices and how the information is stored. They also need to be aware of the various risks and threats.
All employees need to create complex and unique passwords, update them regularly, and store them safely in a password manager. “I believe that every health care specialist who has access to their employer’s computer systems has to be trained in cybersecurity basics, such as password management, email scams, and secure handling of patient data,” Noble said.
As cybersecurity is all about practice rather than theory, he does not propose certification programs. Training materials would not be able to keep up with the latest tactics cybercriminals employ. “Training in protection against cyber threats is essential and should be constant rather than attending a course once a year or even less frequently,” Noble said.
An important method of protection is the virtual private network (VPN). A VPN creates a secure encrypted tunnel between an employee’s device and the internet or the company’s server. “A VPN protects the connection from third-party access, including hackers ready to breach the system,” Noble said.
The health care industry has a history of underinvestment in cybersecurity. This is especially the case with smaller hospitals and medical practices. “While I personally advocate that everyone properly invest in cybersecurity, I know that is not always feasible,” said cybersecurity expert Randy Magiera, DSc, a professor of information technology and information security at Tulane University’s School of Professional Advancement in New Orleans, Louisiana.
There is a growing consensus that senior leadership needs to understand the risks to their organization and invest accordingly. If senior leadership does not take the time and effort to learn about these evolving and increasing digital threats, they could easily find they are the next victim, Magiera said. The number of successful ransomware attacks continues to increase at a steady rate.
Hackers can gain access to files and threaten to leak or destroy files unless a ransom is paid. Clinicians need to make sure safeguards are in place for personal devices (smartphones and laptops) used by the staff and patients. Storing data backups in an encrypted cloud is paramount, Noble said. Controlling access to information is another good strategy. Health care employees should only have access to the information necessary to do their jobs, he said.
The complexity of the health care industry makes it difficult to devise effective defensive mechanisms, cybersecurity policies, and procedures, but everything starts from breaking cybersecurity down into smaller parts, according to Noble. He advocates using a custodial provider that protects medical records by creating a centralized view of all devices connected to the network. This provides constant monitoring for unexpected behavior and sends out an alert if any of the activities deviates from the norm.