Healthcare Cybersecurity Sets New Course of Action in 2021

March 2, 2021

With many competing priorities stemming from COVID-19, it’s crucial for healthcare to not neglect cybersecurity measures. The Department of Health and Human Services (HHS) noted a 50% increase in healthcare cybersecurity breaches during the first half of 2020, highlighting that cybercriminals exploited vulnerabilities within hospitals and healthcare providers exposed by the response to COVID-19.

The dramatic increase in attacks both compromises patient safety and weakens trust in the healthcare sector. Incidentally, patient data has been placed at significant risk, with 48% of patients being unwilling to use telehealth solutions again due to a breach. To curb these scenarios, the healthcare sector must implement a three-point action plan to change its current direction: secure telehealth solutions from outside interference; invest in the same cybersecurity measures as other forward-thinking industries like the financial sector; and recruit capable talent to educate current employees and manage cybersecurity measures.

Protecting the Delicate Balance Between Telehealth and Data Privacy

A considerable number of Americans, 54% to be precise, have opted to use telehealth during the COVID-19 crisis, given the push to increase social distancing and stay away from crowded areas like a hospital waiting room. Telehealth has become permanent within healthcare as 73% of Americans intend to use telehealth solutions even after COVID-19 passes.

Despite its benefits, telehealth, if not done right, has extended the attack surface for hospitals and health systems. This is largely due to the HHS easing restrictions for consumer-facing communication platforms like FaceTime, Skype and Zoom. Though this has extended the scope of healthcare delivery, unsecured networks may allow hackers to steal sensitive data more easily or exploit a lack of encryption to launch cyberattacks. Additionally, the American Telemedicine Association and HIMSS have asked Congress to continue the easement of telehealth restrictions throughout 2021, which will only exacerbate the problem at hand.

Instead of leveraging consumer-facing communication tools, hospitals and healthcare providers should use private, enterprise-grade communication platforms to conduct appointments. These platforms provide better encryption and let hospitals and healthcare providers implement privacy settings unique to them, ensuring two-way conversations between doctor and patient are just two-way. However, this is only one part of strengthening healthcare cybersecurity.

Taking a Page from the Financial Sector When It Comes to Cybersecurity

Healthcare should take cues from financial service organizations and embrace the same strategic solutions they are spearheading. Banks adopted digital tools, such as data analytics and machine learning, in anticipation of cybercriminals launching cyberattacks during the pandemic, a concern echoed by an alert issued by the U.S. Securities and Exchange Commission (SEC).

Meanwhile, the solutions recommended for hospitals and healthcare providers are similar: endpoint protection, multi-factor authentication and network segmentation. Each solution is critical as it protects electronic health records from adversarial manipulation. Such manipulation has the potential to threaten patient safety and force hospitals or healthcare providers to redirect patients to other facilities, which has real-world consequences.

Recall the 2020 incident in Düsseldorf, Germany, where the first ransomware-related death occurred as a cyberattack forced Düsseldorf University Hospital to divert a patient to another facility. This indicates the severe impact data breaches and ransomware attacks can have if security is not taken seriously.

Banks have allocated significant funding to invest in technologies that protect client assets. For example, JPMorgan Chase allocated $12 billion to its technology budget, which is slated for the company’s future next-generation platforms. Hospitals and healthcare providers, on the other hand, have dedicated less than 5% of their budget to cybersecurity. This requires immediate attention, making strategic investments the second point of the action plan for the healthcare sector.

However, these solutions do not operate themselves; they require talented professionals to ensure each functions properly.

Cybersecurity Talent is Crucial to Healthcare Cybersecurity

Thwarting cybercriminals also depends on an organization’s employees. Any talent gaps can strain the hospital’s resources, resulting in significant costs. The lack of cybersecurity talent has cost the healthcare sector millions as hospitals and healthcare providers fall victim to cyberattacks. With a capable team, targeted healthcare providers could have detected and prevented these incidents.

Healthcare organizations should also use their own workforce to add another layer of defense: educating current employees on the new threat landscape as well as the latest cybersecurity solutions or techniques. This is especially crucial due to the remote workforce accessing healthcare records online. For example, a training session highlighting how to establish a secure VPN can help build awareness of potentially suspicious activity. Another approach is establishing policies for all employees when it comes to accessing and managing healthcare records, which contributes to the safety and security of patient data.

360-Degree Security is the New Course

We have seen firsthand how damaging a cyberattack can be to the healthcare sector, with Universal Health Services (UHS) and the Department of Veterans Affairs (VA) being prime examples. On Sept. 27, 2020, UHS suffered a cyberattack compromising 250 facilities nationwide, whereas the VA encountered a data breach that compromised the sensitive information of about 46,000 veterans on Sept. 14.

Enlisting a multi-layered approach to cybersecurity will help protect hospitals and healthcare providers on the expanding threat landscape and keep them ahead of the curve. For too long, the healthcare sector has relied on the status quo. However, COVID-19 has highlighted the vulnerabilities the sector faces if nothing is done on security, as well as the importance of charting a new course that aims to maintain resilience and business continuity in the new normal.

Just as face masks and social distancing are mandated, it is mandatory for hospitals and healthcare providers to implement the following measures to obtain complete cyber hygiene: protecting telehealth services from potential compromise, budgeting funds for proactive cybersecurity measures, and sourcing the applicant pool for the best talent to upscale employee knowledge and manage security parameters.

About the author: Caleb Barlow is the CEO and President of CynergisTek.