8 Ways to Help Protect Your Healthcare Organization from a Cybersecurity Attack

It’s cybersecurity awareness month. Is your home healthcare, hospice or assisted living organization ready for today’s cyberattack tactics?

In September 2011, Tricare, a healthcare program for active-duty troops, their dependents and veterans, suffered a major data breach after backup tapes of electronic health records were stolen out of an employee’s car. The information of 5 million patients was compromised, including social security numbers, names, addresses, phone numbers, personal health data, clinical notes, lab tests and prescription information.

In February 2015, Anthem, Inc. suffered a cyberattack that resulted in the biggest healthcare data breach ever reported. 78.8 million plan member records were compromised. A cybersecurity firm confirmed that the breach began when a system user opened a phishing email, after which the download of malware was triggered, allowing the cybercriminals to hack their system remotely.

Cybercrime is scary. According to Cybersecurity Ventures, it’s expected to cost the world $8 trillion in 2023 and $10.5 trillion annually by 2025. Healthcare organizations are especially vulnerable to cyberattacks because of the high-value information they store. That’s why planning and preparation are so critical. To read more about the importance of having a cybersecurity incident response plan for healthcare organizations, visit the HIPAA Journal. Further information about building an Incident Response Plan is included below.

Common types of cyberattacks used on healthcare organizations are:

• Phishing—the most prevalent type of cyberattack in healthcare, phishing, is when someone clicks on an unsuspecting email that includes malicious links
• Ransomware attacks—during these attacks, malware is forced into the network to infect and encrypt sensitive data until a ransom is paid
• Data breaches—the healthcare industry suffers a disproportionate amount of data breaches compared to other industries, during which sensitive electronic data is stolen
• Distributed-Denial-of-Service (DDoS) attacks—a flood of fake connection requests are directed at a targeted server, forcing it offline

So, what steps can you take to help best prepare your healthcare facility for these types of attacks?

1. Create a culture of cyber readiness – this requires a multilateral approach, much like the one needed to address physical dangers. According to the Cybersecurity & Infrastructure Security Agency’s (CISA), the six Essential Elements of a Culture of Cyber Readiness for healthcare organizational leaders are:
   • Yourself: You, The Leader, make cybersecurity a major part of your operational resilience strategy. Your investment drives action and activities that build a cybersecurity culture.
   • Your Staff: As the first line of defense, your staff’s skills must continue to grow in practice and training.
   • Your Systems: Protect your critical assets and applications, such as patient and financial information, by building security around them.
   • Your Surroundings: Make sure only those with permission have access to your digital workplace.
   • Your Data: Keep backups and avoid the loss of information that is critical to operations.
   • Your Crisis Response: To try to limit damage and quick restoration of normal operations in the event of an attack, conduct regular drills, making this an extension of your other business contingency plans. Check out the 8 Cyber Security Drills You Should Run in 2022 from CV3.
2. Train staff and volunteers on cybersecurity awareness, such as instructing them to:
   1. Create strong passwords (or passphrases) and not share them
   2. Recognize and report phishing attempts (this is how 80-95% of all cyberattacks begin) by showing them specific examples
   3. Lock their computer when stepping away
   4. Use multi-factor authentication to log in
   5. Be ready to participate in your cyber incident response plan—an invaluable plan for healthcare facilities, as mentioned above. The US Department of Commerce’s National Institute of Standards and Technology made a step-by-step Computer Security Incident Handling Guide you can easily reference to create an incident response plan. Check it out starting on page seven.
3. Try to keep your network and systems secure using:
   1. Antivirus software
   2. Firewalls
   3. Other security tools
4. Conduct a vulnerability assessment to identify the risks to your healthcare organization. You can conduct this assessment yourself. Just reference Intruder’s Step-by-Step Guide.
5. Develop a holistic cybersecurity plan (check out CISA’s Cybersecurity Resources Road Map, designed for small and midsize organizations, or their Cyber Essential Starter Kit)
6. Back up data regularly
7. Have staff update their passwords quarterly
8. Watch this training on Cybersecurity and Healthcare Facilities from the US Department of Health and Human Services

At Glatfelter, we want to help make sure your patients, staff and administrators are safe from these increasingly sophisticated cyberattacks. An entire section of the Glatfelter Healthcare website is devoted to risk management and cybersecurity. For example, check out our blog called 3 Ways to improve cybersecurity at healthcare organizations in times of crisis.

Finally, with today’s growing cybersecurity threats, it’s important to be insured by a cyber product that is designed to meet the modern threats your healthcare organization faces.

Glatfelter is proud to be introducing a more robust, standalone, non-admitted cyber product, available to new and renewal clients beginning January 1, 2024. Visit the link below for access to applications and more information.

You have the knowledge and power to help secure your healthcare agency’s sensitive data. Consider this the start of a new commitment to a culture of cybersecurity awareness.