There’s a reason that cybercriminals and hackers are so intent on grabbing all the data they can from healthcare facilities of all sizes: It’s worth a heck of a lot more on the black market than a typical credit report or even a credit card statement, ValidDatum CEO Daryl Crockett told PYMNTS.
“Historically, healthcare has been a high-value target for cybercrime because the records that are stolen are worth 10 to 100 times a plain credit record or credit card or some other type of data,” she added, pointing to the value of using poached patient information to create alternative falsified health IDs.
“Today, a lot of healthcare systems are being attacked by ransomware,” Crockett said, before pointing out that “there’s a massive urgency to get those systems up and running as soon as possible, because patients could literally be dying without access to their information.”
At the same time, another area of oft-overlooked vulnerability is cyber-insurance policies, which Crockett said are becoming less valuable as insurers figure out new ways to avoid paying claims unless the holder proves it did everything possible to put itself in what lawyers would call a “defensible position.”
While larger healthcare providers are likely more at risk for ransomware attacks, that doesn’t mean small and medium-sized medical facilities are immune from such problems — especially since hackers and cybercriminals are using bots and artificial intelligence (AI) to target large swaths of names and information, “knowing they’ll only get some of them,” said Crockett, whose company is a global certified female-owned organization focused on data management, cybersecurity, data protection and privacy.
A New Kind of Terrorism
Crockett noted that state-sponsored terrorists are “even more disturbing,” and are becoming increasingly troublesome foes to healthcare data security — especially mercenary cybergroups that gather hackers for a specific mission or campaign, such as attacks on healthcare facilities and hospital networks. “We’re not dealing with the same scenario we were even a year ago,” she said.
As a result, responses such as phishing education — where workers are continually updated on the latest threats and challenged to have good “cyber-hygiene” through tests with fake messages — or banning the use of thumb drives on networked devices are two ways companies are looking to limit their exposure to cyberattacks in healthcare centers.
Phone codes and power adapters are manufactured today to be able to steal data, said Crockett, so users shouldn’t share those or borrow them from co-workers. Using a software package that protects users’ information and requiring VPN access to the network can also limit the damage.
“If you’re going to do anything with regard to IT system changes, you want to make cybersecurity part of those changes,” said Crockett. “They don’t have to be two separate things. If you don’t include cybersecurity, you’re going to have to pay twice.”
Steps to Limit Data Breaches
Healthcare providers should hire a virtual chief information security officer (VCISO) or find a fractional one who can be shared across the network or with other facilities, Crockett said. The VCISO will outline what precautions should be taken, what software should be used and what changes must be made to put the company in a defensible position for when it is hacked and must go to the insurance company.
A managed security service provider (MSSP) — typically an outside company that offers support — is another essential tool. The MSSP can be a platform rather than a group of people, said Crockett. “Cybercriminals don’t go home at 5 o’clock,” she noted. “This is something that needs to be in place 24/7.”
Telemedicine hasn’t added any additional risk of data breaches, Crockett said, because videoconferencing companies like Zoom have the proper security levels built into their platforms to limit the potential risk.
What’s Next for Healthcare Data Protection
Micro-tokenization and micro-encryption at the field level of databases is the next big step when it comes to protecting data, said Crockett. It could go a long way toward protecting against bots and artificial intelligence (AI) from cracking into healthcare provider networks.
“Knowing who is looking at the data and who has access to it will make it more difficult for something to get by you,” said Crockett, who believes that quantum computing is here to stay. “You need to look at locking individual fields in databases and understanding who should have access to it.”
The biggest takeaway is that healthcare providers aren’t experts in the field of data privacy, but there are people and companies who are. “To expect that Joe your IT guy — who’s been with you for six years and connected your systems — will be able to deal with the environment we’re facing today is a false hope,” said Crockett. “The best way to make the most effective budget is to combine it with some other IT initiative. You might as well use that foundational time to map all your databases and understand the safeguards we have on them.”