Cybercriminals are constantly searching for their next big exploitation opportunity, and medical practices are usually the target. In recent years alone, we’ve seen an avalanche of awful breach news that shook many medical organizations. But why are medical records such a popular target for cybercriminals, and what can be done about it?
If you’re a managed service provider (MSP) servicing the healthcare industry, your clients need to know exactly why they are a prime target for cybercriminals and how you can help bolster their defenses. If you’re looking to break into the healthcare vertical, the following ten reasons serve as your perfect argument to persuade medical practices to invest in your services.
1. They Are Not Overly Concerned with Cyber Threats, and Hackers Are All Too Aware of This
Most small businesses, especially healthcare organizations, are under the impression that they are too small to be targeted by hackers. Unfortunately, medical data is actually the ultimate trophy for hackers, and they will specifically target small medical practices or community hospitals expecting to find little to no cybersecurity in place. Hackers also know that because doctors have very little concern for cybersecurity (because they are solely focused on their patients), they will not be conscientious about their security behavior.
For example, if a doctor is logged into their computer reviewing electronic medical files, it is very important they close the medical file and log out of the computer when they are done viewing. Why? Hackers are very sophisticated and have developed bots to scan the internet looking for “open windows.” If a doctor does not log out properly, the hacker will find the window they need to hack into the medical practice and—at that point—will have hit the lottery.
2. Doctors Are Not Security Experts
Doctors are experts on many things; however, cybersecurity is not one of them. Although threats to medical practices are strong, there is an array of security tools on the market that can tremendously reduce the risk of cyber-attacks. Such products include managed detection and response software, security profiling, endpoint protection, DNS protection, and security awareness training. These products exist and can be very helpful in preventing and remediating cyber threats. Yet doctors are not experts on these things, so they should rely on a medically focused MSP to make sure they have these tools in place to create a strong security infrastructure.
3. Careless Disposal and Misplacement of Hardware
All hospitals and medical practices have computers where they store sensitive patient data. When it is time for these computers to be replaced, they need to be destroyed and disposed of properly.
Additionally, many doctors have laptops from which they can log into their hospital’s network remotely to review patient files. When doing this, they need to be very careful not to connect to insecure Wi-Fi networks and—most of all—not to accidentally leave their laptop in a public place. Medical records could be worth up to $1,000 to hackers, and a hard drive full of patient records could be worth hundreds of thousands. Therefore, medical practices must treat their hardware like gold.
4. Not Having Strong Passwords in Place
Small- to medium-sized medical practices and hospitals typically love to use universal passwords for every login that are short and easy to remember. It might be convenient and enable doctors to spend less time trying to figure out their password and more time reviewing patient files; however, it is fraught with problems for many reasons.
First of all, if everyone is using the same password, it is very likely that doctors may ask each other for this password in front of patients or visitors who could overhear and then know how to get into the hospital’s network. In most cases, this will be harmless, but you really never know who could be a cyber-criminal.
Secondly, when universal and short passwords are used, it makes it very easy for hackers to guess the password (remember: cyber criminals are actually extremely intelligent). Also, when an employee leaves the organization, they can still access nearly every system and computer as universal passwords are rarely changed.
5. Lack of Cyber Security Expertise Available
It’s a known fact that cybersecurity expertise is extremely rare. This makes it difficult for a hospital or medical practice to hire the proper security expertise to mitigate their security concerns. Hackers are well aware of this and will use it to their advantage. Medical establishments should strongly consider engaging with an MSP who can provide them with the cybersecurity expertise they need to secure their environments.
6. Doctors Are Still Convinced Cybercrime Cannot Happen to Them, so They Ignore It
The “out of sight, out of mind” mentality does not work when it comes to cybersecurity. It does not matter if a doctor is truly convinced cybercrime cannot happen to them; it matters what the HIPAA authorities think—and they have very strict security rules in place. HIPAA is the law, and doctors need to take this seriously because they have a lot to lose otherwise—their patients’ data, their money (HIPAA non-compliance is a finable offense), and most of all their reputation (HIPAA non-compliance can be a criminal offense).
7. They Think Cybersecurity Costs Millions
It may be the case in a huge, internationally recognized hospital that the enormous amount of security needs could cost millions; in a small medical practice or community hospital, however, this is not typically the case.
For small healthcare organizations, cybersecurity is much more affordable and much cheaper than experiencing a data breach, because cyber criminals can demand millions in ransom and HIPAA fines can reach up to $50,000 per security incident. Additionally, reputational damage will be unavoidable following a security breach—in fact, 54 percent of patients say they would switch providers after a data breach. So, when doctors are concerned about the cost of cybersecurity, they should also ask themselves, “can I afford to lose half of my patients?”
8. Lack of Employee Policies to Safeguard Data
One of the biggest issues that small medical practices face is not having any employee policies regarding security. Simple initiatives such as password protecting every workstation and mobile device that has access to PHI (Protected Health Information) are vital. Even if there are security policies in place, most medical practices do not enforce them, which makes having the policies useless.
9. Failure to Perform Regular Security Risk Assessments
HIPAA requires medical organizations to undergo periodic (usually annual) security assessments that are meant to analyze the security infrastructure, understand what gaps exist, make suggestions on areas that need to be improved, and prove to HIPAA authorities that the compliance-required tools are in place. HIPAA also requires that medical organizations have a plan detailing how they are improving PHI security over time; therefore, it is very important to document everything.
10. Not Securing Wi-Fi
Medical organizations require Wi-Fi for doctors to use when exchanging PHI electronically and possibly for research purposes. It is very important that they do not disclose this Wi-Fi password to patients or visitors. Instead, hide the networks that employees use and make sure they are password protected. Create a separate network for patients to use and make sure doctors know not to use this one. This also ensures that patient internet usage does not slow down the medical team’s productivity.
Although this information may sound a bit harsh, it’s meant with the best possible intentions. We do not expect doctors to be security experts, because we understand the reality is that they spent half their life studying medicine. Therefore, it is important that doctors also recognize they lack security expertise. The answer to solving this problem may be to engage with an MSP who can educate them on cybersecurity best practices and implement the proper security tools needed to prevent cyber-attacks and enable HIPAA compliance.