Why Hospitals Need to Focus on Cybersecurity Training by Jori Hamilton


The medical industry has benefited greatly from technological advances, from widespread adoption of the cloud making patient records easier to access, to the use of artificial intelligence (AI) to assist with diagnoses. However, for all the advantages this provides to both staff and patients, the use of technology is not without significant challenges.

Cybercrime is a prevalent aspect of our world today. Unscrupulous actors are continually finding new and creative ways to take advantage of the weaknesses in our systems. The motives are varied, too, from pure financial gain to a simple desire to cause chaos. When it comes to healthcare environments, the actions of cybercriminals can have dangerous consequences, threatening the privacy, and even the lives, of patients.

While it’s clear that cybersecurity must have a significant presence in the medical industry, there’s not always a focus on educating staff on the basics of safe behavior. We’ll take a look at a few areas that show why hospitals need to take a robust approach to cybersecurity training. What are the challenges, and how can measures be introduced in a practical manner?

Sensitive Patient Data

The more we embrace the digital age, the more obvious it becomes that data is a valuable resource. From businesses using data on customer behavior to make decisions to big data’s role in making AI a practical reality — information is the currency of the contemporary landscape. This is also true in medical fields, though the data handled is more often of an extremely sensitive nature.

When data is big business, data theft becomes a thriving criminal enterprise too. Just as in financial technology, stolen personal information can be used for identity theft. Private medical records are stored alongside valuable identifying details such as Social Security numbers, payment information, and even scans of identity documents, all of which can be used to fraudulently access the victim's financial accounts and further private information.

Cybersecurity experts generally hold that criminals looking to make money from patient data are unlikely to exploit the medical details themselves; it is far easier and more lucrative to use medical systems as a route to financial and identifying information. According to the 2018 Thales Data Threat Report, most hospitals place their cybersecurity emphasis on protecting network and endpoint technologies, when what is also needed is a focus on educating staff on how their own actions can create openings for attackers. Simple behavior adjustments, such as limiting the use of mobile devices, promptly revoking former employees' log-in credentials, and using BCC rather than CC when emailing groups of patients so that recipients cannot see one another's addresses, can all make a significant difference in limiting criminals' access to patient data.

Threats to Treatment

In the above example of data theft, cybercrime is more akin to traditional theft — an asset being stolen and potentially sold or otherwise taken advantage of. However, as we continue to adopt connected technology into more aspects of medical diagnosis and treatment, the situation can be more complex — and far more dangerous.

The medical industry has become a primary target for ransomware attacks. Cybercriminals exploit weaknesses in vital medical systems that are connected by networks, everything from workstations holding patient medical data to IoT devices such as wearable heart monitors, then encrypt data or lock the systems and threaten to leave them unusable, or to cause serious damage, unless funds are transferred. In hospitals, the staff's ability to treat patients effectively is often time-sensitive, and delays caused by ransomware could mean the difference between life and death.

Of course, there are system-wide protections that can be put into place by the cybersecurity experts hospitals hire. But there are also suggestions that including a few hours of cybersecurity education during medical school, or ongoing in-house training, could further reduce the likelihood of such attacks succeeding. Ransomware infections typically begin with the actions of staff, such as opening malicious attachments in phishing emails, or following links and viewing advertisements that deliver malware. Teaching staff to be vigilant about their online behavior, and to spot the tell-tale signs of a suspicious email address, can be an effective defense.
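As an added illustration of what those tell-tale signs look like in practice (this is example code written for this page, not part of the original article or of any hospital's tooling), the following Python checks a message's From and Reply-To headers against an assumed list of trusted hospital domains and flags three common phishing patterns: a display name that shows a different address than the real sender, a look-alike domain built from confusable characters or a one- or two-character change, and a Reply-To that routes replies elsewhere. The domain names and sample headers are constructed for the example.

```python
import email.utils
import re

# Domains the hospital legitimately sends mail from (assumed for this example).
TRUSTED_DOMAINS = {"example-hospital.org", "mail.example-hospital.org"}

# Substitutions attackers use to build look-alike domains: zero for o, one for l, rn for m, vv for w.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def fold_confusables(domain):
    """Lower-case a domain and undo common look-alike substitutions so it can be compared to a real one."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def domain_of(address):
    """Return the domain part of an address, lower-cased ('' if there is no @)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_sender(from_header, reply_to_header=None):
    """Return a list of human-readable warnings for a From header (and optional Reply-To)."""
    warnings = []
    display_name, address = email.utils.parseaddr(from_header)
    domain = domain_of(address)
    if not domain:
        return ["From header has no usable address"]

    # Sign 1: the display name shows one address while the message really comes from another.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != domain:
        warnings.append(f"display name shows {claimed.group(1)} but the sender is {domain}")

    # Sign 2: a domain that is not ours but is built to look like ours.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if fold_confusables(domain) == fold_confusables(trusted) or edit_distance(domain, trusted) <= 2:
                warnings.append(f"{domain} looks like our domain {trusted}")
                break

    # Sign 3: replies are silently redirected to a different domain.
    if reply_to_header:
        reply_domain = domain_of(email.utils.parseaddr(reply_to_header)[1])
        if reply_domain and reply_domain != domain:
            warnings.append(f"replies would go to {reply_domain}, not {domain}")

    return warnings


# Constructed sample headers: one legitimate message and three that each show one sign.
SAMPLES = {
    "legitimate": ("Dr. A. Example <a.example@example-hospital.org>", None),
    "name_spoof": ('"helpdesk@example-hospital.org" <alerts@notify-service.net>', None),
    "lookalike": ("Payroll <payroll@examp1e-h0spital.org>", None),
    "reply_to": ("Records Dept <records@example-hospital.org>", "Records Dept <records@outbound-forms.example>"),
}


def scan_samples():
    """Run every sample through check_sender and return {label: warnings}."""
    return {label: check_sender(frm, reply) for label, (frm, reply) in SAMPLES.items()}


if __name__ == "__main__":
    for label, warnings in scan_samples().items():
        print(f"{label}: {'OK' if not warnings else '; '.join(warnings)}")
```

The three rules are the same ones staff can be taught to apply by eye: look at the real address behind the display name, read the domain character by character, and notice when a reply would go somewhere else. An automated check of this kind complements that training; it does not replace it, since attackers who register an unrelated but plausible domain will pass all three tests.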

“Bring Your Own Device” Culture 

Many of us have access to some pretty advanced technology. This has led some medical facilities to encourage a "bring your own device" (BYOD) policy among medical staff. A 2017 survey by clinical communications provider Spõk found that up to 71% of clinicians reported their hospital operated a BYOD program. This means that staff are regularly connecting to medical networks from tablets and smartphones that have not been subjected to the same stringent security controls as hospital-managed equipment.

This is a problematic trend. The risks inherent in BYOD policies range from the physical theft of unencrypted devices holding sensitive patient data, to malware picked up during personal use being carried onto a medical network. Even a simple activity such as copying patient data onto a flash drive and subsequently misplacing it can constitute a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA), unless the data was encrypted.

Ideally, medical facilities should cease BYOD policies. However, if this trend is to continue, it’s vital that hospital staff are sufficiently trained on the cybersecurity risks of personal devices. They should be kept up to date on current hacking methods — including how cybercriminals are able to access their tablets and smartphones — and which behaviors undertaken at home can introduce malware to systems at work. There is an element of trust implied when bringing a personal device into a sensitive environment, and any damage caused as a result of this could potentially be construed as an act of serious negligence. 


It’s clear that advanced technology has helped the medical industry to serve patients more effectively and efficiently. However, it’s also resulted in hospitals becoming prime targets for cybercriminals. While security experts can help put systems protections in place, there is still an element of risk in staff behavior. By providing sufficient, regular education on cybersecurity threats and the personal steps to prevent them, hospitals can lower the potential for serious damage caused by hackers.

About the Author:

Jori Hamilton is a freelance writer residing in the Northwestern U.S. She covers a wide range of subjects and with over 8 years of professional writing experience, she has taken a particular interest in topics related to Technology, Cybersecurity, Artificial Intelligence/Machine Learning, and Robotic Automation. You can follow Jori on her Twitter and LinkedIn.

March 10, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023