Joe Kim, CTO of SolarWinds, explores the potential learning opportunities from business for cybersecurity in healthcare organizations
The cybersecurity market is currently valued at $122.45bn, with an expectation that this will rise to $202.36bn by 2021. Cybersecurity is becoming a huge concern for businesses, with so many enterprises coming under attack recently. However, over the next few years, the threat landscape will develop and the aim of a cyber attack won’t be solely financial.
Though cybercriminals are usually incentivized by financial gain, the reality is that a cyberattack can create far more damage than just hitting an organization fiscally – this is especially the case when it comes to healthcare organizations. Health data is far more valuable to a cybercriminal, going for roughly 10 or 20 times more than a generic credit card number. Therefore, we can expect to see a surge in healthcare breaches. However, the impact of this won’t just cripple trust financially. It’s possible a cybercriminal could take over a hospital, manipulate important hospital data, or even compromise medical devices.
It’s already started
These sorts of breaches are already happening. At the start of 2016, three UK hospitals in Lincolnshire managed by the North Lincolnshire and Goole NHS Foundation Trust were infected by a computer virus. The breach was so severe it resulted in hundreds of planned operations and outpatient appointments being canceled.
The event, which officials were forced to deem as a “major incident”, also made it difficult to access test results and identify blood for transfusions, and some hospitals struggled to process blood tests. This is one of the first examples of a healthcare cybersecurity breach directly impacting patients in the UK, but it won’t be the last.
Follow in the footsteps of enterprises
Breaches like these have put a great deal of pressure on healthcare IT professionals. Though there has been a shift in mentality in the enterprise, with security becoming a priority, the same can’t be said for the healthcare sector.
Before healthcare IT professionals can even start to fully protect against these potentially life-threatening attacks, the mentality of healthcare organizations needs to change. Currently, it’s very common for most healthcare organizations to lack basic cyber essentials, with some still running on outdated operating systems, and many devices not having basic anti-virus software. It’s already a challenge for healthcare IT professionals to keep the network safe and secure. From a community nurse using her iPad to input important patient data to hospital clinics trying to record everything, the entry points are enormous.
This creates a huge disadvantage for healthcare IT professionals from the get-go. The situation is worsened with most healthcare organizations often having budget cuts, making security a hard thing for the board to prioritize.
It doesn’t need to break to be fixed
Healthcare IT professionals have made it clear that they aren’t confident they could prevent their trust from a severe breach. Many assume the board will only focus on security once a significant breach occurs, and wonder how bad it needs to get for them to listen. It is time healthcare organizations learned from enterprises that have seen breaches occur and acted. In the meantime, there is work that requires little investment that IT professionals can do to protect the network.
Educate and enforce
Employees are often the weakest link when it comes to security in the workplace. Few workers understand how simple it is for a cybercriminal to gain access to the network through an employee’s mobile phone, and often opt to use their own devices in the workplace.
However, it is vital that healthcare IT teams have a consolidated overview of what devices are connected to the network by running an awareness campaign that encompasses both education and enforcement. By doing so, employees will have a better understanding of the potential threats that could come from having an unauthorized device connected to the network.
For example, healthcare workers need to be shown how a cybercriminal could infiltrate the network through hacking someone’s phone. This would also start a dialogue between healthcare employees, helping them to prioritize security and thus giving the IT department a better chance of protecting the organization from a breach.
It’s naturally assumed that healthcare IT professionals should be able to effectively protect his or her organization from an attack. However, even the most experienced security professional would struggle to do so without the right tools in place. To protect healthcare organizations from disastrous attacks requires funding, investment, and cooperation from employees.
Joe Kim
CTO