The pandemic fast-tracked digital transformation in the healthcare industry by necessity and simultaneously opened up new avenues for cybersecurity threats.
During the pandemic, healthcare providers looked for ways to serve patients outside brick-and-mortar walls and found innovative ways to do so via drive-up vaccinations, virtual appointments, and online check-ins. According to the AT&T Cybersecurity Insights Report, 74% of healthcare organizations have now implemented edge use cases (interactive experiences). Unfortunately, cybercriminals are also seeing how they can take the opportunity to attack, making it necessary for healthcare organizations to fortify their cybersecurity.
The American Hospital Association offers several resources to assist hospital trustees with bolstering cybersecurity efforts. Find these following resources on their site:
- Strategic Cybersecurity and Risk Advisory Services
- Leadership Cybersecurity Education and Awareness
- Cyber and Risk Incident Response Strategy and Advisory Services
- Law Enforcement and National Security Relations
The Healthcare Industry Faces a Broad Scope of Vulnerabilities
Hospital trustees need to take a multifaceted approach to cybersecurity. It’s critical to understand why criminals try to hack into their systems and what types of information they’re looking for.
Trustees must have a strong understanding of how their systems and information connect with other systems in ways that compromise security. Hospital trustees also need to be aware of how mergers and acquisitions create potential new risks and vulnerabilities.
According to a 2021 NIH study, the primary areas that healthcare organizations need to focus on are:
- Distributed denial-of-service attacks
The study also goes into greater detail about the challenges in cybersecurity and key solutions healthcare organizations have adopted to address them.
Healthcare Cybersecurity Continues to Evolve
Just as hackers are increasing the breadth of their knowledge on how to invade electronic networks layer by layer, cybersecurity experts must work just as hard to figure out how to counter their attacks.
IT teams must continually keep pace with cybersecurity innovations, such as using encryption to protect data, integrating automatic removal of information and utilizing mobile encryption.
Digital healthcare is changing in ways that create interconnectivity between patients, primary care doctors, specialists and other care providers. Hospital trustees must be aware of the many places where their patients’ information is being sent, assess the new risks and vulnerabilities those connections create, and have strategies in place to address scenarios should a cyberattack occur.
As cybersecurity continues to evolve in the healthcare space, trustees play a critical role in protecting board work. A board management solution with strong security is the best way to protect board information, such as meeting minutes and other documents.
Cybercriminals continue to attack the healthcare industry with impunity and it’s costing healthcare organizations more and more. Download our guide on Protecting ePHI on Your Board Software to boost data security in the board room.
Hospital Trustees Need to Be Aware of Who Is Attacking and Why
Many hospital trustees are surprised to learn that hackers don’t always come from outside the organization. An insider threat is a person working within a healthcare organization who has access to information about the organization’s security practices, data, and computer systems.
HHS.gov identifies five of the most common insider threats:
- Careless or negligent workers
- Malicious insiders
- Inside agents
- Disgruntled employees
- Third parties
As an example, a healthcare employee may leave an unencrypted mobile device or laptop containing sensitive data out in the open where anyone could see or copy the information. Also, mobile devices can easily be stolen.
Hospital trustees also need to be aware of the motives behind cybercriminal activity. Some of them are politically motivated, where criminals are looking for sensitive state secrets with the goal of crippling our nation’s infrastructure and weakening our military security. Others are individuals, partners, and small groups looking to extort companies for financial gain. Hospital trustees need to be especially aware of insiders with their eyes on stealing information just to prove that they can.
HHS recommends the following steps to prevent insider threats:
- Revise and update cybersecurity guidelines and policies
- Limit privileged access and establish role-based access control
- Implement the zero-trust and multi-factor identification models
- Backup data and deploy data loss prevention tools
- Manage USB devices across the corporate network
Once you’ve identified how cyberattacks happen, your board can tap into the power of technology to target specific areas of fraud and arrange for training.
Using Technology to Facilitate Areas of Fraud Where Hospital Trustees Need Awareness and Training
Hospitals provide many good reasons for hackers to target their systems. It’s a place where they can get credit card information, confidential health information, personal information, business information, and intellectual property all under one roof. All of this information could be combined and sold to be used by other criminals.
Hospital trustees need training in several areas of fraud, including:
- Medical device fraud
- Prescription fraud
- Identity theft
- Tax fraud
In addition to the known potential areas for fraud, hospital trustees need to be aware of new areas of fraud that could open up.
Using Technology to Facilitate Training to Help Tackle Cybersecurity Challenges
Starting with the cybersecurity budget, Bank Info Security suggests that a way healthcare boards can help tackle cybersecurity challenges is to review the cybersecurity allocation in their budgets. Currently, most healthcare organizations only allocate about 6% or less of their technology budgets for cybersecurity initiatives.
A 2022 HIMSS Healthcare Cybersecurity Survey suggests healthcare organizations should invest more heavily in awareness training and hands-on cybersecurity training. Specifically, they recommend focusing on the following areas:
- More frequent training
- Greater inclusion with training
- Understanding risks
- Insider threats
- Breach and security incident reporting
- Privacy awareness training
- HIPAA training
- Security awareness training
- Phishing awareness training
An increased budget could be used to invest in technology to automate such training programs for employees and trustees.
Another valuable resource for healthcare organizations is the Coordinated Healthcare Incident Response Plan (CHIRP) provided by the Healthcare & Public Health Sector Coordinating Councils to assist with developing, implementing, maintaining, and testing an incident response plan to prepare for a cyberattack.
Cyber insurance is becoming necessary in many industries. It’s especially important in the healthcare industry considering the IBM Cost of a Data Breach Report 2023 shows that the healthcare industry reports the most expensive data breaches with an average of over $10 million.
Cybersecurity Training for Trustees
Technology has brought great improvements in healthcare. Unfortunately, there are also risks that come with it. Hospital trustees have many challenges ahead of them as they work to understand medical equipment interconnectivity, electronic data storage, and vulnerabilities. Trustees will also need training on evolving medical practices, like the growing field of telemedicine.
Training on network systems is also vital for hospital trustees, who must understand how open networks and multiple wireless networks work and interconnect. They also need to be able to address issues like independent contractors who bring their own medical equipment into hospitals, and how that introduces risks to hospital-owned equipment and other networks that connect to these devices.
Additionally, training for hospital trustees should extend to the repair technicians who often need access to networks to repair owned and non-owned equipment, potentially increasing cyber risks.
Using a Board Management Solution to Bolster Cybersecurity in Healthcare
Your trustees need a central platform where they can communicate and collaborate to improve cybersecurity, and a board management solution has the necessary tools to do so. From unlimited document storage to granular permissions, a board management solution allows your entire board to work together securely and seamlessly.
See how BoardEffect, a Diligent Brand, can help strengthen your nonprofit healthcare organization’s cyber resilience. Request a demo today.