Yet the nature of healthcare makes it perhaps even more important. Depending on the nature of the organisation, it could be holding highly confidential medical information and data about customers or even valuable IP relating to a new medicine that is yet to be launched. Healthcare is also a sector that has very strict regulatory compliance and one that is starting to embrace digital innovation and tools, after being relatively slow to get started.
This all means that healthcare organisations can be very vulnerable to cyber-attack. Recent Clearswift research revealed that more than two-thirds of healthcare organisations in the UK have suffered a cybersecurity incident over the last 12 months, so it’s a problem that needs to be treated with the utmost seriousness.
What are the main cybersecurity threats facing the healthcare sector currently and what can their information security teams do to mitigate against that threat?
The main cybersecurity threats to the healthcare sector
In addition to looking at the frequency of cyber-attacks, the recent research also shed light on the types of threat that concern healthcare organisations most. Almost half (48 per cent) of all healthcare cyber-incidents in the last 12 months have been the result of malware or viruses introduced to the network by third-party devices.
Such third-party devices include USB sticks and a range of different IoT devices connected to the network. Given the complexity of healthcare networks and the growing volume of such devices, it’s a major task for IT security teams to keep track of all the devices connected to the network, with each and every device another potential entry point or point of origin for security threats.
There’s also the challenge of employees sharing sensitive data with unauthorised recipients – 39 per cent of breaches within the healthcare sector occurred as a result of such behaviour. Most of these will have occurred because of human error rather than malicious intent, but it still serves to highlight just how easily an organisation’s compliance and security can be put at risk.
This is especially true when one considers that another key threat for the sector is employees not following protocol/data protection policies. Whether this is for more general policy such as GDPR or more industry-specific ones such as the Health Service (Control of Patient Information) Regulations and HIPAA, not following policy can be very damaging and have serious consequences.
The rise of social engineering lures
Twenty-eight per cent of our survey respondents identified malicious content entering the network via links in emails or social media posts as a key threat. So-called social engineering lures are growing in use, as cybercriminals target employees with emails about current news or events, in the hope that they click on the URL. Once the employee is compromised, cybercriminals can gain access to sensitive information or release malware/viruses onto the network.
It’s a tactic that is growing in use because it is relatively easy to do. Cybercriminals can latch onto anything in the news at the time, and attacks in 2020 have included campaigns based around the Oscars and the Super Bowl. In the healthcare sector, it’s not hard to imagine that employees could be a little more vulnerable than others to campaigns that utilise the coronavirus in some way.
Such tactics also enable cybercriminals to penetrate the wider hospital supply chain and use that as a means for further attacks. Phishing attacks can be very realistic, with fake invoices from suppliers encouraging money to be redirected.
Similarly, as the UK eventually completes Brexit at the end of 2020, hackers could send email correspondence that appears to come from one regulatory body or another. There will be a period of confusion over what is and what is not required, both for UK healthcare organisations that still hold EU data and vice versa.
Mitigating the threat from cyberattack
For healthcare organisations keen to protect against these threats, one of the most important factors to address is culture. An organisation could have the very best cybersecurity software available, but if employees do not give cybersecurity proper consideration, then it could very easily still be breached.
This culture must be driven from the very top. The C-suite must make it crystal clear that cybersecurity is important to the organisation and that they are going to take it just as seriously as the rest of the business. This should include the provision of ongoing training, covering areas such as the signs to look out for in a phishing email, and a top-level awareness of GDPR and other healthcare-specific regulations that carry compliance risk.
It’s also vital to mitigate against threats arriving via email, which in healthcare is still very much the most common form of communication and therefore also one of the main avenues of attack. Its use by attackers is becoming far more creative too, with cybercriminals hiding malicious content in images as well as text.
Advanced email and web security solutions can help mitigate cyber-risks by detecting and removing threats such as malicious links in emails and attachments, or in documents downloaded from the web, and by disabling the URLs before they enter the network. This automatic sanitisation protects the organisation from staff mistakenly clicking on malicious links which, as our recent research suggests, is still an important issue within the healthcare sector.
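As an added illustration of the link-sanitisation step described above (example code written for this page, not Clearswift's product code or any vendor's API), the following walks every text and HTML part of an inbound message, compares each URL's host against an allowlist of trusted domains, and rewrites anything else into a non-clickable form before the message is delivered. The allowlist, the attribute name data-blocked-url and the sample message are all constructed for the example.

```python
"""Added example: disabling untrusted URLs in inbound email before delivery.

Not Clearswift's code. The trusted-host allowlist, the data-blocked-url
attribute and the sample message below are constructed for illustration.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the organisation trusts (constructed).
TRUSTED_HOSTS = {"intranet.example-hospital.invalid", "nhs.example.invalid"}

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)
TRAILING_PUNCT = ".,;:!?)"


def is_trusted(url: str) -> bool:
    """True if the URL's host is an allowlisted host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def defang(url: str) -> str:
    """Rewrite a URL so mail clients will not render it as a clickable link."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def sanitise_text(text: str, found: list) -> str:
    """Defang every untrusted http(s) URL in a plain-text body."""
    def repl(m):
        url = m.group(0)
        # Keep sentence punctuation that the regex swept up after the URL.
        trail = url[len(url.rstrip(TRAILING_PUNCT)):]
        url = url[:len(url) - len(trail)]
        if is_trusted(url):
            return url + trail
        found.append(url)
        return defang(url) + trail
    return URL_RE.sub(repl, text)


def sanitise_html(html: str, found: list) -> str:
    """Neutralise untrusted href targets, then any bare URLs in the markup."""
    def repl(m):
        quote, url = m.group(1), m.group(2)
        if not url.lower().startswith(("http://", "https://")):
            return m.group(0)          # relative links, mailto: etc. left alone
        if is_trusted(url):
            return m.group(0)
        found.append(url)
        # Point the anchor nowhere; keep the defanged target for analysts.
        return f"href={quote}#{quote} data-blocked-url={quote}{defang(url)}{quote}"
    html = HREF_RE.sub(repl, html)
    return sanitise_text(html, found)


def sanitise_message(raw: bytes):
    """Parse a raw message; return (sanitised message, sorted blocked URLs)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: list = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        cleaned = (sanitise_html(body, found) if ctype == "text/html"
                   else sanitise_text(body, found))
        part.set_content(cleaned, subtype=ctype.split("/")[1])
    return msg, sorted(set(found))


# Constructed sample: a fake-invoice lure with one untrusted and one trusted link.
SAMPLE = b"\r\n".join([
    b"From: billing@supplier.example",
    b"To: finance@example-hospital.invalid",
    b"Subject: Updated bank details for invoice 1042",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/alternative; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Please review the invoice at http://pay-portal.example.net/inv/1042 and "
    b"see https://intranet.example-hospital.invalid/policy for our policy.",
    b"--b1",
    b"Content-Type: text/html; charset=utf-8",
    b"",
    b'<p>Please <a href="http://pay-portal.example.net/inv/1042">review the invoice</a> '
    b'and see <a href="https://intranet.example-hospital.invalid/policy">our policy</a>.</p>',
    b"--b1--",
    b"",
])

if __name__ == "__main__":
    cleaned_msg, blocked = sanitise_message(SAMPLE)
    print("Neutralised URLs:", blocked)
    print(cleaned_msg.as_string())
```

In practice the allowlist decision would be backed by a reputation feed rather than a static set, and the list of blocked URLs returned by sanitise_message is the part worth logging, since it tells the security team which lures reached the gateway and who they were aimed at.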
Cybersecurity in healthcare is hugely important and organisations need to do everything within their power to ensure they are well protected against all threats, which grow in volume and sophistication all the time. The good news is that with the right approach, any healthcare firm can keep itself safe and secure, both now and in the future. Is your organisation on the right path?