Healthcare cybercrime, a form of online terrorism that has been impacting other industries over the past 20 years, is now threatening the very safety and well-being of our nation’s healthcare system. Daily, we read about security breaches in small, medium, and large healthcare organizations that often affect hundreds, thousands, or even millions of people and their private information. Cybercrime is an intentional attack against an organization’s proprietary data assets. It describes any illegal activity in which a computer is used as a means to commit a crime against another individual’s or organization’s computer, network, or database.
Cybercriminals are incredibly intelligent people who commit cybercrimes such as network intrusions, infiltration of electronic worms and viruses, identity theft, data destruction, and ransomware. Many healthcare organizations have invested millions of dollars building massive computer processors, databases, and wired and wireless networks to connect people. Their goal is to facilitate communication, improve workflows, improve quality, lower costs, and satisfy customers. But how much attention have these organizations given to protecting these investments from today’s cybercriminals? Apparently not enough, as evidenced by the growing incidents of cybercrime in healthcare, including the WannaCry ransomware attack, which brought 40 NHS hospitals to a complete standstill. No hospital, physician, or other healthcare provider is immune to the operational chaos, harrowing events, and potential financial ruin that can result from sudden cybercrime attacks.
Safety nets and other safeguards are available to minimize these risks, but many providers do not know how vulnerable their IT systems and networks are until it is too late. These breaches occur for many reasons, including unknown ‘holes’ in a technology infrastructure, lack of knowledge and financial resources to build and maintain a strong IT security program, non-existent policies and procedures governing information security, and uneducated and unprepared users. One thing is for certain – security compromises are a serious threat, and they will continue to occur, along with security audits and six- and seven-figure penalty settlements.
Healthcare C-Suite executives and boards must take a direct interest in protecting their organizations from cybercrime. Unfortunately, just as in many neighborhoods across the country where we can no longer leave our doors and windows unlocked and unmonitored, we need to “lock down” our IT infrastructures and ecosystems as tightly as possible.
Coker Group’s whitepaper on cybersecurity defines today’s most devastating form of cybercrime – ransomware – and outlines concrete methods for mitigating this risk. Providers must take prudent steps to identify and address their IT security weaknesses to more thoroughly protect their invaluable data and financial assets from ransomware and other dangerous exposures now and in the future. Their very futures depend on it. A first step in becoming more preemptive is to conduct a thorough assessment of the organization’s IT environment, not just one time, but optimally every six months or at least annually.
The major components to evaluate are an organization’s file, database, and other servers; other hardware, including PCs and mobile devices; software; wired and wireless data networks; and Internet connections. The assessment should include a complete, end-to-end vulnerability and threat identification for all application systems, users, and devices in all locations, both on and off the organization’s network. Key findings must be documented, and action plans developed, implemented, and tracked to completion, with the process repeated at scheduled intervals.
Coker provides cybersecurity education and training and conducts in-depth, one-time, and ongoing IT security assessments for hospitals and other provider organizations. We also offer a Security Office as a Service (SOaaS) for organizations that have limited budgets to tackle IT security needs.