But many experts in the security industry believe that of all the industries facing serious cyberthreats, healthcare is possibly the most at risk.
They say it is because relatively speaking, healthcare organisations are still behind when it comes to security defences. The nature of healthcare, requires that organisations within this sector keep highly sensitive patient data on file.
Doctors need to have this information to make informed decisions about patients, and the ability to easily share this information within a healthcare network, has resulted in significant advancements in the way patients are treated.
Personal and medical details are also used by staff who handle post-care activities, from post-op follow-up to billing. Brandon Bekker, managing director, Mimecast, Africa and the Middle East said, housing this kind of personal information poses a serious risk and so it is imperative that healthcare institutions make cybersecurity a priority.
“It’s well-documented that external attackers have set their sights on protected health information (PHI). The value of medical records on the black market is at least 10X higher than credit card data. Why? PHI contains more personal data points and cannot just be reissued in the event of a problem. Bank account details and passwords can be changed following a breach; but information about allergies, disabilities, mental health or hereditary conditions, can’t. So, securing this data and a healthcare institution from these calculated threats should be a top priority.”
Bekker added, “When you’re dealing with something as important as people’s lives, it’s not enough to only have security in place, the continuity of services is vital. Take the WannaCry ransomware outbreak last year for example, where entire hospitals in the UK were shut down.”
Healthcare institutions need to have a cyber resilience strategy in place. This will help them defend against threats such as ransomware, allow continuous access to critical applications and information during an attack and provide the ability to recover data to the last known workable state, after a threat is neutralised. Bekker said it even goes beyond external threats.
“Equally important is making sure the organisation is insulated from mistakes by both well-meaning employees and malicious insiders. Busy staff members are bound to make mistakes regarding PHI. With the ubiquity of email, it’s not uncommon to find a breach where employees accidentally (or carelessly) attached a spreadsheet or document containing PHI. A mistake like this could result in personal harm or defamation and will have severe implications for healthcare professionals in countries that have data protection laws in place.”