Is your healthcare facility taking steps to protect itself from Ransomware attacks? While we continue to move forward in streamlining many aspects of our social and professional lives into the digital realm, can we say the same for our advancement in the protection of our digital information through thoughtful and robust cybersecurity preparation? Is your healthcare facility vulnerable to Ransomware attacks? If you haven't prioritized cybersecurity for your facility, then your facility very well may be at risk.
What is Cybersecurity?
America's cyber defense agency, CISA (Cybersecurity & Infrastructure Security Agency), defines cybersecurity as "the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information."
Think of it as the TSA checks to pass through to the boarding area for a flight or the plastic columns at the entrances and exits of shopping stores that sound an alarm if someone walks out with a tagged item. Those two examples can serve as appropriate metaphors for you to consider how robust your cybersecurity is. Does your facility have budget and staff attention specifically directed to strengthening and maintaining cybersecurity, or do you have some standard measures in place (like the alarm columns), or are you somewhere in between?
Why are Smaller Healthcare Facilities at Risk of Cyber Attacks?
Smaller facilities that have yet to invest time, money, and thinking into cybersecurity preparation should do so now because data breaches and Ransomware attacks can cause serious disruptions to a facility's workflow and routines and threaten the security of PHI (personal health information). Are there cybersecurity measures you can take that are also cost-effective? Yes, there are. In fact, we've made a list of three steps you can take that are free.
3 Free Steps to Boost Your Facility's Cybersecurity
1. NIST Cybersecurity Framework
The NIST Cybersecurity Framework is a tool created by the National Institute of Standards and Technology (a U.S. government agency). This resource is specifically designed to be applicable to agencies and businesses of all sizes and across all industries. It's thorough, and the NIST website spends a lot of webpage space by providing videos, guides, and FAQs for the framework's implementation. They even have this support information available curated for varying perspectives (i.e., academia, international, small and medium businesses, general, etc.) This tool is free to use and, according to the NIST, "is based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders."
2. Cybersecurity Training
Training is a valuable tool for administration and staff. How can your people be part of cybersecurity solutions and preparedness if they aren't aware of the risks or how to avoid/mitigate them? To meet this need in an affordable yet valuable way, again, the government provides a valuable free resource for companies, and these are specifically built and targeted for use by healthcare facilities. The U.S. Department of Health and Human Services (HHS) developed an online training platform called Knowledge on Demand.
Five training courses are available to cover each of the top five cybersecurity threats. Each training includes interactive videos, power point presentations, learning management systems, and resource documents with helpful tips. Other helpful resource tools developed by the HHS include the Health Industry Cybersecurity Practice: Managing Threat and Protecting Patients publication which includes mitigating practices recommendations and an in-depth hospital resiliency analysis.
3. Examine Your System's Password Policy
When your staff is required to set or update their passwords, what is the minimum character length your systems require? According to the NIST, the minimum should be eight characters, but they also recommend that you should allow for at least 64 characters. Logically, the longer the password, the more difficult it would be for hackers to crack. Sixty-four characters may not seem reasonable, but you may also consider requiring more than just the minimum eight. Many cybersecurity experts also recommend maintaining a company password blacklist, which is a list of words that your users are prohibited from using in their passwords. Blacklists should include identifying words or number combinations that relate specifically to your company or other commonly used passwords. If you think you don't need a password blacklist, think again. According to CyberNews, the following are the most commonly used passwords in today's world, 2023:
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
Ransomware Attacks are a Growing Problem
A study published in the December 2022 issue of the JAMA Health Network found that "the annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients." Furthermore, a report from cybersecurity firm Critical Insight found that hackers aren't only focused on the large-scale healthcare systems which present tempting targets with loads of PHI data; they're attacking the smaller hospitals, specialty clinics, and physician groups as well. One reason hackers are targeting smaller healthcare facilities may be the fact that they are less likely to have a substantial budgeted amount directed towards cybersecurity.
What More Can You Do for Cybersecurity Preparedness?
Not everything you can and should do to boost your cybersecurity is free, and yet with limited resources, how can you determine where and how to spend your money in a thoughtful and long-reaching way? Does this mean your healthcare facility should hire a cybersecurity analyst? Perhaps you should. Talk with your IT department about the measures you currently have in place, and review with them the above recommendations. The average cybersecurity analyst salary, according to the U.S. Bureau of Labor Statistics, was $57.63 per hour in 2022. Keep in mind that's a national average, so depending on your geographic location, you may find analysts charging slightly more or less.
You are Not Alone
If you're reading this and feeling bad because cybersecurity hasn't been much of a priority for you, as much as, say, staffing shortages, you aren't alone. According to a Statista report on cybersecurity in 2021, 18% of healthcare organizations didn't know how much money they spent on cybersecurity, and 18% reported only 1-2% of their budgets were allocated to cybersecurity. Healthcare facilities are grappling with big changes and big challenges on multiple fronts.
Now is the time to arm yourself with information and take steps to make cybersecurity a priority for your facility. Be a leader by taking steps to protect your facility from service delivery disruptions and data breaches.
