The healthcare industry has undergone a major change with the adoption of electronic records, which replaced traditional paper-based medical records. This shift improved the efficiency of delivering healthcare services to clients/patients and reduced insurance fraud as well as billing errors. However, shifting to electronic storage of medical data calls for additional awareness and responsibility on the part of healthcare professionals to protect the stored information against possible data breaches.
Although the main focus of healthcare professionals should be on providing healthcare services of superior quality to their patients, they cannot ignore the importance of protecting patient information. Thus, they should have adequate cyber security awareness, as the number and frequency of data breaches are increasing rapidly. Furthermore, PwC research estimated that 86% of medical practitioners believe that in the next few years mobile apps will become a significant component of patient health management. This will again call for a level of data protection that has not been needed before.
According to the 2017 Data Breach Investigations Report, more than 90% of cyber-attacks were traced back to human error, suggesting that human mistakes both initiate and amplify the risk of cyber-crime and the damage it poses to businesses: a healthcare organization's cyber security is only as strong as its weakest employee, and a data breach is more likely to come from human negligence than from a criminal hack. Most data breaches stem from social engineering.
Social engineering is the term used for a broad range of malicious activities accomplished through human interaction. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. It comprises techniques such as baiting, scareware, pretexting, etc. Among them, phishing stands out, together with its most targeted variant, spear phishing, in which attackers choose specific victims and tailor individual attack vectors to the victim's job, position and activity.
The best way for business directors, CEOs and managers to combat this threat is to create a risk-aware workplace culture, and that starts with cyber security awareness, which revolves around:
- Generating a pro-active security culture
- Understanding attacks in relation to the wider security landscape (for example, knowing the consequence of phishing)
- Building respect towards the privacy of individuals
- Understanding the meaning of PHI (Protected Health Information) and why it must be protected
- Understanding that security is part of the whole organization and impacts everyone
- Knowing the impact of privacy and security rules that apply to the healthcare industry
Security awareness should become an integral part of the overall security strategy of the healthcare industry in order to prevent cyberattacks. Increasing the security awareness of healthcare professionals is the most potent tool for fighting such attacks. However, security awareness is not limited to countering social engineering; it involves creating a culture of security.
This blog post was written for the ProTego project by Salvador García (MS).
References
- https://www.ogl.co.uk
- https://www.infosecinstitute.com
- https://enterprise.verizon.com/
- https://www.pwc.com
- https://www.imperva.com
