According to the US Department of Health and Human Services, cyber criminals launch more than 4,000 ransomware attacks a day¹. Many of them target healthcare organizations, which often have too few staff to contain, eradicate and investigate an attack. Ransomware is the most common form these attacks take, and an organization that cannot restore its own systems is left with few options, with the downtime hitting productivity and revenue directly.
US hospitals were primary targets in 2021 and 2022, with attackers forcing victims back to pen and paper to keep treating patients². Without effective security controls, small and mid-sized healthcare businesses are exposed to sophisticated attacks, and more often than not they end up responding to incidents that a few basic practices built into their day-to-day processes would have prevented.
How Data Breaches Affect Your Patients
Becoming a victim of a data breach harms more than the organization itself. The HIPAA Journal counted 707 healthcare data breaches reported in 2022², each affecting 500 or more individuals (the threshold above which HHS publishes a breach). Patients whose records are exposed face identity theft, phishing, social engineering and other scams that threaten their finances.
As for the impact to the organization, IBM's Cost of a Data Breach report³ puts the average cost of a healthcare breach at $10.1 million per incident, against a global average of $4.35 million across all industries, so the cost of weak security controls is markedly higher in healthcare. This is likely due to the nature of the data stolen, litigation, incident response and remediation costs, and penalties under HIPAA and other regulations.
Taking Necessary Steps to Protect Patient Data
Cyber criminals know that small businesses hold less valuable data than their enterprise counterparts. The same lack of resources, however, makes them an easier target, and even a small breach can still pay. Most attackers are after money, but money comes in several forms: extortion through ransomware, exfiltrated data sold on darknet markets, or both at once, where the attacker encrypts systems and also threatens to publish what was copied.
You will find that the best cybersecurity controls and strategies mold to your individual business requirements, but here are some general guidelines to follow to establish a baseline of proper security hygiene.
Have a Thorough Backup and Retention Plan
Without backups, threats such as ransomware can cripple your business and destroy productivity. Other malware damages your infrastructure, but few things come close to the damage caused by an effective ransomware attack. You can still suffer downtime even with backups in place, but at least you have a way to recover your data and files quickly with more limited impact on productivity.
Backup frequency and retention are driven by the volume of data and how quickly it changes, which is another way of saying how much work you can afford to lose (the recovery point objective). Some businesses function perfectly well on daily backups, while larger organizations back up several times a day. The retention plan sets how long each backup is kept; two weeks is a common minimum, with a copy held off-site. The off-site copy matters because ransomware operators routinely hunt for backups reachable from the compromised network and encrypt or delete them before triggering the payload, so at least one copy should be offline or write-locked (immutable) for the retention period, and restores should be tested regularly. A backup that has never been restored is an assumption, not a control.
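The following is an added worked example of the retention logic described above; it is not code from the original article or from Access Point. It assumes a hypothetical policy of 14 daily, 8 weekly and 12 monthly snapshots, a 30-day write lock on every snapshot, and a constructed list of snapshot dates. Given those dates it decides which snapshots to keep, which may be deleted, which are still locked and cannot be deleted yet even if the pruning job (or an attacker holding its credentials) asks, and whether the newest snapshot is stale, which is how a silently failing backup job shows up.

```python
"""Apply a daily/weekly/monthly backup retention plan with a write-lock window.

Added example, not from the original article. The policy numbers, the lock
period and the snapshot dates are assumptions constructed for the demonstration.
"""
from datetime import date, timedelta

# Assumed policy: every daily for 14 days, the newest of each ISO week for 8 weeks,
# the newest of each month for 12 months.
POLICY = {"daily": 14, "weekly": 8, "monthly": 12}
# Assumed write-lock (immutability) window: nothing younger than this can be deleted,
# even by the backup service account, which is what defeats "delete the backups first".
LOCK_DAYS = 30

# Constructed sample: one snapshot per day for Q1 2023 plus two older survivors.
SAMPLE_SNAPSHOTS = [(date(2023, 1, 1) + timedelta(days=i)).isoformat() for i in range(90)]
SAMPLE_SNAPSHOTS += ["2022-06-15", "2022-04-10"]


def months_between(earlier, later):
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def select_keep(snapshots, today, policy=POLICY):
    """Return the ISO dates to keep under the policy, evaluated as of `today`."""
    snaps = sorted({date.fromisoformat(s) for s in snapshots}, reverse=True)  # newest first
    keep, weekly, monthly = set(), {}, {}
    for s in snaps:
        age = (today - s).days
        if age < 0:
            continue  # a snapshot dated in the future means clock skew; leave it alone
        if age < policy["daily"]:
            keep.add(s)
        if age < 7 * policy["weekly"]:
            weekly.setdefault(s.isocalendar()[:2], s)   # first seen = newest in that week
        if months_between(s, today) < policy["monthly"]:
            monthly.setdefault((s.year, s.month), s)    # first seen = newest in that month
    keep.update(weekly.values())
    keep.update(monthly.values())
    return {s.isoformat() for s in keep}


def plan(snapshots, today_iso, policy=POLICY, lock_days=LOCK_DAYS):
    """Split snapshots into keep / delete / still-locked and flag a stale newest backup."""
    today = date.fromisoformat(today_iso)
    keep = select_keep(snapshots, today, policy)
    delete, locked = set(), set()
    for s in set(snapshots) - keep:
        age = (today - date.fromisoformat(s)).days
        # Anything inside the lock window (or dated in the future) stays put.
        (delete if age >= lock_days else locked).add(s)
    newest = max(date.fromisoformat(s) for s in snapshots)
    # No snapshot in the last day: the job is failing silently and nobody has noticed.
    stale = (today - newest).days > 1
    return {"keep": keep, "delete": delete, "locked": locked, "stale": stale}


if __name__ == "__main__":
    result = plan(SAMPLE_SNAPSHOTS, "2023-03-31")
    print({k: (len(v) if isinstance(v, set) else v) for k, v in result.items()})
```

Run against the sample on 2023-03-31 the plan keeps 24 snapshots, frees 54 for deletion and holds 14 back because they are still inside the lock window; run it three days later with no new snapshot and the stale flag trips, which is the alert that should page someone.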
Keep Audits of Data Changes and Monitor the Environment
The HIPAA Security Rule requires audit controls that record activity in systems holding electronic protected health information (ePHI) and regular review of that activity. Any software application claiming to be HIPAA-compliant should offer auditing as a built-in control. An audit trail records who accessed a record, who changed it and who requested access to view it, along with when and from where, so that access outside a legitimate care relationship can be spotted.
Monitoring is the other half of the control: an audit trail nobody reads satisfies the letter of the rule and nothing else. Many tools now use machine learning to flag suspicious activity on the network, quarantine affected data automatically and alert the appropriate contacts. Intrusion detection systems raise the alarm when an attack pattern is seen, and intrusion prevention systems can block it in line, but both depend on someone being on call to act on the alert.
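The following is an added example of the kind of audit-trail review the two paragraphs above call for; it is not code from the original article or from Access Point, and no real EHR exports this exact format. It assumes a constructed access log (timestamp, user, action, patient ID, source IP), a hypothetical care-team assignment table, a hypothetical night-shift roster and arbitrary thresholds, and applies three rules that catch the common abuse patterns: access to a patient the user does not treat, after-hours access by someone who should not be working, and bulk access to many records in a short window.

```python
"""Review EHR audit-trail records for access that warrants a closer look.

Added example, not from the original article. The log format, the care-team
assignments, the night-shift roster and the thresholds are all assumptions
constructed for this demonstration; a real EHR exports its own audit format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, action, patient ID, source IP.
SAMPLE_LOG = """\
2023-03-06T09:02:11 jdoe VIEW P1001 10.0.5.21
2023-03-06T09:03:40 jdoe UPDATE P1001 10.0.5.21
2023-03-06T09:15:02 jdoe VIEW P1002 10.0.5.21
2023-03-06T13:10:00 rsmith VIEW P2200 10.0.7.14
2023-03-06T13:10:30 rsmith VIEW P2201 10.0.7.14
2023-03-06T13:11:00 rsmith VIEW P2202 10.0.7.14
2023-03-06T13:11:30 rsmith VIEW P2203 10.0.7.14
2023-03-06T13:12:00 rsmith VIEW P2204 10.0.7.14
2023-03-06T13:12:30 rsmith VIEW P2205 10.0.7.14
2023-03-06T23:41:07 jdoe VIEW P3300 203.0.113.9
2023-03-06T23:42:19 nnight VIEW P1001 10.0.5.30
"""

# Assumed care-team assignments: the patients each user legitimately treats.
ASSIGNMENTS = {
    "jdoe": {"P1001", "P1002"},
    "rsmith": {"P2200"},
    "nnight": {"P1001", "P3300"},
}
NIGHT_SHIFT = {"nnight"}          # assumed roster allowed on between 22:00 and 06:00
BULK_THRESHOLD = 5                # distinct patients inside one window
BULK_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    patient: str
    src_ip: str


def parse_log(text):
    """Parse the constructed log format into AuditEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, src_ip = line.split()
        events.append(AuditEvent(datetime.fromisoformat(ts), user, action, patient, src_ip))
    return sorted(events, key=lambda e: e.ts)


def review(events):
    """Return (rule, user, detail, timestamp) tuples for events that need review."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)
        # Rule 1: access to a patient outside the user's assigned care relationship.
        if e.patient not in ASSIGNMENTS.get(e.user, set()):
            findings.append(("unassigned_access", e.user, e.patient, e.ts.isoformat()))
        # Rule 2: after-hours access by someone not on the night roster.
        if (e.ts.hour >= 22 or e.ts.hour < 6) and e.user not in NIGHT_SHIFT:
            findings.append(("after_hours", e.user, e.patient, e.ts.isoformat()))
    # Rule 3: bulk access, i.e. many distinct patients within a short sliding window,
    # the pattern left by record harvesting before exfiltration.
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > BULK_WINDOW:
                start += 1
            distinct = {x.patient for x in evs[start:end + 1]}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, f"{len(distinct)} patients", evs[end].ts.isoformat()))
                break  # one finding per user is enough to trigger a review
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the sample, rsmith trips both the unassigned-access and bulk-access rules, jdoe's late-night lookup from an outside address trips unassigned-access and after-hours, and the night-shift user's access to an assigned patient produces nothing. Rules like these are cheap to run nightly against an exported audit table; the expensive part is the assignment data, which is exactly the context a generic SIEM lacks.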
Update Software, Especially with Security Patches
Outdated software carries publicly known vulnerabilities that attackers can exploit with off-the-shelf tooling. Developers release security patches to close them, and while the HIPAA Security Rule does not name patching as such, its risk-management and malicious-software-protection requirements are hard to satisfy without a patching process. Patch management software scans servers and workstations for outdated software and applies patches automatically, or flags them for a manual update where an application needs to be tested first.
Every server should run a supported operating system and supported application versions. Unpatched software is responsible for many breaches, including the infamous Equifax compromise, in which attackers exploited a known vulnerability in the Apache Struts web framework for which a patch had been available for about two months, and made off with records on 147 million consumers⁴. Cyber criminals scan large portions of the internet for public servers hosting vulnerable applications and exploit them automatically within seconds of finding them.
Train Employees to Detect Phishing and Social Engineering
Many of the biggest data breaches start with a phishing email, and social engineering over the phone or in person is another common way criminals talk employees into divulging sensitive information or handing over their credentials. People are the easiest control to bypass, so they need to know the signs of an active attempt and what to do when they see one.
Cybersecurity awareness training is essential to reduce the risk from insiders. Not every insider threat is malicious: phishing plays on an employee's sense of urgency and is designed to make them miss the usual tells. Training teaches employees to slow down and tell a legitimate request from a fraudulent one, and should give them a low-friction way to report what they see. Training lowers click rates but never to zero, so pair it with controls that limit what a stolen password can do, such as multi-factor authentication.
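The following is an added example of the "usual tells" in code form, the checks a mail gateway or a triage script can run on a reported message; it is not code from the original article or from Access Point. It assumes two constructed messages, one a credential-phishing lure and one a routine notice, and a hypothetical list of trusted domains. The rules look for a lookalike sender domain, a display name that borrows a trusted organisation's name, a Reply-To that diverts replies elsewhere, urgency language, and links to lookalike hosts.

```python
"""Score an inbound e-mail for common phishing and social-engineering indicators.

Added example, not from the original article. The two sample messages, the
trusted-domain list and the indicator rules are assumptions constructed for
this demonstration; real deployments tune them to their own mail environment.
"""
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"clinic.example", "ehrvendor.example"}  # assumed: your own and key vendors

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account)\b", re.I)
LINK_HOST = re.compile(r"https?://([^/\s>]+)", re.I)

# Constructed samples. The first is a credential-phishing lure, the second a routine notice.
PHISH = """\
From: "Clinic IT Support" <helpdesk@c1inic.example>
Reply-To: support-desk@mail.example
To: nurse@clinic.example
Subject: URGENT: your EHR access will be suspended
Content-Type: text/plain

Your password expires today. Verify your account within 24 hours at
https://c1inic-example.support/login or access will be suspended.
"""

LEGIT = """\
From: "Help Desk" <helpdesk@clinic.example>
To: nurse@clinic.example
Subject: Scheduled EHR maintenance on Saturday
Content-Type: text/plain

The EHR will be offline 02:00-04:00 on Saturday. Details are on
https://intranet.clinic.example/maintenance
"""


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def normalize(domain):
    """Fold the substitutions attackers use to build lookalike domains."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for glyph, plain in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(glyph, plain)
    return d


def levenshtein(a, b):
    """Plain edit distance; one substitution away from a trusted name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` impersonates, or None."""
    domain = domain.lower()
    if is_trusted(domain):
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or levenshtein(norm, trusted) <= 1:
            return trusted
        if trusted.replace(".", "-") in norm:   # e.g. clinic-example.support
            return trusted
    return None


def analyze(raw):
    """Return the list of indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    target = lookalike_of(from_domain)
    if target:
        indicators.append(f"from_domain_lookalike:{from_domain}->{target}")
    # Display name borrows a trusted organisation's name while the address does not belong to it.
    if display and not is_trusted(from_domain) and any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        indicators.append(f"display_name_mismatch:{display}")
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"reply_to_mismatch:{reply_domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        indicators.append("urgency_language")
    for host in LINK_HOST.findall(text):
        target = lookalike_of(host)
        if target:
            indicators.append(f"link_lookalike:{host.lower()}->{target}")
    return indicators
```

The lure lights up all five indicators while the maintenance notice produces none. None of these checks is proof on its own, and a well-crafted lure can pass all of them, which is why the output is a list of indicators for a person to weigh rather than a verdict, and why the training above still matters.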
Have an Incident Response Plan
Being proactive with cybersecurity does not eliminate risk, so you need an incident response plan for managing an active threat quickly. The usual sequence is detect and triage, contain, eradicate (including finding and closing the vulnerability that was exploited), recover, and then review what happened. An effective plan also spells out who has the authority to make decisions such as taking systems offline, who must be notified, and the process to follow in the aftermath of a compromise; for a HIPAA covered entity that includes the Breach Notification Rule's deadline of no later than 60 days after discovery for notifying affected individuals.
Incident response is a high-stress event, so a plan helps everyone involved know what to do and avoids missed steps. The faster and more practised the response, the less damage the organization suffers, so rehearse the plan with tabletop exercises rather than reading it for the first time during a breach.
How Access Point Can Help
Access Point’s expertise in cybersecurity and compliance frameworks can help healthcare organizations remain HIPAA-compliant, defend against internal and third-party threats, and create a plan to limit damage in the event of a compromise. Access Point can help you analyze your security program’s current level of maturity and help to keep you from becoming the next victim.
To find out more about how you can improve your current cybersecurity posture, contact our team about our advisory support services.
Sources
¹ https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
² https://www.hipaajournal.com/2022-healthcare-data-breach-report/
³ https://www.ibm.com/reports/data-breach
⁴ https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf