Find out how CardioScan is protecting your data. Download our Security Information fact sheet:
A 2019 IBM study showed that the average cost to business globally per lost or stolen record in a data breach was $150USD, while to a healthcare provider, the loss of a patient record cost almost three times that at $429USD. When scaled into the thousands of records, it could be catastrophic. Furthermore, on average, it took 93 days for the healthcare industry to contain a data breach – making prevention a much better approach, than remedy.
With more than 30 years in the sector and with operations in Europe, Asia, America and Australia and New Zealand, CardioScan shares vast insight to cybersecurity worldwide. In this 3-part series, we examine the common threats and best practice security measures health clinics may need to consider when protecting against security breach.
While many may think first of hackers, there are four main types of security threat – some include a deliberate nefarious intent, while others can be the result of an accident. However, all have the potential to cause significant harm, and that’s why it’s so important to be aware of the risk that each one poses. After all, data security is not the responsibility of the IT department, but instead requires a business-wide approach.
A hacker is an example of a malicious outsider, who typically use techniques like phishing and social engineering to attack individuals and corporations. Last year, the healthcare industry reeled as it witnessed such an attack in Singapore, when hackers targeted the SingHealth database, including the details of Prime Minister Lee Hsien Loong. Hackers are typically driven by money, with 76% of hackers financially motivated to carry out an attack. If successful, an attack costs businesses $6.45m on USD on average, according to a 2019 IBM study so it’s financially critical to put measures in place to protect yourself.
Data encryption is paramount to protecting against hackers, as the harder the data is to decrypt, the more robust the defence is against their phishing and social engineering attempts – even if they do manage to initially penetrate company systems.
More common than you might think, a jaded employee with legitimate access to company data, but with plans to use it for nefarious purposes, is an example of a malicious insider. Insiders can often be a bigger threat than hackers, with IBM data from 2016 finding that 68% of all network attacks targeting healthcare organisations during that year were carried out by insiders.
Malicious are looking to cause harm to an individual or company after a perceived wrongdoing by the party/s being targeted, which is why it’s important to manage those with access to patient data. All interactions with patient data should be logged, so that if a leak does arise, its source can be more easily traced. Additionally, monitoring for changes to important files means that it is immediately apparent if they are being modified by a malicious source.
Not every data breach is a result of malicious intent. People can be tricked by official-looking emails, send information to the wrong person, upload data to a public location or misconfigure servers where data is stored. Employee training is crucial, as otherwise, hundreds of thousands of patient records could be at risk. This training should be regularly conducted, as well as tested at regular intervals.
It’s also important to have firewalls and anti-virus in place so that if malware, spyware or ransomware is accidentally installed it is quarantined rather than able to wreak havoc on your systems and obtain sensitive data. These security measures don’t need to constantly be monitored, but instead can prevent attacks in the background.
Leaving a laptop, phone or other device in a public place and forgetting it’s there is another common threat. It can happen to anyone, without meaning it. While this isn’t the worst outcome if the device in question is encrypted, an unencrypted and unlocked device or external hard drive that contains sensitive information can be damaging to any business if it ends up in the wrong hands.
With greater awareness of the risks and some of the measures to lessen the risks, what more should health businesses be doing to improve cybersecurity? Firstly, all businesses should be backing up their data regularly, in order to prevent being held ransom. Ransomware is a growing and significant threat, as hackers will often charge amounts upwards of tens of thousands of dollars in order to return the data they have obtained. It’s also important to make sure that these backups are regularly being tested, so in case they are needed, they are proven to be working.
It’s also important to look inwards, as well as outwards. Insiders who cause data compromise can often act undetected, as it’s not immediately clear what they are up to. They could be interacting with the data they are accessing for illegitimate purposes every day, so it’s important to take an integrated approach to data security. The more people that have access to sensitive data, the higher the chance that said data is at risk, which means only providing access to those who absolutely need it. Similarly, the easier the data is to access, the higher the chances that it can be stolen. Providing several layers of protecting for sensitive data, as well as controlling the flow of those who access it, goes a long way towards protecting it.
Protecting your data is not only important to your business, but important to your patients. Your patients are entrusting you with their confidential information, and it is up to you to provide them the peace of mind that their data won’t fall into the wrong hands. There is an increasing threat level when it comes to people attempting to maliciously obtain sensitive information, but there is also more understanding surrounding how to protect oneself from these attacks. With a whole-of-business approach, your business can be safe in the knowledge that when a threat arises, you’ll be best prepared to combat it.
Phishing: A type of hack where an attacker pretends to be a trusted entity. They then try to trick people into provide or confirm personal details through establishing contact over email, social media, phone call or text message. They are designed to look genuine, so it’s important to be vigilant.
Social engineering: A broad term used for malicious activities accomplished through human reaction. Phishing is a type of social engineering.
Firewalls: A network security system that monitors and controls incoming and outgoing network traffic based on security rules that are established. It forms a barrier between your business’ internal network and an untrusted external network like the Internet.
Malware: Short for malicious software, malware is any computer program designed to infiltrate and damage devices without the user’s consent.
Spyware: A type of malware, spyware is unwanted software that infiltrates your device and steals your data and information.
Ransomware: A type of malware, ransomware is designed to deny access to a device or data until a ransom is paid.
Encrypted: If data is encrypted, it has been converted into a code designed to prevent unauthorised access.