Protecting healthcare workers from targeted cyber-attacks
James Thorpe
Errol Weiss, Chief Security Officer, Health-ISAC explains how we can protect healthcare workers from targeted cyber-attacks.
The healthcare sector faces a major threat from cyber-crime, with organisations falling victim to devastating attacks. However, criminal tactics such as phishing don't only target organisations.
The same attacks can also steal information from individual healthcare workers and expose them to a range of fraudulent schemes, notably identity theft.
Keeping workers safe is vital in an industry that’s been struggling with long term labour shortages.
By leaving vulnerabilities unmitigated, organisations contribute to an unsafe working environment and make it harder to retain staff.
The risk to workers is significant. An attacker could obtain a worker's banking details, home address and social security number from a poorly protected system.
They might also steal the worker’s identity or attempt to extort money by threatening to post information on the dark web.
And, although it’s rare for a worker’s contract to be terminated for being involved in a cyber-attack, the incident can affect the worker’s reputation and impede their ability to advance their career.
If healthcare organisations intend to protect their workers, it’s crucial for them to grasp the true danger of cyber-crime and the risks it poses to the people who run their business.
With this in mind, here are some extremely common cybersecurity vulnerabilities in healthcare organisations – ones that criminals can exploit to target individual workers.
Outdated software
Organisations can inadvertently leave systems open to intrusion by failing to update or patch them regularly.
Outdated and unpatched systems are easier to break into than current software: the vulnerabilities they contain are typically publicly documented, and working exploit code is often freely available for them.
HR systems that hold sensitive employee data, such as phone numbers, identity documents and banking details used for payroll, are a particular concern.
Every outdated piece of software or missed patch is a potential entry point for criminals.
Healthcare organisations tolerate legacy software and unpatched systems for numerous reasons, such as the understandable prioritisation of patient services above IT risk management procedures.
The number and variety of third party software suppliers that organisations work with can be daunting.
When different products are used for billing, record keeping and telehealth, it is harder to ensure every one of them is updated and patched, and to keep track of which supplier is responsible for doing so.
Single-layer security protocols
Attacks against healthcare systems often begin with an attacker obtaining employee credentials.
Armed with an individual's credentials, a cyber-criminal can log into an internal system at a healthcare organisation as if they were that employee and access real personal data, which can then be used for identity theft and fraud.
The attacker could use the employee's banking details to go on a spending spree or open a credit card account in the employee's name.
Relying on a password as the sole barrier to sensitive data no longer makes sense and is not considered best practice. Healthcare organisations should add another, stronger layer of protection to their internal systems by implementing multi-factor authentication (MFA).
This often takes the form of a one-time code sent to the individual's phone or email.
Even if an attacker steals someone's password, they then also need the text message or email containing the code, which is harder to obtain remotely. It is not impossible, though: a code can be relayed through a real-time phishing page or captured after a SIM swap, so app-based or phishing-resistant methods such as FIDO2 security keys or passkeys are stronger wherever the organisation can deploy them.
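The server side of a one-time-code factor has its own failure modes, and they are worth seeing in code. The example below is added here as an illustration and is not code from Health-ISAC or from the original article; the `OneTimeCodeStore` class, the 5-minute lifetime and the 5-attempt limit are assumptions chosen for the example. It shows what a verifier must enforce beyond "does the code match": the code expires, it can be used only once (so a replayed code fails), guessing is cut off after a few attempts, and the comparison is constant-time. Delivery over SMS or email, and the phishing of the code itself, are outside what this code can fix.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: lock the code after five wrong guesses


class OneTimeCodeStore:
    """Server-side store for one-time codes sent out of band (SMS/email).

    Hypothetical helper written for this article; an in-memory dict stands in
    for whatever database or cache a real deployment would use.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> {"hash", "expires", "attempts"}

    def issue(self, user):
        """Create a fresh 6-digit code for `user`, replacing any earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {
            # Store only a hash so a leaked table does not hand out live codes.
            # The short TTL and attempt limit, not the hash, are the real defence.
            "hash": hashlib.sha256(code.encode()).hexdigest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # handed to the SMS/email sender; never written to logs

    def verify(self, user, submitted):
        """Return True once, for the right code, within its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing outstanding for this user
        if self._clock() > entry["expires"]:
            del self._pending[user]           # expired: force a fresh code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: invalidate
            return False
        submitted_hash = hashlib.sha256(submitted.encode()).hexdigest()
        ok = hmac.compare_digest(entry["hash"], submitted_hash)
        if ok:
            del self._pending[user]           # single use: a replay will fail
        return ok


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("first use:", store.verify("alice", code))    # True
    print("replay:", store.verify("alice", code))       # False
```

Deleting the entry on success is what makes a stolen code worthless after the legitimate user has logged in; deleting it on the attempt limit is what keeps a six-digit space from being brute-forced in a few minutes of automated guessing.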
Insufficient training
A big reason healthcare organisations are easy targets for hackers is the industry’s relative lack of cybersecurity expertise and awareness.
Healthcare workers are understandably not well-versed in the common tactics of cyber-criminals, which makes them more likely to be manipulated into revealing personal data or login details in a phishing attack.
One of the oldest phishing schemes is when a hacker poses as an IT professional and asks a targeted victim in an email to reveal their login information so the “IT professional” can fix an unspecified issue.
Once the hacker logs into the system, they can gradually obtain personal information about the employee, who remains completely unaware that a cyber-attack is underway.
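The "IT professional" lure described above leaves traces in the message itself that a mail gateway or a help desk can check before a user has to judge it. The example below is added here and is not part of the original article; it is a simple triage heuristic, not a detection product. It parses a message with Python's standard `email` library and flags three signals of that scheme: a display name that claims to be IT or support while the sending address is outside the organisation, a Reply-To that points somewhere other than the From domain, and a body that asks for credentials. The internal domain `example-hospital.org` and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
import re

# Assumption: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example-hospital.org"}

IT_TERMS = re.compile(r"\b(it|helpdesk|help desk|service desk|support|admin)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(password|passcode|login|log in|credentials|verify your account)\b", re.I
)

# Constructed sample: the classic "IT needs your login" lure.
PHISHING_SAMPLE = """From: "IT Helpdesk" <helpdesk-reset@gmail.example>
Reply-To: it-support-team@mail.example.net
To: nurse@example-hospital.org
Subject: Action required: account issue
Content-Type: text/plain; charset="utf-8"

Hi, we detected an issue with your account. Reply with your login and
password so we can fix it today.
"""

# Constructed sample: an ordinary internal message.
BENIGN_SAMPLE = """From: "Maria Lopez" <maria.lopez@example-hospital.org>
To: nurse@example-hospital.org
Subject: Rota for next week
Content-Type: text/plain; charset="utf-8"

Hi, the rota for next week is on the shared drive.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of human-readable warning flags for a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    flags = []
    if IT_TERMS.search(display_name) and domain_of(from_addr) not in INTERNAL_DOMAINS:
        flags.append("display name claims IT/support but sender domain is external")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("Reply-To domain differs from From domain")
    if CREDENTIAL_ASK.search(body):
        flags.append("body asks for credentials")
    return flags


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", triage(sample) or "no flags")
```

None of these signals is proof on its own (an external contractor can legitimately have "support" in their name), which is why the output is a list of flags for a person to weigh rather than a verdict. The check that matters most in practice is the first one: real IT staff write from the organisation's own domain and never ask for a password by email.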
The best defence against long-established attacks like phishing is adequate training and education. Training helps workers distinguish attacks from genuine messages, which matters all the more as criminals adopt new tools to make phishing emails more convincing.
Healthcare organisations also need to make sure employees know who to turn to when they receive a suspicious email or are unsure whether a message is legitimate.
Protection through collaboration
The healthcare industry’s ability to protect its workers from cyber-crime directly depends on its knowledge of modern criminal tactics, especially those targeting individual workers.
However, healthcare workers may be reluctant to report cyber-incidents to the authorities due to fear of being fired, embarrassment or possibly to avoid any damage to the firm’s reputation.
Another factor may be the tendency for the organisation itself to keep a low profile when it suffers a cyber-attack, rather than reporting the attack to industry peers and publicising attack methodologies.
When organisations do not share their experiences of cyber-crime, both the organisation and its workers remain exposed, and workers may be unaware of the threats they face as individuals.
To protect themselves and their workers, it’s imperative for healthcare organisations to share information, such as how an attacker was able to obtain unauthorised access to the victim’s system, with other organisations.
This will encourage healthcare workers to be more open about their own experiences with incidents and help peers prepare for similar threats.
In this kind of transparent culture, healthcare workers can reduce their exposure by keeping up with attacker tactics and with changes to standard security practice.
In the digital age, working in healthcare requires the ability to quickly recognise cyber-incidents and keep extremely sensitive data – including workers’ personal information – out of the hands of cyber-criminals.
It’s up to organisations to provide the necessary resources to help workers acquire these essential skills and ensure their own safety in the process.