Cyber security awareness is a critical business issue for every organisation. However, it is quite simply essential in the healthcare sector, where data is particularly sensitive.
The large volumes of confidential data, combined with often vulnerable security systems, and an extensive network of connected medical devices make the healthcare sector a prime target for cybercriminals.
The healthcare industry is one of the most exposed industries, plagued by a myriad of cyber security-related issues, such as security incidents, organisational breaches, and data theft originating from internal and external sources.
Healthcare Cyber Security in Critical Condition
Last year data breaches and ransomware attacks cost healthcare providers an estimated $4 billion. In fact, 67% of healthcare organisations have experienced a cyber security incident in the past twelve months.
Perhaps the most infamous incident occurred in 2017, when a devastating global cyberattack crippled computers in hospitals across the UK. The impact of the WannaCry cyberattack was substantial, with the cyber incident disrupting services across a third of hospital trusts and around 8% of GP practices. The estimated total cost of restoring the affected systems reached £92 million, according to the Department of Health & Social Care.
More recently, healthcare providers and medical research organisations have experienced a surge in phishing attacks linked to the ongoing Covid-19 crisis. Brno University Hospital in the Czech Republic, which is one of the country’s Covid-19 testing centers, was struck with ransomware which resulted in all surgeries being postponed.
Amid a sharp rise in coronavirus-related phishing attacks worldwide, the US Department of Health and Human Services (HHS) also suffered a Distributed Denial of Service (DDoS) attack, which was intended to disrupt the organisation’s response to the Covid-19 pandemic.
The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have reported an array of attacks on medical bodies, especially those that have been involved in the response to the pandemic.
Cyber Security Concerns in the Healthcare Sector
It is clear that hackers will continue to launch cyberattacks targeting the healthcare industry while there are profits to be made, whether selling stolen patient data or holding healthcare systems hostage until the criminals’ demands are met.
The healthcare sector has experienced a significant shift in recent years with the adaptation of new technologies to facilitate data integration, patient engagement, and clinical support.
With this transition from traditional paper-based methods comes a wealth of opportunities for cybercriminals, such as malware that compromises the privacy of patient data, to distributed denial of service (DDoS) attacks that disrupt the ability to provide patient care.
However, organisations are often too preoccupied with defending against external threats to address the very real and dangerous risks that may lie within their own ranks.
The Insider Threat
With a wealth of highly confidential and protected health information (PHI) at their fingertips, healthcare workers have access to high volumes of patient data that needs to be accessible to staff, both on-site and remotely, and on multiple devices.
It’s widely recognised that cybercriminals target the weakest point of an organisation’s defences and, all too often, that means their employees. Last year, the UK Information Commissioner’s Office (ICO) revealed that human error was the cause of 90% of cyber data breaches.
Ultimately, healthcare workers are guardians of data and cyber threats now pose a major public health problem.
To mitigate against the risk, security awareness must become an integral part of the overall security strategy of the healthcare industry to prevent potential cyber attacks.
Prevention Over Prescription
As cyber attacks become more sophisticated and targeted than ever before, cyber security awareness in the healthcare sector is the most powerful weapon against these continually evolving threats and techniques. Despite having multiple layers of security in place, cyber security awareness remains a key challenge for many organisations. Often an ad-hoc approach is adopted, but it’s important to recognise that cyber awareness is more than just simulated phishing.
To truly change cyber security behaviours, organisations must commit to a cyber security awareness program that enables staff to recognise and embrace the important role they play in safeguarding sensitive organisational data.
With the healthcare industry increasingly prone to malicious cyber attacks, the key to improving cyber security awareness in this sector is to implement an effective cyber awareness campaign and create a culture of cyber awareness.
Implementing an Effective Cyber Awareness Campaign
- Start with CEO Leadership
Cyber security is everyone’s responsibility, but resilient organisations have strong CEO leadership. If the CEO is taking cyber security seriously, this will permeate throughout the organisation and help create a culture of enhanced cyber security awareness.
- Know Your Organisational Tolerances
Taking time to properly identify the risks can help shape the messaging, delivery and effective targeting of your cyber security awareness program.
- Defend Your Information Assets
You need to determine what your most valuable information assets are, where they’re located, and who has access to them. Every asset should be classified (for example, public, private or confidential) and protected based on its value. Doing so is crucial when identifying risks and prioritising the areas that need to be defended.
- Focus on High-Risk Groups
The key to an effective security awareness program is ensuring the right training is targeted at the right people. All users are susceptible to cyber threats; however, certain employees have a higher threat profile than others. For example, your HR and Finance departments will be frequently targeted with phishing threats because of their privileged access to valuable data.
- Make It Engaging with Effective Storytelling
Storytelling is one of the most powerful ways to breathe life into your cyber security awareness campaign. Face it, cyber security can be a dry topic, but it’s vital you find ways to engage your staff if you want to positively impact behaviour within your organisation. The message is just too important to get lost in formal, corporate communications
- Get Your Policy Management Up To Date
Policies are crucial in establishing boundaries of behaviour for individuals, processes, relationships and transactions within your organisation. They provide a framework of governance, identify risk and help define compliance, which is important in today’s increasingly complex regulatory landscape.
- Start Preparing for a Data Breach Now
It’s no longer a matter of ‘if’ your organisation is going to be attacked, but ‘when’. You need to start preparing for the inevitable and put a plan in place that ensures appropriate and timely action when security is breached.
- Enlist Cyber Security Champions
Appointing cyber security champions is a great way to empower staff and equip them with the skills needed to prevent a cyber attack.
- Consider Your Supply Chain
Every supplier and third party that connects to your business is a potential risk, so it’s vital you carry out detailed third-party risk assessments to address any issues that could pose a threat to your security. Doing so can help determine what security measures need to be put in place to keep your data secure.
- Implement Proper Oversight and Regular Reviews
The threat landscape is continually evolving, so your cyber security awareness program needs to evolve with it. It’s important to conduct regular reviews of staff readiness to identify areas of weakness and establish whether current policies and training need to be updated.
Create a More Security Conscious Workforce
Cyber Security Awareness for Dummies acts as an indispensable resource for implementing behavioural change and creating a culture of cyber awareness.
In this guide, you will learn:
- What cyber security awareness means for your organisation
- How to implement a cyber risk awareness campaign
- The critical role of policies to establish safe baselines
- How to maintain momentum and staff engagement
- 10 cyber security awareness best practices
Click here to claim your free copy of Cyber Security Awareness for Dummies.