Health care companies must train staff to be vigilant around security.
When cyber security fails in a health care setting, the outcomes can be catastrophic. Patients can become a victim of identity theft and insurance fraud, two of the many forms of crime that can occur when health care IT systems are compromised by malicious attackers.
A clear understanding of these weaknesses supports a stronger plan for value creation in the form of better cyber security processes and defences.
Health care organisations are an appealing target for malicious attackers because they hold a significant amount of personal, sensitive and financial information that can be used illegally. Patients' health information can be sold on the dark net, as can banking information held by health care organisations that use an insecure payment method.
MEDICAL IDENTITY THEFT: TWO FORMS
- Consumers steal insurance information to cover benefits their insurance may not include, or because they have no insurance at all. For example, a drug dealer may use fraudulent insurance information to purchase prescription drugs.
- Providers may also file fraudulent claims on an individual’s insurance to obtain reimbursement for procedures they never performed. They may do this to offset the cost of treating uninsured or underinsured clients.
Awareness of cyber security threats in the health care industry is somewhat behind that of other industries such as financial services, which have been under attack for longer and have been forced to learn and make the necessary improvements to their security procedures. Meanwhile, malicious attackers have learned that many health care organisations are easy targets holding a vast amount of data to steal. This was evident in the recent ransomware attacks on several hospitals, such as Barwon Health and those in the Gippsland Health Alliance and the Southern West Alliance of Rural Health.
In addition to identity theft, many health care organisations take payments in a variety of ways, including at the point of sale, which can leave them vulnerable to a range of financially driven attacks. Health care organisations must strike a fine balance between the welfare of their patients and appropriately securing patients' information and financial records.
When assessing a health care organisation's cyber security maturity, it is important to concentrate on people and process, not simply the IT infrastructure. The most secure system only works if the team using it is well informed of best-practice procedures and vigilantly compliant. Similarly, when merging two health care organisations, it is critical to ensure that their cyber security systems are compatible and that a culture of cyber awareness has been instilled in both organisations.
Cyber security experts note that health care organisations continue to be exposed to security threats that have little to do with inappropriate use of the internet and everything to do with procedure and culture. Instead of hacking an internal network, malicious attackers frequently attempt fraud through social engineering techniques, such as telephone vishing or physical visits to the health care organisation. Sometimes they will locate a network port and connect a device to the internal network; at other times they may be more direct and pose as someone else. Some attackers will go to great lengths to build rapport with hospital staff in pursuit of controlled substances, among other things.
If you have any questions in relation to this article or cyber attacks on the health care industry, please do not hesitate to get in touch with your local RSM adviser or the National Head of Security and Privacy Risk Services, Darren Booth.
This article was adapted from an article published on the RSM US website on 3 October 2019.