[BreachExchange] Five Dangerous Healthcare Cybersecurity Myths

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 18 18:17:01 EST 2018


Healthcare organizations are staffed with physicians and other
highly-trained employees whose education and experience give them great
confidence in their decisions. That confidence, however, can be troublesome
if it extends beyond medical decisions and into the world of cybersecurity.
Hospitals, medical centers, and other healthcare entities are treading on
thin ice if they subscribe to these five common but dangerous cybersecurity

1. Myth: Our Firewall and Anti-Virus Software Will Protect Us.

Fact: Even the most up-to-date antivirus and other security software will
not be effective against new threats and hacking attacks that easily
bypass software and technology firewalls. Technology can provide a first
layer of defense around the perimeter of a healthcare organization, but
that defensive layer is readily breached. Further, once installed, many
healthcare perimeter defenses are not updated or maintained properly,
making them even more vulnerable to a cyberattack.

2. Myth: Ransomware is not a problem in the healthcare industry.

Fact: Ransomware attacks, in which malicious code blocks access to data
records, accounted for more than one fourth of all reported cyberattacks
on healthcare organizations in 2016. Hospitals and medical entities may be
underreporting these incidents out of concern over loss of patient
confidence and damage to the organization’s reputation. Given the
mission-critical nature of healthcare data, healthcare entities are more
likely to be targeted by ransomware attackers, who see a quick way to
extort ransom funds from a targeted entity. Moreover, paying a ransom to
end an attack will not prevent further ransomware attacks. And hackers
that learn of an entity’s willingness to pay ransom will be tempted to
launch further attacks against the same

3. Myth: A strong password policy will insulate us from cyberattacks.

Fact: Requiring employees of healthcare organizations to use strong
passwords is a good start, but that policy alone will not insulate the
organization from a cyberattack. Employees’ use of mobile devices opens
new avenues of attack to hackers who prefer to target external devices
that enter the workplace. In addition, if an employee reuses the same
strong password for multiple logins, a hacker that obtains the password
for one login will have access to all of the other accounts. Password
managers and two-factor authentication for healthcare organization network
logins will reduce these threats, but they will not eliminate the problem
entirely.

4. Myth: Our reputation will remain intact even if we experience a

Fact: A healthcare entity’s average actual losses and liabilities from a
single cyberattack exceeded $800,000 in 2017. This does not account for
loss of reputation and other business losses that the entity will
experience as patients seek healthcare providers that offer more security
for their personal medical records. Patients concerned about
cybersecurity in healthcare will be drawn to organizations known to take
greater pains to protect their information and to maintain cybersecurity
insurance that offers compensation for losses and

5. Myth: Internet-connected devices do not raise our exposure to a

Fact: Medical devices that are part of the ever-growing Internet of Things
(IoT) environment can be an easy entry point for a cyber attacker,
especially one intent on breaching a healthcare organization’s data
networks. Why? IoT medical devices typically run on embedded legacy
software that is updated infrequently, if it is updated or maintained at
all. Those devices also open new pathways for hackers to launch
distributed denial-of-service (DDoS) attacks on healthcare organizations.
These attacks overwhelm a network and distract IT security personnel while
hackers look for other entry points into the network. Cybersecurity in a
healthcare environment is wholly incomplete if IoT medical devices are
excluded from the broader cybersecurity strategic plan.

This is a lot of information for an organization to tackle at once. If you
want to improve your defenses, it is probably best to develop a structured
plan. Decide what to handle this quarter and what to handle next quarter.
Little by little you can avoid dangerous healthcare cybersecurity threats.