Staying Data Healthy in the Ransomware Era

IT teams within the healthcare sector must make data theft more difficult. Here are three key steps to do so.

Security is no longer just about keeping data safe; it’s about protecting our health, safety and our wellbeing.

Research from Beazley found that the healthcare sector experienced the highest increase in ransomware demands, jumping 133% during the first six months of 2017.

During that time, the high-profile WannaCry ransomware hijacked the UK’s National Health Service. When the attack occurred and doctors and nurses tried to access patient files, a pop-up appeared notifying them that the data was under ransom and that they needed to pay a fee to access the records again. This had catastrophic outcomes as emergency trauma treatments, transplants and other life-saving medical procedures needed to be staggered or diverted to other facilities. Patients quickly lost faith. Not only that, but the hospitals could also encounter costly regulatory penalties.

So, what should be done to protect data and medical practices in this market?

Update and backup 

The need to make software updates available and easy to install is now more important than ever. The next WannaCry could easily leverage vulnerabilities across mobile or IoT platforms, some of which don’t even have software updates available. While some manufacturers are building their own update systems, many are already starting to leverage third-party systems for secure software updates.

The other key lesson is the need to back up critical data in a safe location. There are numerous cloud and on-premises services available. It’s important to choose a trusted system that will not only back up the data but also encrypt it, allowing secure access from a variety of endpoints.

When implementing the backup solution, the IT team should also ensure it includes a feature that provides a link to backed-up electronic medical records. The solution should also send mass notifications of steps to follow, so clinical staff can quickly and safely retrieve the data. This will prevent a sudden inundation of help-desk calls and reduce panic.

Education is key

The IT team should be mindful that medical practitioners are not security professionals, so the need for education is vital. It should also be explained how they can identify and avoid phishing scams to ensure sensitive patient data is not compromised.

Alongside employee training, it is also important to implement a tool that protects all data within the organization. A solution is offered via a containerization tool, which is an authenticated, encrypted area of a user’s device that can be used to insulate sensitive corporate information away from the personal side of the device. This means that even if a criminal cracks a stolen device, they won’t gain access to the content, credentials and configuration details. The container can also prevent cutting and pasting of information to unsecured emails, SMS, or IMs to further avoid phishing scams.

Secure file sharing

There have been several cases when medical practitioners have not had access to secure file-sharing solutions, so they have had to resort to using insecure data transfer tools to share patient records. Most recently it was reported that doctors are using Snapchat to send patient scans to each other. These insecure methods are risky and could result in data being stolen or compromised.

To prevent medical files from falling into the wrong hands, the IT team should implement a secure-file sharing solution so practitioners can send records in and outside the organization safely and securely. Using the company’s approved secure-file sharing solution will encrypt medical records, as well as ensure users can access their documents anytime and anywhere. With tools like this, it better protects the data and guarantees the information is within the user’s control.

Legal requirements

For healthcare professionals to ensure the best patient care possible, there are some legal precautions that can be taken. Cybersecurity requirements can be written into the procurement policies to force device, IT hardware, and software makers to build security into everything they sell. It is important that any installed applications are user-friendly; otherwise, staff will turn to less-secure shadow IT workarounds (like personal messaging apps and cloud storage).

IT teams within the healthcare sector should remember that technology is available to make data theft within the organization more difficult. They should recognise the importance of regularly updating their IT system and introduce employee training courses and security guidelines to ensure that staff are fully aware of the risks involved, as well as the preventative tactics. IT professionals should also deploy multiple layers of cyber threat protection and secure their networks. Failure to do so runs the risk of being a victim of the next big cyber-attack, ultimately experiencing data loss and even more of a concern – potential loss of life.

While cyber-attacks are unfortunate, they should serve as a much-needed wake-up call to the healthcare sector. Protecting patients doesn’t stop the moment they leave the medical center. Health practitioners are under an obligation to keep their patients’ records completely safe and secure.

Source: CSO Security news