The Tenet Case: Are Hackers Targeting the Healthcare Industry?
How Healthcare Can Stay Safe in this Cybersecurity Landscape.
Tenet Healthcare Corporation is an international healthcare services corporation with headquarters in Dallas, Texas that operates 65 hospitals and more than 450 healthcare institutions.
Recently, telephone service and some IT systems at at least two Tenet hospitals in the West Palm Beach area went offline.
Tenet stated that essential services had been restored to the greatest extent possible and that facilities that had been disrupted had “begun to resume regular operations.” The outage was just momentary, and hospitals were able to continue providing treatment by using backup systems.
The corporation did not disclose the nature of the event or whether patient data was exposed. Tenet said that it had halted access to the vulnerable applications, initiated an investigation, and taken additional security measures to protect the network.
Efforts to restore impacted information technology operations continue to make important progress.
Source: HIPAA Journal
Healthcare as a Target
This is not the first cyberattack that targeted healthcare institutions. Last year we witnessed a surge in ransomware attacks, with malicious actors going after important healthcare entities like the Canadian insurer Guard.me, one of the world’s largest insurance carriers, Ireland’s Department of Health, New Hampshire Hospital, and many others.
Healthcare institutions are especially susceptible to cyberattacks because they hold so much information that has a high monetary and intelligence value to cybercriminals and nation-state actors. Patients’ protected health information (PHI), financial information such as credit card and bank account numbers, personally identifying information (PII) such as Social Security Numbers, and intellectual property related to medical research and innovation are among the types of data that have been targeted for collection.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being shared without the patient’s permission or knowledge.
Regulations like HIPAA are created for healthcare providers in the US, whereas GDPR concerns worldwide operations, so healthcare providers and their business partners must ensure they are aware of the newest rules and choose suppliers and business associates who are equally aware.
Cybercrime in the healthcare sector is exploding and Tenet is just one example! Last year, a cyberattack cost the system around $100 million in lost revenue, and the frequency with which hackers hit healthcare institutions is flaring up with each year. As computer systems are running health systems like respiratory monitors, people might actually die if there are no cybersecurity measures in place and if there is no cybersecurity awareness! It’s vital for healthcare institutions to implement a strong security strategy, at all levels, from patch management to privileged access management and DNS filtering. My advice? Unify security solutions, because the disparity in them causes critical data to be overlooked.
Morten Kjaersgaard – Heimdal Security CEO
What Can Healthcare Organizations Do to Improve Cybersecurity?
Educate the staff
Security awareness training could provide healthcare workers with the information they need to make informed choices and protect patient data, as the human factor continues to be a major security risk in many businesses, but especially in healthcare.
Training and awareness campaigns make staff aware of cyber risks and empower them to be more cautious. Security awareness should be embedded into the culture of the business so that security becomes a priority (in the same way patient confidentiality is).
Make patching a priority
Just as treating a patient is important, it is also important to treat your IT infrastructure.
You can address technical vulnerabilities by patching your systems, as this will reduce your attack surface, and your organization will become less exposed to cyberattacks or security breaches. It’s important to note that automating this process can reduce manual work, meaning IT and security teams can improve their efficiency.
Secure your endpoints
Endpoint security (or protection) solutions make use of cloud-based threat information databases to give security administrators rapid access to the most up-to-date threat intelligence without requiring them to manually update their systems. The key benefit is that all threats are noticed and responded to faster or automatically. This is particularly important with the increased use of BYODs.
Endpoint security solutions continuously monitor the files, applications, processes, and system activities within a network, looking for any malicious signs and indicators of compromise, and can be easily integrated into a company’s environment.
Restrict access to data and apps
Introduce access controls to help secure healthcare data by limiting access to patient information and apps to only those who need it to do their jobs. User authentication ensures that only authorized users may access protected data. Multi-factor authentication is advised, requiring users to authenticate their identity in two or more ways, such as a token, a mobile phone, a SIM card, a USB stick, a key fob, an ID card, or a biological factor, such as face or voice recognition, fingerprint, DNA, handwriting, or retina scan.
Understand and mitigate the IoT devices’ risks
Mobile gadgets now mean way more than just mobile phones and tablets, as linked gadgets come in various shapes and sizes thanks to the Internet of Things (IoT).
In the healthcare industry, anything from medical gadgets like blood pressure monitors to security cameras may be connected to the network and, therefore, become a threat if not properly mitigated.
Healthcare organizations must therefore understand how IoT devices can put their patients, employees and systems at risk. The aim is not only to secure the data and maintain information integrity but also to prevent operational downtime, which can cost not only time but, in extreme cases, also lives.
Understand the importance of prevention
Proactive prevention is just as essential as having an audit trail to assist in determining the cause of an incident. Inadequacies in vendor and business partner security may be identified by frequent risk assessments. With regular risk assessments, healthcare providers and their business partners may better prevent expensive data breaches and the numerous negative consequences that come with them, such as reputational harm and regulatory fines.
Back up your data properly
Consider the effect of ransomware on data integrity and availability. Not having data backed up when an emergency occurs may be devastating. For this reason, it is advised to perform periodic offsite data backups with rigorous encryption and access restrictions.
By doing this, organizations that do fall victim to cyberattacks will also be able to resume operations faster. In the healthcare industry, this is vital, as it means medical professionals can access patient records, resume treatment and reduce delays.
Complex technologies make use of machine learning to not only build a database of suspicious behaviors that currently exist but also to identify new ones as they emerge.
Heimdal™ Threat Prevention and its DarkLayer Guard™ & VectorN Detection technologies can help you to stay safe. Our unique technology is divided into two modules: the Network module and the Endpoint module, which may be used alone or in conjunction with one another.
By implementing the appropriate plan and using cutting-edge technologies to support it, you can avoid threats and you may be certain that the Heimdal Security suite of solutions is available to you whenever you need it.
Contact us at firstname.lastname@example.org and find out which of our products are right for your organization.