To address the growing rate of cyberattacks against the healthcare industry, HHS released a 30-plus page report outlining best practices hospitals can use to protect patient data.
Nearly 5.6 million patient records were breached in 477 incidents during 2017, up from 450 incidents during 2016, according to a report from cybersecurity firm Protenus. Healthcare organizations attributed the majority of those incidents (52 percent) to hacking attempts; others were rooted in loss of records (4 percent) or unknown causes (7 percent).
HHS convened a public-private task group of healthcare and cybersecurity experts in May 2017 to discuss these issues, with the ultimate goal of releasing voluntary guidelines to help hospitals and clinics mitigate the most common cybersecurity threats facing the healthcare and public health sectors.
"Like combatting a deadly virus, cybersecurity requires mobilization and coordination of resources across myriad public and private stakeholders," the report reads, calling out the role hospitals, IT vendors and governments play in mitigating the risk of cyberattacks. "Cybersecurity must be the responsibility of every healthcare professional, from data entry specialists to physicians to board members."
Here are five of the most common threats facing hospitals and clinics today, as outlined in the report:
1. Email phishing.
"Email phishing is an attempt to trick you, a colleague or someone else in the workplace into giving out information using email," the report reads. "The email appears to come from a legitimate source, such as a friend, coworker, manager, company or even the user's own email address. Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer."
2. Ransomware.
"Ransomware is a type of malware distinct from other malware; its defining characteristic is that it attempts to deny access to a user's data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid," according to the report. "Paying a ransom does not guarantee that the hacker will unencrypt or unlock the stolen or locked data."
3. Loss or theft of equipment or data.
"Every day, mobile devices such as laptops, tablets, smartphones and USB/thumb drives are lost or stolen, and they end up in the hands of hackers," the report reads. "In cases where the lost device was not appropriately safeguarded or password protected, the loss may result in unauthorized or illegal access, dissemination and use of sensitive data."
4. Insider, accidental or intentional data loss.
"There are two types of insider threats: accidental and intentional. An accidental insider threat is unintentional loss caused by honest mistakes, like being tricked, procedural errors or a degree of negligence," the report reads. "An intentional insider threat is malicious loss or theft caused by an employee ... with an objective of personal gain or inflicting harm to the organization or another individual."
5. Attacks against connected medical devices.
Internet-connected medical devices — such as heart monitors — pose a growing concern for patient safety, according to the report. A medical-device malfunction during a cyberattack could disrupt patient treatment or recovery, or even lead to "broad hospital operational impact due to unavailable medical devices and systems."
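The phishing pattern quoted under item 1 (a message that appears to come from a trusted source and carries a link to a site that is not what it claims to be) is something a mail gateway or SOC triage script can check for mechanically. The following is an added example, not code from the HHS report or this article: it parses a raw message with Python's standard library and flags three of the signals the report describes, a Reply-To that routes answers elsewhere, a sender domain that imitates the recipient's organisation, and link text that shows one host while the href points at another. The two sample messages, the mercygeneral.example domains, the lookalike heuristic and the two-signal threshold are all constructed assumptions, and the last-two-labels domain comparison is a simplification of what a public-suffix-list check would do.

```python
"""Triage of the phishing signals described above: an added example, not code from
the HHS report or this article. Sample messages, domains and heuristics are
constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender domain, replies to a third domain, and
# link text showing the real mail host while the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Mercy General IT Helpdesk" <helpdesk@mercygeneral-support.example>
Reply-To: recovery@mailbox-reset.example
To: nurse@mercygeneral.example
Subject: Action required: your mailbox will be suspended
Content-Type: text/html

<p>Your password expires today. Sign in at
<a href="http://mailbox-reset.example/login">https://mail.mercygeneral.example</a>
to keep access.</p>
"""

# Constructed benign message: everything stays on the hospital's own domain.
BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@mercygeneral.example>
To: nurse@mercygeneral.example
Subject: Scheduled maintenance Saturday
Content-Type: text/html

<p>Details are on <a href="https://intranet.mercygeneral.example/maint">the intranet</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Last two labels of the host in an address, URL or bare hostname."""
    # Simplification: production code would use the public suffix list here.
    if "@" in value:
        host = value.rsplit("@", 1)[1]
    elif "://" in value:
        host = urlparse(value).hostname or ""
    else:
        host = value
    return ".".join(host.lower().strip(".").split(".")[-2:])


def phishing_signals(raw):
    """Return [(signal_name, detail), ...] for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, to_domain = domain_of(from_addr), domain_of(to_addr)
    signals = []

    # Replies are routed to a domain other than the one the mail claims to be from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        signals.append(("reply_to_mismatch", f"{from_domain} -> {domain_of(reply_addr)}"))

    # Sender is external, but its domain embeds the recipient's organisation label.
    org = to_domain.split(".")[0]
    if org and from_domain != to_domain and org in from_domain:
        signals.append(("lookalike_sender_domain", f"{from_domain} imitates {to_domain}"))

    # Link text that looks like a URL or hostname but resolves to another domain.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        looks_like_url = ("://" in text or "." in text) and " " not in text
        if href and looks_like_url and domain_of(text) != domain_of(href):
            signals.append(("link_text_mismatch", f"{text} -> {href}"))
    return signals


def is_suspicious(raw, min_signals=2):
    """Two or more independent signals trip the triage threshold."""
    return len(phishing_signals(raw)) >= min_signals
```

Running `phishing_signals(SAMPLE_EMAIL)` returns all three signals, while the benign message returns none. These checks complement rather than replace SPF, DKIM and DMARC evaluation and link sandboxing: a message whose headers, sender domain and links are all internally consistent trips none of them, which is exactly the case a compromised legitimate account produces.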
The full report also sets out guidelines for avoiding each of these types of cybersecurity incidents.