Cybersecurity Hygiene for the Healthcare Industry

Hospitals and the healthcare community as a whole have become the most common and lucrative target for cyber-attack. Many breaches are targeted and sophisticated while others are surprisingly random and simple. The Internet of Things has increased the attack surface with a host of new vulnerabilities and an alarming number of organizations lack even the most basic cybersecurity hygiene, yet everyone is surprised when there is a breach and sensitive information is exfiltrated. Bad actors come in all forms with a multitude of methods, motivations and exploits but virtually all of them start with a phishing attack. All it takes is one click on a malicious link and an entire organization can be infected. The initial goal of a hacker is to obtain legitimate admin credentials then move laterally throughout a network escalating the level of privileges for access. Exfiltration of sensitive information and injecting falsified content are easy with the right access. Strangely, the health sector as a whole offers virtually zero training on social engineering or even basic standards for a cybersecurity-centric organizational culture. Continuous education on the latest exploits and techniques used by hackers is a mandatory prerequisite to initiating an environment conducive to security. Regularly patching vulnerabilities in applications used industry wide are crucial as vulnerabilities lead to exploit kits designed to infiltrate and corrupt distracted organizations. The most organized risks to the health sector in the United States come from State Sponsored and Hacker for Hire groups, primarily out of China. Platforms such as Elderwood offer a plethora of new Zero Days to organizations such as Deep Panda, Axiom and Hidden Lynx etc. whose sole purpose is to breach networks, exfiltrate data and corrupt critical infrastructure networks. The intention of this series is to introduce the basics in both Healthcare Informatics and Cybersecurity as a proper comprehension of both is the first step to a more secure environment. Cybersecurity should be part of the curriculum for students studying healthcare informatics and healthcare as a whole but sadly Academia has yet to catch up with the fast paced initiatives of hackers. True patient health record privacy and network security can only be realized if hospitals and the health sector take an aggressive and blatant approach to a cybersecurity-centric culture with continuous attention to proper cybersecurity hygiene.