There’s a global trend to enact laws compelling organisations to own up when data they possess is compromised by a cyberattack.
Under Australia’s Notifiable Data Breaches scheme, which came into effect in February, applicable healthcare providers must notify the public and the Office of the Australian Information Commissioner if they experience a data breach that is likely to result in serious harm to any individuals whose personal information is involved in the breach.
Similarly, starting 25 May 2018, healthcare organisations may need to comply with the General Data Protection Regulation, or GDPR, if they have an establishment in the European Union, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
Healthcare is one of the most vulnerable industries when it comes to cybersecurity. Patients' health and even their lives can depend on the security and accessibility of their health records.
A HIMSS Analytics study in December last year commissioned by Mimecast found that US healthcare providers overwhelmingly rank email as the number one source of a potential data breach. Compounding the concern is that 77 per cent of those surveyed use email to send private healthcare information.
According to the research, almost 30 per cent of the respondents said they use email for provider-to-provider communication, while 14 per cent use email for patient bills, including insurance, and a slightly smaller percentage use email to schedule appointments.
Emails can contain data that could potentially identify patients. If data is compromised, it can leave patients open to identity theft, fraud and other malicious activities.
Stolen emails aren't the only worry for healthcare companies. Emails can also be a pathway for cybercriminals into a business’s critical systems. The HIMSS Analytics study found that an alarming 78 per cent of healthcare companies surveyed had experienced a malware or ransomware attack in the previous 12 months.
Ransomware is particularly nasty for healthcare organisations, which depend heavily on email. According to 93 per cent of respondents, email is mission critical, while almost half claimed their organisation can’t afford any email downtime.
Another common tactic of cybercriminals is phishing, which can allow attackers to gain access to sensitive systems within organisations.
A variation on the theme is the impersonation attack, in which hackers use social engineering to pose as someone the user trusts, such as the CEO or CFO of the organisation, and trick the user into divulging bank account data, employee personnel details, customer information or credit card numbers.
The global rise in email attacks, coupled with the introduction of mandatory breach notification schemes, adds up to a situation in which healthcare organisations can’t ignore cyber – and email – security.
All organisations now need a strategy of cyber resilience for email. This includes taking stock of where patient information is held and breaking down the silos in respective departments that hold client data. Once IT teams understand where data is located, they are able to create strategies to protect it.
Cyber resilience also means conducting threat dress rehearsals in which all the teams, including IT, security, clinical, marketing and administration, come together to practise what would happen in the event of a data breach.
Staff also need to be trained and constantly reminded about good cyber-hygiene. Topics such as identifying malicious emails and not sharing personal data via email all need to be emphasised.
A strong email management policy also needs to pre-emptively examine, vet and quarantine emails with malicious content, links or attachments. By doing this, healthcare organisations can take the risk out of email and ensure that it remains the tool they need to conduct business with patients, agencies and other healthcare providers.
The introduction of data breach laws means that securing email is something that every healthcare organisation needs to make a centrepiece of their cybersecurity strategies. By doing so, they will protect their clients, patients and themselves against compromise, and avoid suffering a data breach and its costly consequences in both financial terms and to their reputation.
Garrett O’Hara is a Principal Technical Consultant for Mimecast.