Despite their limited resources, smaller clinics and doctor's offices must ramp up efforts to safeguard their information systems or risk becoming potential gateways to breaches at larger healthcare organizations, says Michael Kaiser, executive director of the National Cyber Security Alliance.
The most common mistake many smaller healthcare provider organizations make is thinking "they are too small to be attacked," Kaiser says in an interview with Information Security Media Group. "Small operations in this space need to understand two things: One, that they have incredibly valuable information ... about a lot of people. Two, it's possible that they can be used as a gateway to other organizations."
Kaiser further explains: "If I can steal the email credentials of a doctor in the practice, I can use those credentials to access his or her email - and then create an email that can be sent to a larger organization. And because it looks like it comes from a legitimate doctor, [the attackers] are using the [doctor's] name to start a phishing attack ... to hack into a larger organization."
Spear-phishing attacks have been implicated in some of the largest healthcare sector breaches over the last year, including the hacker attack that targeted health insurer Anthem Inc., which affected about 79 million individuals.
Unfortunately, when some smaller healthcare providers hear about healthcare sector cyberattacks, they become overwhelmed, and that leads to "paralysis" in terms of taking appropriate action to protect their data and systems, Kaiser says.
He suggests that smaller healthcare providers use the National Institute of Standards and Technology's Cybersecurity Framework to get educated on how to start bolstering their security strategy.
Smaller organizations need to carefully assess "the most vital assets they have online that need to be protected," he says. That includes having a clear understanding of where all patient data resides and of the steps being taken to protect and limit access to that data, he notes.
In the interview, Kaiser also discusses:
- Healthcare sector cybersecurity trends in the year ahead;
- How the healthcare sector stacks up to other industries in its level of maturity for dealing with evolving cyberthreats;
- Security and privacy risks posed by the Internet of Things, including consumer wearable health devices.
Kaiser joined the National Cyber Security Alliance, a not-for-profit organization that focuses on cybersecurity awareness and educational efforts, in 2008. As NCSA's executive director, he leads NCSA's key outreach and awareness campaign, National Cyber Security Awareness Month. Kaiser also serves on the Department of Commerce's NTIA Online Safety Technology Working Group. Before joining NCSA, Kaiser spent 25 years in the field of victims' services and rights at such organizations as the National Center for Victims of Crime in Washington and Safe Horizon in New York.