Are there Holes in Healthcare Cybersecurity?

October is Cybersecurity Awareness Month

What draws ten times more money on the black market than personal information stolen from credit cards? Healthcare records. It’s no surprise then that 41% of cybersecurity breaches were targeted towards the healthcare industry last year. Broken down, the data shows that healthcare organizations suffered a disproportionate 32,000 attacks per day per organization. This is compared to 14,300 per day per organization sustained by other industries, and makes healthcare the most vulnerable industry, with five times more total breaches than other industries.

The healthcare industry is the second biggest industry in the U.S., and as its professionals try to enhance patient care and navigate changing regulatory landscapes, healthcare cybersecurity is often relegated to the back burner. What makes this situation particularly disturbing is that the healthcare industry has the most to lose from these types of attacks; in addition to the monetary losses, cyber attacks targeting medical devices can become a real matter of life and death.

This issue is further compounded by the fact that the average healthcare cybersecurity budget is only about half that of other industries, and employees may be motivated by money to share sensitive information. A recent Accenture study revealed that “18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000.”

What’s at Risk?

These attacks threaten patients’ identities and financial well-being – and they can also affect their health. In 2016, hackers targeted the large Maryland-based healthcare system, MedStar Health, with ransomware. MedStar had to shut off its email and patient record database. Even more ominous, it couldn’t provide radiation treatments to patients for several days, a potentially life-threatening situation.

Criminals can access other IoMT (Internet of Medical Things) devices connected to a network, including medical lasers, X-ray and MRI machines, ventilators, pacemakers, electric wheelchairs and other critical equipment. Since these devices are comprised of various parts and software from a number of different companies that may not focus on security, they are especially at risk. Hackers can even target specific individuals, as was the case of former U.S. VP Dick Cheney, who received threats warning of an attack on his pacemaker. His doctors had to disable the device.

How Are Criminals Breaching the Networks?

Many hackers use emails to access healthcare networks:

  • Ransomware is delivered through emails, accesses other computers through the network and blocks access to data until the ransom is paid.
  • Malicious URLs also arrive through email and look as if they were sent by reputable companies. They either download malware or gather sensitive information when selected.
  • Malicious attachments can also come through email and look convincing. They can send malware or other macros that install viruses, record keystrokes or even provide remote access to computers and networks.
  • Business emails can be used for a type of targeted “spear-phishing” known as “whaling” to create emails that appear to have come from within the organization or another trusted sender. Hackers will send an email to someone with access to money or sensitive information posing as their boss or a higher-level colleague. They’ll prep with a personal email first (with information gleaned online) and then request an action with a sense of immediacy.
  • An internal threat can be intentionally malicious or just imprudent. An employee bent on doing wrong can wreak havoc by hacking into the network. Or, an innocent insider may mistakenly send sensitive information to the wrong person, fail to encrypt it, neglect to properly log out of an accessible computer or even browse an unprotected website.
  • According to the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted in May 2016, 90% of healthcare organizations weathered a data breach in 2016 and only 50% were from a coordinated attack, so it can be safely surmised that many came from careless mistakes.

Smart Healthcare Cybersecurity Solutions

To counteract these threats, those in the healthcare industry can take several steps. By viewing every identity as they would a physical security perimeter, they can focus on validating every access request on every device, verifying the identity of every user and limiting access and privilege. On the network front, healthcare organizations must secure their networks and extend this to the cloud. Any sensitive information that is sent must also be encrypted. Additionally, organizations can implement machine learning to monitor user behavior patterns and spot anomalies that reveal hacker behavior.

Healthcare organizations must also move faster and provide more thorough software patches and updates. They can deploy threat intelligence and automation as well as offer critical cyber-awareness training to employees to help them manage email, social media and other entry points.

If you’re a healthcare professional and would like to learn about how to better secure your data, you can read more here.


Make the Most of OSHA’s Safe + Sound Week

This week is “Safe + Sound Week,” a nationwide awareness campaign created by OSHA. The comprehensive program, dedicated to keeping U.S. companies, employees and the public safe, is both important and enlightening.

Running from Monday through Sunday, this week focuses on raising awareness and understanding of the value of safety and health programs which affect everything from management leadership to worker participation to finding and fixing workplace hazards.

Why Should You Participate?

You know that workplace injuries and illnesses directly impact employers’ bottom line. But are you aware that in addition to social costs, U.S. employers pay almost $1 billion per week for workers’ compensation costs? This number includes direct costs like workers’ compensation payments, medical expenses and legal services payments—and indirect costs like training replacement employees, investigating accidents and deploying corrective measures, as well as lost productivity, damaged equipment and property repairs, and the additional costs that come with lower employee morale and absenteeism.

A safe business is a strong business.

How Do I Get Started?

Even though you’re part of the way through the week, you can still take advantage of this time to focus on safety and health habits.

On the OSHA website, you’ll find well-defined activities that make a real and lasting impact on your organization. Whether you want to host an employee-only event or include customers as well, there are a number of brief and productive activities that accomplish the week’s objectives. You’ll also earn a certificate and web badge that recognize your efforts and promote good adherence to these practices all year long.

OSHA identifies three core elements on which to focus: management leadership, worker participation and finding and fixing hazards.

Management Leadership:

Your dedication to safety and health should be clear at the highest levels of your organization. Start by establishing core values around safety and health and creating related goals. Then offer resources and make sure to always practice safe behaviors. Your actions at the top will drive the entire organization’s actions. Owners, executives, managers, supervisors and other leaders can make a big difference in their company’s cultures and systems. OSHA provides some real actionable checklists and smart ways to accomplish this.

Worker Participation:

Employees are the lifeblood of any business, and they must adhere to and be proponents of a safe and healthy work environment. To this end, they can set, implement, evaluate and enhance safety and health programs already in place, as well as offer recommendations where they feel there is a need for additional support. Employees should feel free to alert their superiors to perceived hazards as well. Since they’re the experts that work closely with the equipment and tools, they’re an invaluable resource for potential safety and health issues. OSHA provides some solid strategies to enhance and encourage worker safety and health practices too.

A systematic approach to finding and fixing hazards:

With a proactive, consistent effort, organizations can find and manage sources of potential injuries or illnesses. Whether you’re collecting and reviewing information about known or potential hazards in the workplace, determining the causes of hazards, or setting hazard controls, it’s essential to make this an ongoing program. OSHA recommends these tools to maintain the practice.

Safe + Sound = Smart

Whether you implement one or 100 of these ideas, you’ll be making your organization that much safer and smarter. After you’ve completed your events, you can download a certificate and web badge to recognize your organization and your workers. If you haven’t already, we encourage you to start today.



Using Technology to Prevent Violence in Schools and Hospitals

Our last post examined the high incidence of workplace violence in the healthcare and educational sectors. Since healthcare professionals work with a large, shifting population prone to a high rate of volatility, and educators often fall prey to students’ acts of violence, both are at a higher risk than the general population. If there is an incident, time is of the essence, and clear communication is key. So what are the best ways to protect these important public servants?

Protecting our Healthcare Facilities

While education and training are critical components of a sound security plan, technology is playing an increasingly important role. The strongest security strategies incorporate a holistic approach, including education and training regarding early warning signs of danger, smart security policies, regular drills, and the effective use of technology.

Healthcare facilities have adopted several important technological solutions to prevent, respond to, and mitigate acts of violence:

  • Leveraging Software: Many hospitals flag incoming patients exhibiting a past history of violence by including a security risk code in their electronic medical record, or EMR.
  • Access Control: Healthcare facilities apply locks, alarms, and sensors to doors and windows; many can be monitored remotely to prevent violent outbreaks.
  • Metal Detectors and X-Ray Machines: These tools ferret out potential issues and deter both visitors and patients from bringing weapons.
  • Panic Buttons: Since 82% of physical violence occurs in a patient’s room, these are one of the most effective tools, per the Emergency Nurses Association (ENA). Panic buttons can be embedded into a wearable device or located in the patient’s room for added protection.
  • Networked Video Security Systems: These can be remotely monitored to help keep an eye on important areas; they’re connected to first responders for a fast response.

Protecting our Schools

Many U.S. schools employ a holistic approach to prevent, respond to, and mitigate acts of violence. Their strategy includes a positive school climate, smart emergency response plans and policies, regular drills, and overall situational awareness, in addition to school security systems that incorporate new technology.

Recently, the RAND Corporation and Johns Hopkins University undertook separate comprehensive studies to track the types of security technology being used by schools, as well as to provide recommendations on how to leverage them more effectively. Here are the recommended strategies:

  • Access Control Technology: Door locks, alarms, and sensors can be tracked remotely, and instantly alert a centralized controller to a security issue.
  • Sensors: Gunshot-detection sensors are networked to reach first responders and school administrations.
  • Panic Buttons: Even ID cards can be equipped with panic buttons so that they’re mobile.
  • Good Lighting: All areas must be well lit to deter crime and illuminate perpetrators.
  • Communications Tools:
    • Anonymous Tip Lines: These programs can receive tips from various media channels, both online and offline.
    • Digital Floor Plans: Layouts on map-like grids help first responders navigate an unfamiliar scene quickly.
    • Mobile Apps and Platforms for Real-time Response Management: These include SOS buttons, video capabilities, and staff communication tools to contact first responders in seconds instead of minutes.
    • Portals: These centralized sites are smart educational resources, with state and federal laws, prevention tips, incident response information, training sessions, and violence alerts.
      • National Open-source Database: New York’s John Jay College of Criminal Justice built an open-source national database to track K-12 school shootings.
      • Campus Shield: The brainchild of Miami-Dade Schools Police, this pilot program funnels social media feeds, attendance records, school incident reports, local crimes, and citizens’ tips to the district’s network of surveillance cameras, the school-visitor system, the gunshot-detection system, and a team of mental-health specialists.
  • Social Media Scanning Tools: IST vendor Verint collects, analyzes, and synthesizes intelligence from social media as well as other internet platforms to identify possible threats that can then be addressed proactively.
  • Security Software: One type of software application development provides instant background checks of visitors.
  • Weapons Detection: X-ray machines and metal detectors can identify weapons and also deter their use.

Interested in learning more? IST is on the cutting edge of using technology to prevent violence in schools and hospitals, and we can provide a variety of effective tools for any industry. Contact us here.

Should You Be Worried About Workplace Violence?

Part of a series for National Safety Month

Did you know that almost two million people were victims of workplace violence in the past year? That’s more than one in four workers each year, to the tune of over $121 billion in lost revenue. According to OSHA, homicide, the most drastic, is the third leading cause of workplace deaths in the U.S. These numbers are troubling, but when you recognize that many companies under-report non-fatal injuries and illnesses, they become even more so.

A recent Washington State study found that many incidents go unreported due to a lack of awareness by the company, a lack of communication within, or even a lack of incentive to report. Employees often don’t raise their hands because they don’t fully understand what constitutes violence or they fear retribution, and company executives are sometimes put off by the time-consuming Survey of Occupational Injury and Illness (SOII) reports they’d need to complete. So this begs the question:  How many more incidents actually occurred? Sadly, we don’t know.

Workplace violence can be defined in two ways. The first is more commonly recognized since it’s frequently covered by the media: A disgruntled customer or employee takes a firearm and shoots people at a place of work. In actuality, the more common transgressions fall under OSHA’s definition of “any act or threat of physical violence, harassment, intimidation or other threatening disruptive behavior that occurs at the work sites. It ranges from threats and verbal abuse to physical assaults and even homicide.” (Source: Workplace Violence Research Institute) 

Workplace Violence in Healthcare Settings:  Be Aware in Healthcare

After law enforcement, healthcare professionals are most at risk since they come into contact with a high volume of patients in unstable situations. In fact, they’re almost twice as likely as those in the private sector to be a victim of workplace violence (OSHA). Healthcare and social assistance professionals comprise 12% of our workforce, yet experience 75% of workplace violence incidents. Manufacturers and construction area workers also clock in higher than the U.S. average.

Here are some more facts:

  • A full 80% of EMS personnel have been maliciously attacked by patients.
  • Homicide is the second biggest threat to home healthcare professionals.
  • Within the past year, 78% of ER physicians and 100% of ER nurses experienced violence at the hands of their patients.
  • Between 2000 and 2011, American hospitals had 154 shootings.

(Source:  Ravemobilesafety)

School Violence Prevention: Dangerous Lessons

The workplace that attracts the most media attention is schools. Aside from the terrifying rash of school shootings, faculty grapples with violence on a daily basis. Approximately 44% of teachers report being physically attacked at school each year. In fact, 80% of teachers recounted at least one experience in the current or past year, and 94% of these were perpetrated by students. Cost estimates to teachers, parents, and taxpayers come in at $2 billion annually.

How to Prevent Workplace Violence

So is your workplace at risk? OSHA identified these risk factors:

  • Do you have contact with the public?
  • Is there an exchange of money?
  • Do you deliver passengers, goods, or services?
  • Do you have a mobile workplace like a taxicab or police cruiser?
  • Do you work with unstable or volatile persons in health care, social services, or criminal justice settings?
  • Do you work alone or in small numbers?
  • Do you work late at night or during early morning hours?
  • Do you work in high-crime areas?
  • Do you guard valuable property or possessions?
  • Do you work in community-based settings?

Here are some OSHA-recommended deterrents:

  • Physical barriers like bullet-resistant enclosures or shields, pass-through windows, or deep service counters
  • Alarm systems, panic buttons, global positioning systems (GPS), and radios (“open mike switch”)
  • Convex mirrors, elevated vantage points, clear visibility of service and cash register areas
  • Bright and effective lighting
  • Adequate staffing
  • Arranging your furniture to prevent entrapment
  • Cash-handling controls, use of drop safes
  • Height markers on exit doors
  • Emergency procedures to use in case of robbery
  • Training in identifying hazardous situations and appropriate responses in emergencies
  • Video surveillance equipment, in-car surveillance cameras, and closed circuit TV
  • Establishing liaisons with local police

(Source: OSHA)

How Do We Fix This?

Education is critical when you’re deciding how to prevent workplace violence. If employees fully understand the OSHA definitions of workplace violence, they’re more likely to recognize and report incidents. Employers have the responsibility to provide a safe environment, through prevention and through alerting the authorities. Every company should have an emergency action plan and be prepared to implement it with the help of local law enforcement. Employers must track and report incidents correctly and adopt a zero-tolerance policy towards workplace violence. For every dollar invested in preventing workplace violence, $3 or more is saved.

And finally, remember that even when you’re not working, you’re often visiting another’s workplace. So always be on the alert.

In our next post in this series, we’ll explore how to use technology to prevent incidents like these in hospitals and schools.