Systems Thinking on a National Level, Part 2
Drew Davidson, Eric Sinclair Banyon, Shady Navarro, Shalamar Santana, Ziomara Pagan, & Stephanie Jean Coute
MHA/505
February 11, 2019
Rachael Kehoe
Running head: SYSTEMS THINKING ON A NATIONAL LEVEL, PART 2

Systems Thinking on a National Level, Part 2
Cybersecurity breaches in the healthcare industry pose a significant threat to those organizations. According to Gordon et al. (2017), a breach not only exposes patient information but can also damage the organization's credibility. When an organization's credibility is called into question because of a breach, it may lose patients who fear their information is not being adequately protected. In healthcare it is crucial that we understand the impact of these breaches. Most major hospitals in the United States now use electronic medical records (EMR), and many attackers use phishing to get past hospital security by tricking staff members into disclosing sensitive and personal information (Winder, 2014). The following discusses the ways cybersecurity breaches happen in the healthcare industry and ways to prevent them in the future.
Cyber Security Breach Diagram
Malicious and Non-Malicious
Cybersecurity breaches in healthcare can happen in several different ways, and each can be classified as malicious or non-malicious. A malicious breach occurs when an individual or group deliberately attacks a system or gains unauthorized access to members' personally identifiable information (PII). Unauthorized access to protected healthcare systems, such as hacking, is malicious behavior, as are holding a system for ransom and stealing private information (Katz, 2018). Manually penetrating a system and disabling its defenses, or installing malicious software, are other forms of malicious behavior. Hacking is malicious by definition, but the fact that a system has been hacked does not necessarily mean that any personal information was compromised. A non-malicious breach is not done intentionally, yet it can cause just as many problems as a malicious one. Data that is unintentionally left exposed to unauthorized access is a non-malicious breach, and such breaches in healthcare are often the result of employee error or negligence. In the diagram, malicious behavior makes up a portion of the inflow of cybersecurity breaches and non-malicious behavior makes up a portion of the outflow of a breach.
Eavesdropping
As a group, we have identified a multitude of cybersecurity breaches that are growing concerns among healthcare providers and the companies that offer services to the community. Another of these concerns is eavesdropping. As the industry increasingly communicates patients' private information electronically, eavesdropping is one of the breaches that demands heightened awareness: the more information is transmitted across networks, the greater the threat of it falling into the hands of criminals. According to ECPI University (2019), the term 'eavesdropping' refers to the interception of communication between two parties by a malicious third party, and since the beginning of the digital age it has come to hold great significance in cybersecurity. Wireless services, smartphones and handheld computers that carry patient data must be protected, and encryption of the data these devices store and transmit is by far the most critical protection for consumer information wherever such communication takes place. If a device cannot encrypt the data it handles, it should not be used for that communication. Eavesdropping touches every area of cybersecurity: it can reach into any part of an organization's communications and wreak havoc. It is essential that we understand what eavesdropping can do to an organization and provide the tools needed to combat it, and that individuals and organizations obtain the education and training required to protect consumers' personal information.
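The "encryption" this section calls for is, in practice, transport encryption (TLS), and the most common way it is defeated is not broken cryptography but an application that switches certificate verification off to silence an error. The following is an added example, not code from this paper or from any source it cites: a hardened client TLS configuration for a connection that will carry PHI, the weak configuration a code reviewer should flag, and a small audit function that reports the settings which would let a third party read the session. The function names are ours.

```python
import ssl


def make_phi_transport_context() -> ssl.SSLContext:
    """Client-side TLS settings for a connection that will carry PHI.

    create_default_context() loads the platform trust store and turns on
    certificate and hostname verification; pinning the floor to TLS 1.2
    additionally refuses a downgrade to TLS 1.0/1.1.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The anti-pattern to hunt for in code review.

    Verification is switched off, usually to make a certificate error go
    away, so an on-path attacker can present any certificate and read the
    session: encryption is still negotiated, but with the eavesdropper.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the settings that would let a third party read the traffic."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", make_phi_transport_context()),
                       ("weak", make_weak_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
```

The audit function is the useful part for a healthcare organization: run it (or the equivalent grep for `CERT_NONE` and `check_hostname = False`) against the code of every integration that moves PHI, because each such line converts "encrypted" traffic into traffic an eavesdropper on the path can read.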
SQL Injection Attacks
Eavesdropping is not the only problem; healthcare organizations also have to deal with SQL injection attacks. Eavesdropping and the other forms of attack cannot be ignored, but SQL injection can cut deeper and cause an organization to lose credibility. A SQL injection attack targets the code an organization's applications use to talk to their databases, and in a healthcare system the application code and the database go together like peanut butter and jelly: you rarely have one without the other. When input from a user is pasted directly into a database query, an attacker can supply input that changes the meaning of the query and reach deep into the database to retrieve personal information such as phone numbers, addresses and financial details. If the wrong individual obtains that information, the organization faces liability that is hard to recover from. This type of attack reaches the heart of the administrative side of the organization, where some of the most critical patient information is housed, and a single query can expose many parts of a patient's record. Imagine the attack happening at a large hospital, with the thieves able to read and then completely wipe the database; that is not a situation anyone would want to be part of sorting out. These attacks are why it is essential for employees to be careful when handling patient information: protecting passwords, not opening phishing emails, not violating HIPAA rules, and not leaving data exposed are all vital. This type of attack typically arrives through a company website.

All in all, educating staff on how to spot these threats and eliminating or minimizing vulnerabilities goes a long way. This attack, like the others mentioned, will always be a part of our lives, but being prepared to combat these threats can make the difference between the success and failure of any organization.
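The mechanism of the attack is easier to see in code than in prose. The following is an added example, not code from this paper or from any source it cites: a constructed patient-lookup table in an in-memory SQLite database, a lookup written the vulnerable way (user input pasted into the SQL text) beside the same lookup written with a bound parameter, and the classic tautology payload run through both. The table, rows and function names are assumptions for the example.

```python
import sqlite3

# Constructed sample data; not real patients.
SAMPLE_ROWS = [
    ("MRN-001", "Ada Lovelace", "555-0101"),
    ("MRN-002", "Grace Hopper", "555-0102"),
    ("MRN-003", "Alan Turing", "555-0103"),
]


def open_db() -> sqlite3.Connection:
    """Build the throwaway database the two lookups below are run against."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, phone TEXT)")
    db.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def lookup_vulnerable(db: sqlite3.Connection, mrn: str) -> list:
    """VULNERABLE: the caller's string becomes part of the SQL itself."""
    query = "SELECT mrn, name, phone FROM patients WHERE mrn = '%s'" % mrn
    return db.execute(query).fetchall()


def lookup_safe(db: sqlite3.Connection, mrn: str) -> list:
    """Parameterised: the driver sends the value separately from the SQL,
    so whatever the caller typed can only ever be compared, never executed."""
    return db.execute(
        "SELECT mrn, name, phone FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


# The payload a web form attacker types into the "MRN" field. In the
# vulnerable function it turns the WHERE clause into
#   WHERE mrn = '' OR '1'='1'
# which is true for every row in the table.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # every patient leaks
    print("safe:      ", lookup_safe(db, PAYLOAD))         # no such MRN, nothing returned
    print("normal:    ", lookup_safe(db, "MRN-002"))       # legitimate use still works
```

Note that the safe version is not a filter or a "sanitizer": it does not try to recognise bad input at all. The value is handed to the database as data, which is why parameterised queries close this class of attack completely, whereas input filtering leaves the guessing game of which characters are dangerous to the developer.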
HIPAA
Gaps in HIPAA itself are an internal source of threat to healthcare information security. The goals of data security are to allow access to healthcare information only to authorized individuals, only when it is needed, and to ensure that what is retrieved is accurate for use (Donald & Berwick, 2018). HIPAA has several gaps that should be addressed. First, the Privacy Rule should apply to all healthcare entities, not only to covered entities; that is, compliance must be made mandatory across the board. Second, the Security Rule should cover not only electronically stored data but paper records as well. Lastly, not all covered entities have fully complied with HIPAA requirements, which is an even more serious threat to information. Unless these gaps are addressed, insecurity will remain a problem.
Data Loss
As an industry, healthcare institutions need to implement strategies that prevent data loss while ensuring the privacy and security of information. Data loss can be prevented by configuring solutions designed to protect sensitive data (Abouelmehdi et al., 2018). That data includes electronic medical records, protected health information (PHI) and other records that must not be accessed or misused in any way by unauthorized users (Abouelmehdi et al., 2018). Data loss prevention (DLP) tools monitor endpoints, streams of network data and cloud services for sensitive content, and so protect data from loss to either an insider or an outsider.
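A DLP tool's core is a content-inspection rule applied to each message as it leaves. The following is an added example, not code from this paper or from any source it cites: a small outbound-mail policy that looks for PHI identifiers in the message body and blocks the message when it is headed outside the organization but only logs it when it stays internal. The identifier formats, the organization's domain and the sample messages are constructed for the example.

```python
import re

# Detection rules. The SSN, MRN and date-of-birth formats are assumptions
# about what an organisation would configure; a real deployment tunes these
# to its own identifier schemes.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6}\b"),
    "dob": re.compile(r"\bDOB:?\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}

INTERNAL_DOMAINS = frozenset({"hospital.example"})  # assumed organisation domain


def scan_message(body: str, recipient: str) -> dict:
    """Classify one outbound message the way a DLP policy would.

    PHI identifiers going to an external address are blocked; the same
    identifiers going to an internal address are allowed but logged, so the
    monitoring record still exists if an insider is investigated later.
    """
    hits = {name: pat.findall(body) for name, pat in PATTERNS.items()}
    hits = {name: found for name, found in hits.items() if found}
    domain = recipient.rsplit("@", 1)[-1].lower()
    external = domain not in INTERNAL_DOMAINS
    if hits and external:
        action = "block"
    elif hits:
        action = "log"
    else:
        action = "allow"
    return {"action": action, "external": external, "hits": hits}


# Constructed sample traffic, not real messages or patients.
SAMPLE_TRAFFIC = [
    ("nurse@hospital.example", "Pt MRN-123456 DOB 03/04/1960 needs follow-up labs"),
    ("friend@gmail.example", "can you look up ssn 123-45-6789 for me? thx"),
    ("billing@hospital.example", "Invoice 4471 attached, no patient data inside"),
]


def scan_traffic(traffic=SAMPLE_TRAFFIC) -> list:
    """Run the policy over a batch and return one verdict per message."""
    return [scan_message(body, rcpt)["action"] for rcpt, body in traffic]


if __name__ == "__main__":
    for (rcpt, body), verdict in zip(SAMPLE_TRAFFIC, scan_traffic()):
        print(f"{verdict:5s} -> {rcpt}: {body}")
```

The SSN pattern deliberately rejects area numbers 000, 666 and 9xx, group 00 and serial 0000, which are never issued; without those exclusions a rule like this floods the security team with false positives on invoice and order numbers, and the rule gets switched off.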
Phishing Emails
Phishing emails are one of the main ways attackers get into healthcare systems and obtain protected health information. In fact, ninety-three percent of breached data in the healthcare industry is attributed to phishing emails ("Perils of Healthcare Phishing and What You Can Do About It", 2019), and eighty-three percent of physicians report having experienced a cyberattack that began with a phishing email ("Perils of Healthcare Phishing and What You Can Do About It", 2019). Many of these attacks have caused a full day of clinical downtime. How do the attackers do it? A phishing email looks just like a safe email a staff member would receive from a trusted source ("Perils of Healthcare Phishing and What You Can Do About It", 2019). Phishing emails have led to one-hundred-and-fifteen-million-dollar lawsuits against healthcare facilities ("Most Common Phishing Emails Identified", 2019), which is more than most facilities take in as revenue in a year. A facility can expect at least sixteen phishing emails per staff member every thirty days ("Most Common Phishing Emails Identified", 2019). Training staff on the newest phishing trends at least quarterly is how organizations meet HIPAA's security awareness training requirement. The most common phishing lure in the healthcare industry is the fake payment notice. Healthcare in America has become so costly that attackers have caught on that nearly every provider has some account in arrears, so disguising malware as a payment, or as a message about a payment, is the easiest way in to protected health information ("Most Common Phishing Emails Identified", 2019).
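A "looks just like a trusted email" message still leaves fingerprints in its headers and attachments, and those are what mail-filtering rules key on. The following is an added example, not code from this paper or from any source it cites: an analyzer that parses a raw message and reports the indicators typical of the fake-payment lure described above (a display name that mentions the organization while the real sender is a lookalike domain, a Reply-To pointing somewhere else, payment wording in the subject, and a double-extension executable attachment). The organization's domain, the word lists and both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

TRUSTED_DOMAINS = {"hospital.example"}  # assumed: the organisation's own mail domain
LURE_WORDS = ("payment", "invoice", "overdue", "remittance", "past due", "account suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _squash(domain: str) -> str:
    # "hospital-example.com" -> "hospitalexamplecom": strip the punctuation
    # that lookalike registrations play with before comparing.
    return "".join(ch for ch in domain.lower() if ch.isalnum())


def analyse(raw: str) -> list:
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    flags = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    if sender_domain not in TRUSTED_DOMAINS:
        if any(t in display.lower() for t in TRUSTED_DOMAINS):
            flags.append(f"display name impersonates trusted domain: {display!r}")
        if any(_squash(t) in _squash(sender_domain) for t in TRUSTED_DOMAINS):
            flags.append(f"lookalike sender domain: {sender_domain}")

    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"Reply-To domain differs from sender: {reply_domain}")

    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in LURE_WORDS):
        flags.append(f"payment lure in subject: {msg.get('Subject')!r}")

    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            kind = "double-extension" if name.count(".") > 1 else "executable"
            flags.append(f"risky {kind} attachment: {name}")
    return flags


def verdict(flags: list) -> str:
    """Two or more independent indicators: hold the message for review."""
    return "quarantine" if len(flags) >= 2 else "deliver"


# Constructed sample messages; the boundary, addresses and body are made up.
SAMPLE_PHISH = """\
From: "Accounts Payable hospital.example" <billing@hospital-example.com>
Reply-To: collections@mail-hospital-example.com
To: clerk@hospital.example
Subject: URGENT: overdue payment - remittance attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your account is in default. Open the attached remittance to avoid suspension.
--b1
Content-Type: application/octet-stream; name="remittance.pdf.exe"
Content-Disposition: attachment; filename="remittance.pdf.exe"

AAAA
--b1--
"""

SAMPLE_BENIGN = """\
From: "Radiology Reading Room" <radiology@hospital.example>
To: clerk@hospital.example
Subject: Reading room schedule for Monday
Content-Type: text/plain

The schedule is on the shared drive.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_BENIGN):
        found = analyse(raw)
        print(verdict(found), found)
```

The same check on attachment names is the cheap half of the advice in the Viruses section below to never open unknown files: an attachment that ends in an executable extension behind a document-looking name never has a legitimate reason to arrive from a billing department.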
Data Exposure
The growth of technology in the healthcare industry has given many health organizations the ability to monitor their patients remotely through digital devices and electronic health records. Healthcare data is often collected and stored in a cloud-based system where providers can access a patient's data from anywhere in real time. However, the vast network of devices connected directly to each other to collect, process and share vital information has put many healthcare organizations at great risk of cybersecurity breaches. "Failed security has resulted in massive data breaches that have led to the loss or compromise of millions of personally identifiable healthcare records. Historically, the security of information systems, in general, has not been seriously considered in many instances until a breach has occurred" (Moganedi, 2018, p. 297). It is therefore important for healthcare companies to take measurable action to keep patient information out of the reach of unwanted users. Such measures include performing an annual HIPAA security risk analysis, implementing role-based permissions so that each employee can reach only the areas of the database their job requires, and requiring employees to change their passwords regularly.
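Role-based permission is the technical control in that list, and the part that is easy to get wrong is scoping: a nurse's role allows reading charts, but not the charts of patients on a unit the nurse does not work on. The following is an added example, not code from this paper or from any source it cites: an authorization check that combines role permissions with unit scoping (HIPAA's "minimum necessary" idea) and writes every decision, denials included, to an audit trail that can later be summarized per user. The roles, resources and policy are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed policy: role -> permitted (resource, action) pairs. Which
# resources exist and which roles may touch them are assumptions.
POLICY = {
    "nurse": {("chart", "read"), ("chart", "write"), ("vitals", "write")},
    "billing": {("demographics", "read"), ("claims", "read"), ("claims", "write")},
    "pharmacist": {("medications", "read"), ("medications", "write")},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    unit: str  # department the user is assigned to


@dataclass(frozen=True)
class Record:
    patient: str
    unit: str  # department that owns the record (treating unit, billing office)
    resource: str


def authorize(user: User, record: Record, action: str, audit: list) -> bool:
    """Minimum-necessary check.

    The role must permit the action on that resource type AND the user must
    belong to the unit that owns the record. Every decision is appended to
    the audit trail, denials included: a burst of denied chart reads is how
    an over-curious employee gets noticed in the access review.
    """
    role_ok = (record.resource, action) in POLICY.get(user.role, set())
    unit_ok = user.unit == record.unit
    allowed = role_ok and unit_ok
    audit.append({
        "user": user.name, "patient": record.patient, "resource": record.resource,
        "action": action, "allowed": allowed,
        "reason": "ok" if allowed else ("role" if not role_ok else "unit"),
    })
    return allowed


def denied_by_user(audit: list) -> dict:
    """Count denials per user for the periodic access-review report."""
    counts = {}
    for entry in audit:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    trail = []
    icu_nurse = User("rn.jones", "nurse", "ICU")
    ed_nurse = User("rn.smith", "nurse", "ED")
    clerk = User("b.lee", "billing", "Billing")
    chart = Record("P-1001", "ICU", "chart")
    claims = Record("P-1001", "Billing", "claims")
    authorize(icu_nurse, chart, "read", trail)   # allowed: right role, right unit
    authorize(ed_nurse, chart, "read", trail)    # denied: right role, wrong unit
    authorize(clerk, chart, "read", trail)       # denied: role never reads charts
    authorize(clerk, claims, "write", trail)     # allowed
    print(denied_by_user(trail))
```

Checking the unit as well as the role is what turns a role list into least privilege; with role alone, every nurse in the hospital could read every chart, which is exactly the exposure the section is warning about.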
Password Protection
Password protection is critically important wherever protected health information is accessed. Having to change passwords at least every three months seems difficult and annoying to many healthcare providers. HIPAA may be the first true definition anyone working in healthcare learns, and HIPAA compliance guidance places specific requirements on the passwords used to reach protected health information. It calls for two-factor authentication for every login to protected health information ("The HIPAA Password Requirements and the Best Way to Comply With Them", 2018), meaning that a username and password are required plus a second factor such as a PIN ("The HIPAA Password Requirements and the Best Way to Comply With Them", 2018). Protected health information is personal and must be protected whenever it is retrieved or stored electronically. The same guidance requires every password that grants access to protected health information to be at least eight characters long ("The HIPAA Password Requirements and the Best Way to Comply With Them", 2018), using both numbers and letters. A suggested way to build such a password is to take a phrase you can remember, mix up the spelling, and capitalize letters at random ("HIPAA Security and Privacy", 2003). There are penalties for sharing passwords that grant access to protected health information: a fine of up to two hundred and fifty thousand dollars and up to ten years in prison ("HIPAA Security and Privacy", 2003). The rules for keeping a password protected are simple to follow, and the consequences of an unauthorized person gaining access to protected health information can be devastating. Consider the military: during a war, a terrorist hunting a particular general could have hackers crack a password to protected health information and learn which hospital the general is in. Consider law enforcement: officer-involved shootings have been in the news, and each one can cause an uproar. Imagine the wrong person gaining access to the involved officer's address or the facility where he is being treated. The results in these situations would make a bad situation worse. These are just a few of the reasons password protection in the health industry is so important.
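The "username and password plus a PIN" the section describes is, in most deployments, a time-based one-time PIN from an authenticator app, and the eight-character letters-and-digits rule is a policy check at enrollment. The following is an added example, not code from this paper or from any source it cites: the password policy check, a standard TOTP implementation (RFC 6238, built on RFC 4226 HOTP) used as the second factor, and a login routine that requires both. The secret used in the test is the published RFC 6238 test secret; the user store, salt handling and common-password list are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for a breached-password deny list.
COMMON_PASSWORDS = {"password1", "welcome1", "hospital1", "summer2019"}

# The RFC 6238 test-vector secret (ASCII "12345678901234567890"); real
# deployments generate a random secret per user at enrollment.
RFC6238_TEST_SECRET = b"12345678901234567890"


def check_password(candidate: str) -> list:
    """Return the policy violations for a proposed password (empty = accepted)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password for Unix time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            return True
    return False


def enroll(username: str, password: str, totp_secret: bytes, users: dict = None) -> dict:
    """Add a user: enforce the password policy, store only a salted PBKDF2 hash."""
    users = {} if users is None else users
    problems = check_password(password)
    if problems:
        raise ValueError(f"password rejected: {', '.join(problems)}")
    salt = os.urandom(16)
    users[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
    }
    return users


def authenticate(username: str, password: str, code: str, at: int, users: dict) -> bool:
    """Two-factor login: the password hash must match AND the PIN must verify."""
    rec = users.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    password_ok = hmac.compare_digest(digest, rec["hash"])
    return password_ok and verify_totp(rec["totp_secret"], code, at)


if __name__ == "__main__":
    store = enroll("rn.jones", "kOrrect-h0rse-9", RFC6238_TEST_SECRET)
    print("TOTP at t=59:", totp(RFC6238_TEST_SECRET, 59))          # RFC vector: 287082
    print("login ok:", authenticate("rn.jones", "kOrrect-h0rse-9", "287082", 59, store))
```

Two details matter for the penalties paragraph above: the password hash is compared with `hmac.compare_digest`, not `==`, so an attacker cannot time the comparison, and the PIN is accepted only within one 30-second step of drift, so a code read over a colleague's shoulder (or shared, as the section warns against) is useless a minute later.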
Viruses
All it takes is one click, and a virus can spread like wildfire. That is why it is so vital that healthcare organizations train their employees to look out for possible phishing emails, which are the most likely route for a health organization to receive a virus. "Before 2016, healthcare organizations were not thought to be a primary target for ransomware. However, 14 hospitals had become the target of ransomware, and a total of 173 hacking/information technology (IT) incident data breaches had been officially reported by October 16, 2016. Hospitals have become an easy target for hackers for two reasons: The necessity of computer storage of information associated with patient care and the security holes in IT systems" (Spence, Bhardwaj, & Paul, 2018, p. 2). Therefore, healthcare organizations must train their staff never to open unknown emails or documents or download unknown files. Healthcare organizations must also implement preventive measures such as keeping antivirus software current and running daily scans on all electronic devices within the organization. Without proper action to prevent data breaches in the healthcare industry, the rate of cyberattacks will continue to rise, putting patients at risk.
Conclusion
Cybersecurity breaches in the healthcare industry pose a significant threat to those organizations, which is why security breaches in healthcare organizations must be handled immediately for the safety and security of patients. By educating staff about the various ways security breaches occur and the ways to prevent them from inside and outside the organization, healthcare organizations can begin to reduce the number of cybersecurity breaches across the industry.
References
ECPI University (2019). What is eavesdropping in computer security? Retrieved from https://www.ecpi.edu/blog/what-is-eavesdropping-in-computer-security
Gordon, W. J., Fairhall, A., & Landman, A. (2017). Threats to information security: Public health implications. New England Journal of Medicine, 377(8), 707-709.
Moganedi, S. (2018, June). Undetectable data breach in IoT: Healthcare data at risk. Cyber Warfare and Security, 8(1), 296-298. Retrieved from https://search-proquest-com.contentproxy.phoenix.edu
Most common phishing emails identified (2019). Retrieved from https://www.hipaajournal.com/most-common-healthcare-phishing-emails-identified
Perils of healthcare phishing and what you can do about it (2019). Retrieved from https://healthitsecurity.com/features/perils-of-healthcare-phishing-and-what-you-can-do-about-it
Spence, N., Bhardwaj, N., & Paul, D. (2018, June). Ransomware in healthcare facilities: A harbinger of the future? Perspectives in Health Information Management, 1-22. Retrieved from https://search-proquest-com.contentproxy.phoenix.edu
Storm, D. (2015). MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks. Computerworld.
The HIPAA password requirements and the best way to comply with them (2018). Retrieved from https://www.hipaajournal.com/hipaa-password-requirements
Winder, D. (2014, November 28). Phish your own staff: Arming employees to beat modern attacks. Infosecurity.