How to Safeguard Your Data from the Latest Cyber Schemes
Healthcare data is a hot commodity on the black market. This means that companies in the medical industry are prime targets for cybercriminals. At the same time, the medical industry must comply with strict regulations that include the protection of health information. To avoid fines and lawsuits, you need to safeguard your data from the latest cyber schemes.
Mobile Devices Lead to Data Breaches
Cybercriminals will do anything to get healthcare data. While this sometimes includes exploiting vulnerabilities in computer systems or infecting computers with malware, it can also include old-fashioned theft. The rise of mobile devices is making this easier than ever.
As devices have gotten smaller, they’ve also gotten easier to steal. Information may be stored on portable devices, such as laptops or flash drives, and employees may take these devices with them when they work outside the office. If the devices are lost or stolen, a data breach can result.
This is what happened at the University of Rochester Medical Center (URMC). According to the U.S. Department of Health and Human Services, URMC has agreed to pay $3 million after a lost flash drive and a stolen laptop, both of which were unencrypted, resulted in a data breach.
"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, Office for Civil Rights Director.
Ransomware Is Getting More Sophisticated
Healthcare data can be breached. It can also be held for ransom.
A ransomware attack known as WannaCry made headlines in 2017 when it spread through more than 150 countries. As with other incidents of ransomware, the malware infected computer systems to take control of files, and victims were told to pay a ransom to have their systems restored. However, according to a White House Press Briefing, which attributed the attack to North Korea, computers were not unlocked after ransoms were paid. Although many types of organizations were impacted, the National Health Service in the U.K. was among the hardest hit.
Since then, the threat of ransomware has grown. On October 2, 2019, the FBI issued a public service announcement on ransomware. According to the PSA, “Ransomware attacks are becoming more targeted, sophisticated, and costly.” Common targets include health care organizations.
The FBI says that cybercriminals are using three main techniques to infect computers with ransomware:
- Email Phishing – Cybercriminals send employees emails with malicious files or links. If the employee clicks, malware infects the computer.
- Remote Desktop Protocol Vulnerabilities – Cybercriminals gain unauthorized RDP access either by purchasing credentials on the darknet or by using trial-and-error techniques to obtain them. Once they have RDP access, they can infect systems with ransomware.
- Software Vulnerabilities – Software programs sometimes have security weaknesses that cybercriminals can exploit to take control of systems and infect them with ransomware.
Protect Your Data
All businesses must take steps to keep data safe, but this is especially true for the medical industry.
- Make data protection and cyber security an ongoing priority. Conduct risk assessments, consult with security experts and take steps to control your risks.
- Educate employees, regardless of position, on how to avoid cyberattacks and phishing schemes.
- Keep portable devices secure. Encryption can prevent data from getting into the wrong hands.
- Adhere to smart cyber practices, including strong passwords, secure networks, prompt installation of all security patches, least-privilege configurations to control access, and anti-virus protection.
- Back up your data. The FBI does not recommend paying a ransom if your system is infected with ransomware. Having a secure backup that is stored offline is a better way of regaining files.
With escalating and ever-evolving threats, cyber liability insurance is no longer a nice-to-have. Ask your business insurance broker to help you assess your options.