Addressing 3 Critical Communication Security Weaknesses in the Healthcare Industry

In recent months, New Mexico-based Presbyterian Healthcare Services finally closed a settlement deal over a class action lawsuit filed by patients, pertaining to a 2019 phishing attack. The resulting security breach led to compromised email accounts and a major data compromise affecting more than 180,000 patients and health plan subscribers. The settlement forces Presbyterian Healthcare Services to pay up to $5,750 to the affected parties. This settlement can mean millions in losses for the organization – all because they failed to properly secure their emails.

The healthcare industry is already regarded as the top target of cyber attackers according to an FBI report. Hospitals and other healthcare organizations cannot downplay cyber threats aimed at their communications or correspondence, which are crucial in their regular operations, especially in the services they provide. Hence, they cannot limit communication to reduce the threats. They need effective security mechanisms, tools, strategies, and protocols.

Here are three of the most crucial security weaknesses in healthcare communications and the ways to effectively address them.

1. Email Encryption Weaknesses

Email security is supposedly standard practice among organizations, but it appears that many are not doing enough to secure this communication channel. A study on email security practices shows 51% of organizations reporting that malware managed to penetrate their email filters. The same study reveals that 68% of companies do not employ email encryption. They claim to have email protection, but they lack this crucial function. In some cases, organizations do use encryption but they do not have it activated by default.

To comply with the security requirements stipulated by HIPAA, healthcare organizations need to make sure their emails are adequately encrypted. However, some email encryption solutions require senders to designate each email that gets encrypted, which leads to lapses when corresponding with patients on the fly. Many healthcare providers try to circumvent these requirements altogether by requiring patients to log into portals with multi-factor authentication to see all of their messages, but that only introduces user experience friction, leading to messages going unseen.

Using Paubox, it’s easy to ensure that all email communications are encrypted and HIPAA-compliant, while continuing to use the same email client apps that your team is used to. Once configured, Paubox’s email engine implements encryption by default, using TLS 1.3 or 1.2 on all messages, to ensure that sensitive data is only accessible to intended recipients. If the patient’s device or email service does not support encryption, Paubox can generate a link through which the recipient can view the message via a secure web page, with no portal login required.
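The "encrypt by default, fall back to a secure link" behaviour described above can be expressed as a small delivery rule: upgrade the SMTP session with STARTTLS under a context that insists on TLS 1.2 or newer and verifies the server certificate, and if the receiving side offers no STARTTLS or the handshake fails, do not send the body in clear at all but switch to a link-based secure-page delivery. The following is an added illustration of that rule, not Paubox's code or any part of its product; the `FakeSMTP` class is a constructed stand-in for `smtplib.SMTP` so the logic runs offline, and the addresses in `build_sample_message()` are made up.

```python
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional


def build_sample_message() -> EmailMessage:
    """Constructed sample message; the addresses are hypothetical."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "patient@example.net"
    msg["Subject"] = "Your appointment"
    msg.set_content("Please confirm your appointment for next week.")
    return msg


def strict_tls_context() -> ssl.SSLContext:
    """Context that verifies the server certificate and hostname and
    refuses anything older than TLS 1.2 (the article cites TLS 1.2/1.3)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deliver_encrypted(msg: EmailMessage, smtp,
                      context: Optional[ssl.SSLContext] = None) -> str:
    """Send msg only after a successful STARTTLS upgrade.

    Returns "sent_tls" when the message went out over TLS, or
    "secure_link_fallback" when the receiving server offers no STARTTLS
    or the handshake fails. In the fallback case the caller sends only a
    notification with a link to a secure web page; the message body is
    never transmitted in cleartext.
    """
    if context is None:
        context = strict_tls_context()
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "secure_link_fallback"
        smtp.starttls(context=context)
        smtp.ehlo()  # re-identify after the TLS upgrade, as RFC 3207 requires
        smtp.send_message(msg)
        return "sent_tls"
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return "secure_link_fallback"


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP exposing only the methods
    deliver_encrypted() uses, so the decision logic can run offline."""

    def __init__(self, offers_starttls: bool, handshake_ok: bool = True):
        self.offers_starttls = offers_starttls
        self.handshake_ok = handshake_ok
        self.tls_active = False
        self.sent = []

    def ehlo(self):
        return 250, b"example.net"

    def has_extn(self, name: str) -> bool:
        return self.offers_starttls and name.lower() == "starttls"

    def starttls(self, context=None):
        if not self.handshake_ok:
            raise ssl.SSLError("TLS handshake failed")
        self.tls_active = True

    def send_message(self, msg):
        # A real server would accept cleartext; this guard documents that
        # deliver_encrypted() must never reach this point without TLS.
        if not self.tls_active:
            raise RuntimeError("cleartext send attempted")
        self.sent.append(msg)


def run_scenarios() -> dict:
    """Exercise the rule against a modern, a legacy and a broken receiver."""
    msg = build_sample_message()
    modern = FakeSMTP(offers_starttls=True)
    legacy = FakeSMTP(offers_starttls=False)
    broken = FakeSMTP(offers_starttls=True, handshake_ok=False)
    return {
        "modern": deliver_encrypted(msg, modern),
        "legacy": deliver_encrypted(msg, legacy),
        "broken": deliver_encrypted(msg, broken),
        "legacy_sent_count": len(legacy.sent),
        "broken_sent_count": len(broken.sent),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The point to check in any real deployment is the same one the fake server encodes: a plain `smtplib.SMTP` will accept a cleartext `send_message()` without complaint, so the "no STARTTLS" and "handshake failed" branches must return before that call rather than after it.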

2. Threats of Social Engineering

The Presbyterian Healthcare Services data compromise mentioned earlier happened because of phishing, a form of social engineering attack. It is not a rare case. Cybercriminals often manage to overcome an organization’s security controls to access confidential communications by taking advantage of human weaknesses. It is often easier to mislead people into downloading malware or bypassing security mechanisms than to confront automated cybersecurity systems head-on.

The social engineering problem targeting the healthcare sector is getting worse with the advent of generative AI. Nowadays, threat actors have access to new technologies such as deepfakes and voice cloning that facilitate more effective deception. They can also quickly generate new web pages with the help of AI to impersonate patient record portals and other web pages used by patients. It is fast and easy for threat actors to convince patients and healthcare employees to reveal private data.

To address social engineering threats, it is important to invest in cybersecurity training for everyone in the organization. Everyone must know how to detect potential instances of phishing and deception. Everyone needs to observe cybersecurity best practices. It also helps to use cybersecurity platforms aimed at combating social engineering.

There are software solutions that can help organizations address social engineering more effectively. KnowBe4, for example, provides a way to systematize cybersecurity training. It allows you to establish a strong cybersecurity culture by generating a risk score, outlining an organization’s risk history, and providing a dashboard to facilitate the management of social engineering threats and oversee compliance with relevant regulations.

3. Security Weaknesses Associated with BYOD

Many organizations have embraced Bring Your Own Device (BYOD) policies, which save them the cost of buying IT devices and reduce or eliminate maintenance costs. Additionally, many healthcare providers support BYOD because it allows team members to be more responsive by using their own phones to correspond with patients even beyond standard office hours. Devices connected to an organization’s network under the BYOD scheme, however, pose serious security risks to healthcare communications.

It is more complicated to manage the security of BYOD devices, since an organization’s IT cannot exercise full control over what applications are installed on them and how their security settings are managed. It can also be tricky to regulate the copying of sensitive files onto these devices, even if those files are covered by HIPAA’s requirements.

Additionally, allowing employees to log in to accounts through personal devices can expose data, including login credentials, to more threats. Organizations may benefit from the savings in device acquisition and maintenance, but ultimately, they have to spend more resources and effort in boosting security mechanisms and controls.

Organizations need to provide ample cybersecurity training to BYOD device users and enhance their cybersecurity posture to take into account the new vulnerabilities and attack surfaces associated with BYOD. They can use Microsoft Intune to enhance the management of devices that connect to the network, including the apps used and the identities of users. Compatible with all popular operating systems, Intune helps secure communications in the healthcare setting by managing devices and apps to make sure that they do not have vulnerabilities that can be exploited to steal or leak sensitive data.

In Conclusion

Communication is a fundamental aspect of healthcare services. It should be secured to maintain patient trust and comply with regulatory requirements for data privacy and security. The failure to secure healthcare communication can lead to serious damage to patients and healthcare providers. Organizations need to pay attention to security weaknesses that come with weak encryption or the lack thereof, social engineering attacks, and BYOD device vulnerabilities.

Staff Writer at CPO Magazine