Conduct an interview regarding Healthcare Cybersecurity on the possible vulnerabilities in a healthcare organization and the critical educational needs for staff nurses with regard to cybersecurity issues.
Conduct the interview with someone in the IT department.
Provide a write-up summary of the Healthcare Cybersecurity Interview on the possible vulnerabilities in a healthcare organization and the critical educational needs for staff nurses with regard to cybersecurity issues.
In today's electronic world, cybersecurity in healthcare and protecting information are vital for the normal functioning of organizations. Many healthcare organizations run various types of specialized hospital information systems, such as EHR systems, e-prescribing systems, practice management support systems, clinical decision support systems, radiology information systems and computerized physician order entry systems. The thousands of devices that make up the Internet of Things must be protected as well, including smart elevators, smart heating, ventilation and air conditioning (HVAC) systems, infusion pumps and remote patient monitoring devices. These are some of the assets that healthcare organizations typically need to protect, in addition to those discussed below.
Email is a primary means of communication within healthcare organizations. Information of all kinds is transacted, created, received, sent and maintained within email systems. Mailboxes tend to grow over time as individuals store valuable information in them, such as intellectual property, financial information and patient information. As a result, email security is a very important part of cybersecurity in healthcare.
Phishing is a top threat, and most significant security incidents begin with it. An unwitting user may click on a malicious link or open a malicious attachment within a phishing email and infect their computer with malware; in certain instances, that malware then spreads across the network to other computers. A phishing email may also elicit sensitive or proprietary information directly from the recipient. Phishing is highly effective precisely because the message is crafted to fool the recipient into taking the desired action, whether that is disclosing information, clicking a link or opening an attachment. Accordingly, regular security awareness training is key to thwarting phishing attempts.
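The indicators that awareness training teaches staff to look for (a reply address that differs from the apparent sender, a display name that impersonates a colleague's address, urgency language in the subject, a link whose visible text names a different site than its real destination, and an attachment with an executable extension) can also be checked mechanically. The following is an added example written for this write-up, not code from the interview or the organization; the sample message, the keyword list and the extension list are constructed for illustration and are far shorter than a real mail gateway's policy.

```python
"""Triage common phishing indicators in a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: short illustrative lists; a production gateway policy is broader.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "password", "expire"}


def domain_of(addr: str) -> str:
    """Return the lowercase domain part of an email address, or '' if none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def link_mismatches(html: str) -> list:
    """Find anchors whose visible text names a different domain than the href."""
    mismatches = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        href_dom = re.sub(r"^https?://([^/]+).*$", r"\1", href.strip(), flags=re.I).lower()
        text_dom = re.search(r"([\w-]+\.)+[a-z]{2,}", text, re.I)
        if text_dom and text_dom.group(0).lower() != href_dom:
            mismatches.append((text_dom.group(0), href_dom))
    return mismatches


def triage(raw_message: str) -> list:
    """Return the names of the phishing indicators found in the message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # 1. Replies are routed to a domain other than the apparent sender's.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply-to-domain-mismatch")

    # 2. The display name shows an address at a different domain than the real sender.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-spoof")

    # 3. Urgency or credential language in the subject line.
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency-language")

    # 4. Walk the MIME parts for look-alike links and risky attachments.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{filename}")
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if link_mismatches(body):
                findings.append("link-text-domain-mismatch")
    return findings


# Constructed sample: a credential-harvesting lure aimed at a nurse's EHR login.
SAMPLE = """\
From: "it-helpdesk@hospital.example" <alerts@mail-notify.example.net>
Reply-To: helpdesk@hospital-support.example.org
To: nurse@hospital.example
Subject: URGENT: your EHR password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://hospital-portal-login.example.net/reset">https://portal.hospital.example/reset</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Every indicator fires on the constructed sample, which is what makes it useful as a training specimen: each finding maps to one thing a nurse can be taught to check before clicking. None of the heuristics is conclusive on its own (a legitimate newsletter may set a different Reply-To, for instance), so a gateway would score them rather than block on any single hit.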
Unauthorized physical access to a computer or device may lead to its compromise. An attacker with physical access can use techniques that defeat the technical controls otherwise in place on the device. Physically securing a device is therefore important to safeguard its operation, proper configuration and data.
One example is leaving a laptop unattended while traveling or working in another location; such carelessness may lead to the theft or loss of the laptop. Another example is an evil maid attack, in which a device is altered in an undetectable way so that the cybercriminal can access it later, for instance by installing a keylogger that records sensitive information such as credentials.
Legacy systems are systems that are no longer supported by their manufacturer; they may be applications, operating systems or other components. One challenge for cybersecurity in healthcare is that many organizations have a significant legacy system footprint. Because the manufacturer no longer supports them, security patches and other updates are generally no longer available for these systems.
Legacy systems may persist within organizations because they are too expensive to upgrade or because no upgrade is available. Operating system vendors may sunset a version, and healthcare organizations may not have enough of a cybersecurity budget to upgrade to a presently supported version. Medical devices typically run legacy operating systems. Legacy operating systems may also be kept to support legacy applications for which there is no replacement.