Organizations associated with people's health have a higher probability of suffering a cyberattack, as indicated by the Club of Excellence in Management. It is estimated to be the third most targeted sector by cybercriminals in Spain. In fact, at a global level, it is the country that reported the most incidents in 2022, up 74% from the previous year (well above the overall average of 38%).
This happens for various reasons. First, these organizations hold sensitive information about all of their patients in their databases: reports, test results, images, diagnoses, and so on. Second, the chaos an attack can cause in a place like a hospital, where practically every process is computerized (consultations, purchasing of supplies, prescriptions, etc.), also puts the sector in the spotlight.
Preventing attacks in the healthcare sector
Through the meetings of the Health Forum of the Club of Excellence in Management, a list of recommendations was drawn up that can help prevent these cyberattacks and, if they do occur, reduce their impact.
- Invest as much as possible: efficiently, but without cutting costs, because the repercussions of a cyberattack are usually catastrophic, around 10 million euros on average. The most prominent example is the attack suffered by the American insurance company Anthem in 2015, which affected 78.8 million patients and cost it about 400 million euros in clean-up, recovery, lawsuits and investigations.
- Security in the supply chain: It is estimated that nearly half of the data fraudulently extracted from a healthcare organization leaves silently, routed through service providers with which the organization has some link. These providers should also be required to demonstrate a strong, accredited commitment to cybersecurity.
- Be aware of the new "cyber regulations": Obtaining ongoing advice in this area is essential both to comply with the law and to prevent problems already detected in other sectors. An example is the transposition of the European NIS2 Directive into Spanish regulation, which aims to eliminate existing differences between member states with regard to the security of network and information systems and which will enter into force next autumn.
- Understanding at management level: One of the points the NIS2 Directive requires of health organizations is that their governing bodies approve and take responsibility for the cybersecurity risk management measures adopted. This calls for training and understanding, so that awareness is greater.
- Security policies and risk analysis: Continuously measure and search for vulnerabilities so they can be fixed immediately, while integrating incident management professionals into the teams, people who are able to detect and eliminate vulnerabilities.
- Awareness training: Many people work in health sector organizations, and most of them use computer resources connected to the center's network. All of them should be aware of basic cyber hygiene practices: avoiding downloads, not clicking on suspicious links, not using external USB devices... To raise awareness of the problems these can cause, training is essential.
- Strong access mechanisms: A classic that cannot be ignored, because cybercriminals sometimes get in through simple passwords. In the same way, it is important to renew IT infrastructure to prevent it from becoming obsolete, and to segment the networks within a center so that a cyberattack does not affect all areas of management in the organization.