Healthcare spotlight on cyber security

Healthcare cyber security series

Throughout 2020, cyber-criminals continued to target industries where there are huge financial rewards, like health and care in the UK. Employees dealing with the distraction and disruption of the pandemic can leave a company exposed, and the risk of attack remains high on the list of concerns for many leaders.¹

With the expansion of the remote workforce, detecting and preventing social engineering scams has become more difficult. While the increase in distractions when working from home have been widely discussed, physical separation from the workplace is also a factor. Without a co-worker to converse with at the next desk, employees are less likely to do a 'sense check' of a suspicious email.²  

Cyber-crime is more sophisticated than ever, and your employees are your first line of defence. To nurture a culture of compliance in your business, start with building awareness, ensuring your staff understand the risks including what suspicious activity looks like.

To make up for some of the cyber jargon you’re about to experience, we’ve created this handy glossary of terminology for reference.

Why is the health and care industry so lucrative for cyber-criminals?

During the second quarter of 2020, cyber-criminals had remarkable success in duping health and care workers with phishing and social engineering scams. However, the industry has always been a firm favourite with scammers – Beazley’s 2019 Breach Briefing listed healthcare as the most targeted industry, with accidental disclosure the top cause of loss.³  

So why is the healthcare industry a firm favourite with cyber-crime groups?

In an Information Commissioner's Office (ICO) review of care homes alone, they reported:

• Little formal training on cyber security and data protection
• Shared generic accounts to gain access to IT
• Weak passwords
• Encryption of personal data on portable devices often not implemented
• Little restriction of the use of portable media⁴

Sound familiar? If so, it’s time to put a plan in place to safeguard your data, intellectual property (IP), reputation – and money!

What is the cost of a cyber breach?

The highest claim paid by Beazley in 2018 was for business email compromise (BEC) and cost them over £1.8 million. The average cost of a BEC claim is a little over £50,000.⁵

According to IBM’s Cost of a Data Breach Report, the average cost per compromised record is increasing steadily over the last three years. In 2019 the cost was £110 (per record). To put this into context, 5.2 million records were stolen in Marriott’s most recent breach - which could amount to over £500 million. Losses from business email compromise (BEC) have skyrocketed over the last year, and are increasing. The cost can be broken down into several categories including:

• Lost hours from employees
• Remediation
• Incident response
• Damaged reputation
• Lost intellectual property
• Direct monetary losses
• Compliance fines
• Lost revenue
• Legal fees

Costs associated with remediation will usually account for the largest chunk of the total. Costs can be mitigated by cyber liability insurance policies, procedures, technology and training.

Prevention

Protecting your business from cyber-crime and data breach doesn’t need to be expensive. Modest investment in training and process changes can provide outsized returns, reducing the likelihood of falling victim.

1. Alert employees
Particularly those in accounting, finance, HR, and benefits, to be made aware of these scams through security awareness campaigns. Provide periodic anti-fraud training that teaches all employees to detect and avoid phishing and social engineering scams.

2. Establish an out-of-band verification process
Required to confirm the identity of any person requesting a funds transfer, a change to banking information or payment instructions, or access to sensitive data such as tax and payroll information.

• Require voice verification for all changes involving banking information
• Don’t trust contact details provided in the request. If the request is fraudulent, the criminal will have supplied fake contact information, too
• If the request is by email, call and speak to the person at a number you know to be correct
• If the request is by phone, use an email address you know to be correct
• Instead of using “Reply,” forward the email and type in the email address you know to be correct

3. Set up multi-factor-authentication (MFA)
A MFA should be set up for any remote access to your email system, your VPN, your ACH system, and other sensitive applications. Many platforms now provide for MFA at little or no cost.

4. Tell customers
Let your customers or clients know that you will not change banking instructions (without authentication) and to treat any such request as possibly fraudulent.

5. Reduce email retention periods
Reducing email retention periods limits the amount of data held in email inboxes.

6. Consider implementing email security improvements
For example, the Sender Policy Framework (SPF) email security standard or an advanced email threat protection product.⁶ 

To receive the latest content straight to your inbox, sign up to our health and care eNewsletter here.

 

 

^Sources: 

^{1. Robert Hannigan of BlueVoyant Internaltional - Teiss}

^{2. Beazley Cyber Breach Insights and Prevention}

^{3. Beazley Breach Briefing 2019}

^{4. Findings from the ICO advisory visits to residential care homes for adults and children}

^{5. Beazley Breach Briefing 2019}

^{6. Beazley Breach Briefing 2019}