Healthcare Cybersecurity – Familiar and Unfamiliar Risks?

The following is a guest article by Andy Nieto, Global Healthcare Solutions Manager for Lenovo Health.

As healthcare continues its digital transformation journey, providing care is becoming easier and more efficient for providers. But that convenience comes at a cost.

Technologies like cloud computing and IoT devices carry inherent risks associated with cybersecurity. That points to an increasing need for healthcare organizations to give cybersecurity the appropriate priority and investment to protect their patients, providers, and other stakeholders.

Doctors, nurses, and other care providers are the greatest asset to any healthcare organization, as they are the people who treat and interact with patients. Unfortunately, they are also the greatest cybersecurity risk.

According to the EY Global Information Security Survey 2018–19, 34 percent of healthcare organizations report careless or unaware employees as their biggest vulnerability. To address this, many organizations provide layers of security to protect patient data.

But balancing data security against expedient care is a delicate act. Security controls that delay access and impede clinicians from efficiently taking care of patients are, at best, a nuisance to be avoided. At worst, they are seen as a hindrance that users will actively work to circumvent or disable.

Still, securing patient data is critical. To elevate this concern among healthcare providers requires creating a culture of security within healthcare organizations.

To accomplish that, we should look at familiar security practices, and focus on learning about security vulnerabilities that are unfamiliar.

Familiar Security Risks

Many of the cybersecurity risks faced by healthcare organizations are all too familiar, and we know how to deal with them. For example, most people know not to click on attachments in emails from unfamiliar senders.

While that message seems to have gotten through, the bad actors seem to be getting better. They are becoming more skilled at making emails look legitimate, enticing us to click on the links they contain.

The problem is magnified in the healthcare industry. A recent Proofpoint survey shows that 77 percent of email attacks on healthcare organizations used malicious URLs.

Email attacks are becoming increasingly sophisticated. Emails are being designed to appear as if they contain legitimate messages or come from trusted sources. Phishing emails are being timed to strike between 7:00 am and 1:00 pm, increasing the likelihood they’ll be opened and clicked.

The attacks are increasing. A recent poll of healthcare organizations revealed 300 percent more phishing emails in the first quarter than during the same period the year before. When cyber invaders find a vulnerability, they continue to exploit it.

Passwords are our first line of defense. They comprise the first layer of any security strategy, but the need to evolve our approach to passwords is long past due.

It is no longer acceptable to simply write down passwords on notepaper. Our authentication must evolve. One step is to encourage the use of password vaults that store passwords in a well-protected digital space.

Another is to adopt passphrases. Instead of trying to remember random characters (for example: #ER*^%ve) or find a word long enough to manipulate with a few symbols (for example: Pa$$w0rd1), users can use a familiar phrase (ThanksgivingisonThursday).

This increased level of complexity makes hacking more difficult, while the passphrase is easy to remember.
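As an added illustration (not part of the original article), the snippet below estimates the strength of the three example credentials quoted above in two ways: the naive character-set estimate a brute-force attacker faces, and the word-level estimate that applies when the attacker guesses a passphrase one dictionary word at a time. The guessing rate and dictionary size are assumptions of this example.

```python
import math
import re

# Constructed inputs: the three example credentials from the article.
RANDOM_CHARS = "#ER*^%ve"
LEET_WORD = "Pa$$w0rd1"
PASSPHRASE = "ThanksgivingisonThursday"  # four English words run together

# Assumed attacker model for this example only: offline guessing at
# 10 billion guesses per second against a fast (unsalted, cheap) hash.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 3600 * 24 * 365


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols and space
    return size


def charset_entropy_bits(pw: str) -> float:
    """Naive strength: every character drawn uniformly from the pool."""
    return len(pw) * math.log2(charset_size(pw))


def word_entropy_bits(words: int, vocabulary: int = 20000) -> float:
    """Strength of a phrase guessed word by word from an assumed
    20,000-word common-English dictionary (an assumption of this example)."""
    return words * math.log2(vocabulary)


def years_to_exhaust(bits: float) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, pw in [("random", RANDOM_CHARS), ("leet", LEET_WORD), ("phrase", PASSPHRASE)]:
        bits = charset_entropy_bits(pw)
        print(f"{label:7s} {len(pw):2d} chars  {bits:6.1f} bits  {years_to_exhaust(bits):.2e} years")
    print(f"phrase guessed as 4 words: {word_entropy_bits(4):.1f} bits")
```

The passphrase scores far higher than the other two under the character-set estimate, but only about 57 bits when attacked word by word, which is the figure to plan around when choosing phrase length.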

However, passphrases do have a drawback; they can take too long to enter. This is where secondary identity authentication becomes important. These authentication tools include multi-factor authentication (MFA) like RFID “tap & go” cards and tokens used in parallel with biometric devices like fingerprint readers for device access.

The advantage of these MFA tools is that they can be leveraged across the organization. The same RFID card can serve as both a building or door access badge and a computer access token.

Unfamiliar Security Risks

Even with our heightened awareness of security, we often take certain things for granted that we shouldn’t.

Have you ever considered that the wireless network you are connecting to may be spoofed? Do you have the capability to check whether connecting to a particular WiFi network is risky? Does your device vendor give end users a way to see at a glance which wireless networks are behaving suspiciously?

We often assume that the wireless networks at our favorite coffee shops are legitimate, but that may not be the case.

Again, the issue is magnified in healthcare. Connecting to a spoofed network puts patient data at risk. According to the 2018 Cybersecurity and Risk Awareness Survey, healthcare organizations perform poorly at securely protecting and disposing of data and at protecting mobile devices and information.

Relatively familiar security risks and advice may not be familiar to your whole employee population. It may be time for a security refresher.

Culture of Security

In a recent Lenovo webinar, we found that 50 percent of participants confirmed that negligent employees represent their biggest security threat.

We must all be vigilant, make sure that every healthcare organization knows and understands security best practices, and make the unfamiliar familiar. Educating employees is critical to preventing cybersecurity breaches.

Healthcare providers and organizations have long excelled at creating a culture of care. The skills, techniques and methods for delivering that care have continuously evolved, and caregivers have embraced the evolution of care delivery.

The time is now to make a “culture of security” a fundamental part of healthcare culture. It’s as important to patient health as any medicine or therapy.

“I believe that information security is a patient safety issue,” said Anahi Santiago, the CISO at ChristianaCare. “Not just a risk to a patient’s information but a risk to a patient’s life. Bad information in a medical record could actually kill someone.”

About Andy Nieto

Andy Nieto, a Colorado native, holds advanced degrees in Biology and Chemistry. For more than 25 years, Mr. Nieto has been a healthcare technology leader, fusing clinical and technical knowledge with extensive experience in architecting, evaluating and implementing solutions that result in long-term organizational success and improved patient outcomes. Mr. Nieto has a passion for improving the flow of information inside and outside of clinical networks, specializing in workflow, data systems, networks, and security.

About Lenovo Health

Lenovo is a trusted provider of healthcare technology with a 20+ year history of world-class innovation, industry leading partnerships, and more than a decade of proven healthcare experience. Lenovo Health powers tailored care delivery in 160 countries and 1,600+ healthcare organizations worldwide. Lenovo Health is a proud sponsor of Healthcare Scene.

Lenovo Health’s vast computing portfolio supports the administrative, clinical, and remote care needs of healthcare facilities with cloud, security, and mobility solutions and accessories that streamline workflow and bring data closer to the patient and clinician.

Learn more about Lenovo Health at