Cybersecurity risks in healthcare are becoming more prevalent as sensitive patient information is increasingly shared online through digital collaboration platforms. The benefits of collaborating digitally are compelling: enhanced integrated-multidisciplinary care, improvements to the patient’s journey, and better time and cost efficiency. However, these benefits are redundant if an organisation is the victim of a cyber-attack.
Why are cybersecurity risks in healthcare a concern?
In 2021, 81% of UK healthcare organisations suffered a ransomware attack. The healthcare industry is highly prone to attack given the critical nature of networks; healthcare records are an attractive target due to the confidential information they contain which can aid with identity theft, financial fraud, tax fraud, insurance fraud and social engineering. Healthcare organisations will also pay high ransoms to avoid the life-and-death consequences of network downtime.
Compounding this, healthcare has historically been slow to adopt digital solutions, so there remain challenges with legacy systems in place. Healthcare workers also often have less time available to commit to understanding online security threats and vulnerabilities.
Despite this, organisations typically fall into the trap of using general collaboration platforms, such as Microsoft Teams and Zoom. Although popular and appropriate for enterprise use, these platforms have not been designed with the unique security requirements of healthcare in mind.
This blog investigates the top three cybersecurity risks in healthcare associated with using well-known online collaboration platforms, and how to avoid the pitfalls.
1. Compliance with data protection regulations is promised – but comes with caveats
The sensitive nature of Protected Health Information (PHI) means healthcare providers must adhere to much stricter compliance regulations than most, including strict protocols such as GDPR (General Data Protection Regulation) and HIPAA (Health Insurance Portability and Accountability Act). These standards ensure sensitive data is collected, used, stored, and removed in a secure and controlled manner. Auditable paper-trails must be created for all events involving PHI, including a detailed log of who is accessing what data and how that data is being stored, used, and treated.
These security best-practice requirements contradict the open communication ethos of both Microsoft Teams and Zoom, which promote file sharing and distribution. Both platforms maintain the protection of confidential data with a sign-in process, but following this access there remains several questions:
- Where is the sensitive data stored?
- Who has access to it?
- Is it password protected, encrypted, or sent to the cloud?
- If it is stored on the cloud, who has access to that?
These ownership issues become even more significant considering the recent news that Zoom exaggerated their end-to-end encryption capabilities. Zoom claimed to use industry standard AES-256 cryptography but on deeper inspection researchers discovered the weaker AES-128 with an obsolete protocol, leading to an $85million fine.
Although Microsoft Teams can be configured to be HIPAA compliant, there remains a substantial risk of HIPAA noncompliance due to incorrect configuration of systems like Office 365. And, while it is possible to add restrictions to ensure compliance, ensuring consistent adherence to security best practice with large amounts of data circulating through a diverse ecosystem like Microsoft Teams is undoubtably a challenge.
So, although these dominant collaboration platforms promise compliance and secure handling of sensitive data, they are potentially huge sieves of ePHI and HIPAA violations waiting to happen.
Visionable’s solutions have been created specifically for healthcare organisations, with their security requirements considered and embedded in the design – including AE 256 encryption. As a result, we are one of only two UK companies approved for patient consultations in secure settings, such as prisons.
2. Cyber attackers are increasingly viewing prominent collaboration platforms as an opportunity for hacking
The popularity of Microsoft Teams (270 million monthly active users) and Zoom (470,000 paying business customers) makes them attractive opportunities for cyber attackers. Unlike email accounts, end-users have “an inherent trust of the platform” making them less suspicious of unusual activity.
Attackers are “beginning to understand and better utilise Teams as a potential attack vector”. Research by Avanan recently discovered thousands of attacks involving malware through an .exe file dropped into Teams conversations. When clicked, the file would install a Trojan on a user’s computer, which would subsequently install malware.
Microsoft Teams is the most impersonated company for phishing attempts, accounting for 43% of fraudulent company emails sent to users. Time-pressed and stressed workers, such as those in healthcare settings, are particularly susceptible to attacks because they often do not have a chance to pause and assess if something looks wrong.
Attackers are experts at making phishing messages look incredibly realistic. For example, when a user is not actively using Teams or is away from their computer, Teams will send an email notification containing a link to the missed message. Attackers often exploit this feature to launch phishing attacks using malicious code.
Zoom users are experiencing similar threats, such as messages advising them that their Zoom account has been suspended – with a link to capture their Zoom credentials.
An effective mitigation for this threat is two factor authentication; by asking for a second form of identification, it is less likely that a cyber attacker can gain access to data by pretending to be the user.
3. Accidental sharing and data leakage is common
The guest access functionality in Microsoft Teams and Zoom also risks leading to data leaks and unauthorised access. For example, files can be shared with external users or guests for longer than required, or users may not realise there is an external user present in a channel. Similarly, continuing to provide access to a user even after the external meeting has ended risks data leakage or accidental visibility of confidential files.
Aside from guest and external access, accidental sharing internally is a risk due to the simplicity for users to create a new Team, add members and start collaborating. The ease of this process is beneficial in promoting collaboration; however, without the right restrictions in place there is a risk that multiple groups are created and abandoned, leading to potential lack of oversight and life cycle management. As a result, sensitive PHI could be at risk due to outdated or incorrect sharing settings that violate information protection.
What’s more, if a meeting URL is leaked in Teams or Zoom, there is no other gating factor to prevent the wrong person joining a session. Visionable’s platform has been specifically designed to overcome this vulnerability by ensuring users can verify the identity of anyone joining. For example, there is an informed consent process which means a moderator must verify the person entering the call is who they say they are; this is done via a pass phrase, date of birth and postcode or patient ID information.
A security-first collaboration platform, designed with healthcare in mind
Although cybersecurity risks in healthcare remain a challenge, Visionable is proud to be designed with healthcare security in mind and will continue to overcome these common vulnerabilities of alternative collaboration solutions.