Cybersecurity risks are among the most prominent risks to emerge in the 21st century. With the ongoing digitalization of all medical records, hospitals have become one of the primary targets for phishing, information theft, and cyber terrorism (Kim, 2018). Since all modern hospitals operate technology with specialized software and program interfaces, cybersecurity matters more than ever. At the same time, the national healthcare system remains woefully behind in ensuring the privacy and security of its patients’ medical records.
The Coalfire Penetration Risk report states that the healthcare industry has the weakest protection of any sector surveyed, ranking below tech, retail, and financial services (Donovan, 2018). The report included most of the major hospitals, which indicates deep-seated security issues in the field. Mayo Clinic is one of the most prominent healthcare providers in the USA, serving hundreds of thousands of patients every year. The purpose of this paper is to analyze internal and external threats to Mayo Clinic’s Personal Healthcare Information (PHI), analyze its risk assessment processes, and draw conclusions about the adequacy of its cyber defenses.
External Risks to Hospital Security
While there is a multitude of security risks to hospitals such as Mayo Clinic, the primary external risks to its information systems are phishing attacks, malware, and encryption blind spots (Wager, Lee, & Glaser, 2017). Phishing attacks are the most common because they require the least preparation to send out and can be very effective in luring employees into giving up personal data. With doctors and nurses having access to shared healthcare records, this type of external threat has become more effective at getting results. Mayo Clinic is a frequent target of such attacks.
The second threat to hospital cybersecurity is malware and ransomware. They can be delivered through various means, such as phishing emails or blind spots in encrypted traffic (Wager et al., 2017). These programs can shut down access and potentially paralyze a workstation, or even the entire network. Hospitals such as Mayo Clinic are optimal targets for malware and ransomware because of their need for quick access to patient information. In addition to locking out data, malware can steal or corrupt data, which may later be used for extortion.
The last issue is associated with the increased usage of cloud servers. These are third-party data storage services, which are exposed to external hacking attempts (Wager et al., 2017). The hospital has little to no control over these servers or their providers.
Nevertheless, many hospitals rely on outdated on-premises equipment that cannot store large amounts of data. For small hospitals that do not receive additional funding, cloud services are a forced measure, one that comes with its own set of external security risks. Although Mayo Clinic uses encrypted cloud services sparingly and in accordance with HIPAA provisions, the risk of outside intervention still exists.
Internal Risks to Hospital Security
Internal threats to Mayo Clinic’s hospital security are largely associated with employees and equipment. Security leaks may result from employees’ negligent use of data or, in rare cases, from malicious intent. The success of phishing attempts depends, for the most part, on employees failing to recognize genuine security risks. Employee training and awareness campaigns help mitigate negligence, whereas agency and accountability procedures help prevent malicious intent (Wager et al., 2017).
The second internal threat is associated with outdated equipment and software. Many hospitals use old computers and unsupported applications, which lack the level of security and encryption needed to withstand hacking attempts (Wager et al., 2017).
In addition, these applications are more prone to malfunction, which could result in the misinterpretation or corruption of data. Although Mayo Clinic is one of the most financially sustainable hospitals, it still has some problems with regard to equipment and software security. Lastly, there are issues with the physical security of server equipment. In the event of a flood or a fire, if the servers are damaged, all locally stored data may be lost forever. Mayo Clinic adheres to strict regulations for flood and fire safety and has backup systems in place in the event of such an occurrence.
Security Risk Assessments at Mayo Clinic
Cybersecurity risk assessments at Mayo Clinic are conducted on a yearly basis. They are handled individually by the company’s responsible IT officers, who number over 100 (Mayo Clinic, 2018). These individuals are tasked with ensuring that all IT-related equipment has antivirus software and firewalls, and that the information used in daily operations is properly encrypted (Mayo Clinic, 2018). They are also tasked with educating and briefing all personnel on the latest news about cybersecurity and cyber threats. Overall, these assessments serve to maintain the status quo and to confirm that no breaches have been detected.
Outside security companies are involved in making large-scale reforms and upgrades to the existing security system. This approach is useful for neutralizing any major security deficiencies but does not address the speed at which cyber threats are evolving. These measures can mitigate phishing threats and internal cybersecurity issues but are not enough to make up for aging equipment and evolving malware and decryption software.
Conclusions and Recommendations
Although the state of cybersecurity at Mayo Clinic is better than at other healthcare facilities in the region, its overall quality remains subpar. Aging equipment, as well as the reactive approach to external threats, makes it vulnerable to deliberate attacks. Mayo Clinic should adopt a proactive approach, which involves bi-yearly monitoring by specialized cybersecurity firms, as well as significant updates to the existing software and hardware. All personnel should undergo yearly training and reminder sessions in order to recognize the newest phishing and malware practices. HIPAA standards for personal data protection are to be enforced with increased frequency.
References
Donovan, F. (2018). Healthcare IT security worst of any sector with external threats.
Kim, L. (2018). Through the looking glass: What’s happening now and in the future with cybersecurity.
Mayo Clinic. (2018). Innovate, create, and invent.
Wager, K. A., Lee, F. W., & Glaser, J. P. (2017). Health care information systems: A practical approach for health care management (4th ed.). New York, NY: Jossey-Bass.