“The health sector is in desperate need of a cyber hygiene injection”
― James Scott
In the era of technological innovation, big data, relentless digitalization pace, and interconnectivity, malicious actors have been perfecting and diversifying their cyber-artillery, intensifying their attacks on one of the most vulnerable, lucrative, and data-rich industries: healthcare. The existence of strict laws and regulations meant to ensure data protection and privacy (e.g. HIPAA, GDPR, PDPA, etc.) is a clear indicator of the incalculable value that lies within EHRs, for instance. Given the devastating effects of cyberattacks on patient care delivery and safety, keeping data secure – beyond financial damages – has become a matter of life and death.
Healthcare Cybersecurity: worrisome statistics
According to Security, one-third of cyberattacks targeted healthcare organizations, causing huge financial damages, compromising patient care delivery, and even endangering patients’ lives. As Statista highlights, in 2022 alone, the average cost per data breach worldwide amounts to $4.35 million, showing an increasing trend when compared to previous years. According to the same source, the healthcare industry registered the highest average cost.
Globally, from November 2020 to October 2021, finance and healthcare were the two most targeted industries by basic web application attacks.
In 2021 alone, around 45% of healthcare organizations in the U.S. reported experiencing at least one phishing attack in the past year. The second most common type of cyberattack was ransomware, followed by breach or data leakage in the 4th position.
According to Esentire, cybercriminals show a clear preference for health/medical clinics and healthcare services over other healthcare organizations such as hospitals, hospices, or pharma.
Effects of cyberattacks on patient safety and care
According to a survey conducted on 641 IT security consultants in healthcare organizations by Ponemon Institute, one single cyberattack can have disastrous consequences:
The respondents highlighted six main cybersecurity threats:
As it can be observed, insecure medical devices (e.g. insulin pumps, pacemakers, etc.) and eHealth apps (e.g. telemedicine, remote health monitoring, etc.) are among their main concerns. It is not difficult to imagine that cyberattacks automatically impact patient care delivery and safety, resulting in delays in tests and procedures or longer hospital stays. But the most striking fact the survey makes visible is that cyberattacks increase the mortality rate:
Why is patient data so valuable for cybercriminals?
To begin with, according to SecureLink, the value of a healthcare data record may reach $250 on the black market. Compare that with the value of a payment card: $5.40. But what is it exactly that makes data records so valuable? One PHI-compromised record gives cybercriminals access to the patient’s Social Security number, payment information, medical history, birth date, demographic data, health insurance details, contact information, etc. HIPAA Journal makes it clear: stolen healthcare data allows cybercriminals to commit a wide variety of crimes:
- Identity theft
- Extortion and blackmail
- Support criminal activities by creating identity kits with the stolen data
- Get access to expensive equipment, medical services, or prescription medication
- File fraudulent insurance claims
What makes healthcare organizations vulnerable to cyberattacks?
We have already seen what motivates cybercriminals to target healthcare organizations. But what exactly makes these organizations so vulnerable to cyberattacks? Technological innovations have offered attackers new easy entry points. Let’s take a look at some examples:
Medical devices (X-rays, insulin pumps, etc.)
While it is true that medical devices do not store data themselves, they can be used as an entry point to get access to servers, other devices, or to install ransomware.
Outdated systems and technologies
In the era of sophisticated cyberattacks, mitigating data breaches can only be achieved by keeping essential software updated. And that includes investing (and then maintaining) in infrastructure protection.
Staff accessing networks remotely
Concepts such as interconnectivity or interoperability in the healthcare industry have revolutionized patient care. However, healthcare professionals do not always access networks from secure devices or locations, thus enhancing the risks of opportunistic cyberattacks.
Lack of essential cybersecurity education
Lack of time, reluctance, or budget constraints are only some of the factors that prevent healthcare professionals from keeping up with cybersecurity best practices. Put simply, that may be a synonym of the dreaded ‘human error’ with catastrophic consequences. An innocent click on a phishing email can wreak havoc!
Healthcare cybersecurity: a team effort to ensure patient safety
As Stop Ransomware highlights, cybersecurity in the healthcare industry is a joint responsibility of both public and private stakeholders. That includes healthcare organizations, governments, IT vendors, and medical device manufacturers alike. As of today, we will focus on healthcare organizations. Mainly because it’s been a good while since firewalls and regular password changes have stopped being efficient by themselves. In order to keep data safe, healthcare organizations need to take more advanced security measures.
Mandatory basic cybersecurity measures:
- Network security (i.e. VPN, firewall, network segmentation, antivirus and antimalware software, etc.)
- Limited access privileges
- Data encryption
- Email and web filters
- Regular systems, software, and devices updates
- Regular staff training in basic cybersecurity best practices
- Restrict third-party access
- Strict policies regarding the use of personal devices at work
- Off-site data backup
There is a lot more healthcare organizations can do apart from these basic measures:
- Implement multi-factor and biometric authentication
- AI-powered detection and prevention solutions that allow organizations to identify patterns, detect suspicious activities, and respond to threats
- Conduct regular penetration testing, vulnerability and risk assessments
- Conduct a HIPAA compliance audit
- Keep up with threat intelligence in your industry to prevent and mitigate cyberattacks (e.g. Health Industry Cybersecurity Tactical Crisis Response Guide)
- Test backup procedures to make sure you can restore crucial data if an attack occurs
- Audit, maintain, and update all your IT resources
- Tailor an incident response plan and practice it
- To be able to improve cybersecurity, you need to track security metrics (e.g. number of critical vulnerabilities detected through penetration testing, Mean Time to Detect, Mean Time to Resolve, etc.)
- Constantly monitor staff and build a zero-trust security environment
- Use network segmentation to deploy firewalls and restrict access to specific areas
- Renew SSL certificates regularly
- Automate security and IT tasks
- Use air gapping (physical or logical) for data backup
We began the article with a relevant quote and we will end it with another one. Not because we like quotes (though we do!) but because it would be impossible for us to sum it up better: “The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: Cybersecurity is much more than an IT topic.” (Stephane Nappo) It is clear that technology and healthcare will keep holding hands, despite the inherent risks. As long as there will be money and valuable data at stake, there will be cybercriminals devising methods to get their hands on them.