
Healthcare cybersecurity: How to protect your business from attack

Anyone working in healthcare probably knows that you, your colleagues and your organization are under the near-constant threat of cyber intrusion.

Even worse, recent surveys suggest it's just a matter of time before one of those attacks breaks through whatever safeguards you currently have in place, so it's best to be prepared.

The bad actors behind cybercrime see healthcare as a vulnerable and highly lucrative target. They know what they're doing, and they're not going away.

Cyberattacks in healthcare are the new norm

In 2020, "significant security incidents" were "the norm," according to the Healthcare Information and Management Systems Society (HIMSS).[1]

The HIMSS reported that in the previous 12 months, 70% of the organizations it surveyed experienced such significant security incidents, including:

  • Phishing attacks (57% of respondents)
  • Credential harvesting attacks (21%)
  • Ransomware and other malware attacks (20%)
  • Website or web application attacks (14%)

These intrusions, HIMSS noted, most often resulted in disruption to IT and business operations, but 20% of respondents said they'd also suffered financial losses, and 15% said disruptions had an impact on clinical care.

Another report, by HIPAA Journal, revealed that there were 642 major healthcare data breaches involving 29 million healthcare records in the United States, in 2020 alone.

Such major breaches, involving 500 or more patient records, were up by 25% compared to 2019, which held the previous record for the most breaches. The number of annual healthcare data breaches has doubled since 2014, HIPAA Journal reported.[2]

The Ponemon Institute has reported further eye-opening stats in its Cost of Data Breach Report 2020:[3]

  • $7.13 million: the average cost of a data breach in healthcare in 2020 — up 10% from 2019
  • $3.86 million: the average cost of a data breach across all industries in 2020
  • 329 days: the average number of days it took to identify and contain a data breach in healthcare in 2020
  • 280 days: the average number of days it took to identify and contain a data breach across all industries in 2020

Many other reports from across the industry only add to the sense that healthcare is facing a crisis growing bigger by the year. There have now been multiple cases, for instance, in which a hospital ransomware attack received direct blame for someone's death.[4,5]

A recent Ponemon Institute survey of IT professionals found that 22% of healthcare organizations had seen increased mortality rates as a result of such attacks.[6]

And then there's this, from an IT security software company that regularly publishes research on cybersecurity vulnerabilities: In April 2021, healthcare organizations around the globe endured an average of 109 attempted attacks per week.[7]

Healthcare, the firm noted, was the most attacked sector by far, with second place going to organizations in the utilities industry, which only averaged 59 attacks each per week.

Cyber threats evolve as healthcare cybersecurity lags

Just as we could hardly have imagined many of the technologies we use today, the cyber threats faced by healthcare and other industries have evolved drastically over time.

Initially, relatively few would-be hackers had the knowledge or ingenuity to pull off a cyberattack. At the same time, this work was prohibitively expensive — and above all, exceptionally risky. That's not how the cyber-threat landscape looks now.

Today, bad actors aren't necessarily software experts. They just need a basic knowledge of how computers work and enough money to pay a professional malware developer for access to the tools required for success. As Info Security magazine recently put it, the malware-as-a-service (MaaS) industry "has grown into a booming business" for cyber thieves.[8]

Small-time, nontechnical criminals see MaaS as their ticket to possible riches, while even experienced hackers are turning to MaaS because outsourcing malware creation is simply a smart investment.[9]

Among the other major developments in the shifting world of cyber threats is the tendency of attacks initially targeting single organizations to then spread across their connected customer and partner networks. The use of artificial intelligence (AI) makes these incursions even more effective.

Hackers, as trade magazine CISO MAG explains, are using AI both "to weaponize malware" and to counteract cybersecurity solutions.[10] For example, AI can be used to keep malicious code hidden from antivirus software until an opportune time to attack.

"The malicious models can be present for years without detection as hackers wait to strike when applications are most vulnerable," it notes.

And if the victim tries to thwart the attack through patching or some other defensive measure? According to MIT Technology Review Insights, "Offensive AI risks and developments in the cyber threat landscape are redefining enterprise security, as humans already struggle to keep pace with advanced attacks."

The AI-enabled malware won't miss a beat — it just takes it all in and adapts.[11]

Healthcare: A valuable target for cybercriminals

Given the many industries from which they have to choose, why would cybercriminals choose to target healthcare organizations?

Here's a look at the five main reasons:

1 | Healthcare data is critical. Healthcare organizations provide critical and time-sensitive services that depend on access to patient data. If a cybercriminal takes that data hostage, the entire system can become paralyzed.

2 | Healthcare data is persistent, which makes it valuable. Unlike a compromised debit or credit card, which a bank can easily replace, Social Security numbers and national insurance numbers are permanent, which makes them more valuable to cybercriminals. The black market price for a stolen credit card number is $5.40, compared to $250 for a stolen healthcare record.[12]

3 | Healthcare organizations are big targets. Most hospitals rely on equipment and applications from dozens or even hundreds of different vendors. In many cases, these tools connect to make care delivery more effective and administration more efficient. For hackers, this makes healthcare a tempting target: Successfully get through on just one device, and you may gain access to an entire health system.

4 | Healthcare organizations often operate on a tight budget. Most hospitals rely on outdated, legacy technologies for at least part of their business. These technologies often run on operating systems that can no longer be effectively updated, which leaves them vulnerable to attack.

5 | Historically, healthcare cybersecurity hasn't been a priority. Up until recently, the need for efficiency has been the key business driver for adopting IT into healthcare. Security, on the other hand, has mostly been an afterthought — something that's good to have but isn't necessarily critical to operations. Meanwhile, providers and administrators have rarely received the training they'd need to recognize an imminent security threat.

Healthcare cybersecurity issues: Challenges for IT

A recent survey by ISACA, a global professional association of IT professionals, found many healthcare organizations aren't sufficiently prepared to face off with their cyber adversaries.

According to ISACA's poll:[13]

  • 71% of respondents reported having an understaffed cybersecurity team
  • 55% said their team had unfilled cybersecurity positions
  • 49% said their organization had difficulty retaining qualified cybersecurity professionals
  • 43% said they'd experienced an increase in cyberattacks over the past year
  • 68% thought it likely or very likely they'd experience a cyberattack in the coming year

The top three attack types respondents said compromised their organization:

  • Social engineering
  • Ransomware
  • Advanced persistent threats

Healthcare cybersecurity solutions

The good news is that even as cyber threats increase, there are a number of different steps organizations can take to minimize the risk of becoming the next victim, and most health systems have at least begun to assemble the framework a strong cybersecurity program needs.

The ISACA survey, for instance, found that 69% of healthcare organizations have a process in place for assessing "cyber maturity," a measure of their adherence to cybersecurity best practices.

It also found that 83% saw the value in developing cybersecurity training and awareness programs. A successful defense against cyberthreats, they've realized, cannot take place in a vacuum.

Cybersecurity for healthcare providers isn't an "IT issue" — it's a problem for the entire healthcare community. Furthermore, most organizations no longer bolt security on after addressing "more important" IT concerns. Instead, they're building these defenses into system development and seeing this approach as essential to their business objectives.

Here's a look at the various strategies they're using, and how they might help your organization as well.

Cybersecurity training for healthcare providers

Historically, most hospitals and health systems have implemented a layered, "defense-in-depth" approach to cybersecurity.

This strategy requires attackers to get through multiple layers of controls — firewalls, antivirus solutions and email spam filters, for example — but it also often ignores the organization's most important protectors: its employees.

Though the Ponemon Institute reports that "malicious insiders" account for 7% of data breaches, well-meaning employees are responsible for the vast majority of reported incidents.[3]

Through email phishing, targeted "spear phishing" and other nefarious social-engineering tactics, hackers have realized it's easy to take advantage of people's natural instinct to trust one another. Making the situation even more complicated, attackers today are using artificial intelligence to boost their chances of success.

"The phishing attacks are getting so sophisticated that even IT experts like me can be fooled," says Rob Clyde, ISACA Board Director and Executive Chair of White Cloud Security.

A typical phishing attack, for example, might involve an email, ostensibly from the CEO, asking an employee in human resources to send W-2 information for all employees.

Or, Clyde says, imagine a situation in which an administrator receives a message that appears to come from a frantic clinician who claims they need access to a certain system, but they've forgotten the password.

"Maybe it's, 'Hey, I'm working on this guy and he's bleeding out, I have to know what blood type he is, but the system has locked me out — can you help?' What are you going to do in that situation if you're the one at that support desk?"

Navigating the world of social engineering is difficult at best, Clyde admits, but he and others also say it's important for organizations to educate employees to question suspicious emails or phone calls.

"Sadly, training initiatives aren't going to be as effective today as they may have been a few years ago, but you still absolutely need to have an employee cybersecurity awareness program," he says.

Healthcare cybersecurity technologies

Another key component of any strong cybersecurity strategy involves the technologies available for protecting devices and systems. Any organization with an IT department already understands the importance of tools like encryption, anti-malware solutions and a steady and consistent patch-management program, but most experts agree those tactics alone are no longer enough to stop sophisticated attacks.

"The hackers that are out there are looking for vulnerabilities and testing their code against the major antivirus vendors," Clyde explains. "They already know if their malware is going to work" before they unleash an attack.

With that in mind, he recommends using trusted-app listing (also known as "whitelisting") to ensure that computer users only have access to applications deemed safe by the IT administrator.

He also suggests using a technique called "microsharding" that protects data by splitting files into small pieces and storing them in different places on-site or in the cloud.
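As an added illustration of the sharding idea described above (example code written for this page, not a vendor's microsharding product and not code from the original article), the Python below splits a constructed patient record into fixed-size pieces, spreads them across three hypothetical storage locations, and shows that reassembly depends on a manifest and that a missing or tampered shard is caught on restore rather than silently corrupting the record. The store names, the sample record and the shard size are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict

# Constructed sample record (not real patient data) used as the file to protect.
SAMPLE_RECORD = b"MRN 000123 | DOE, JANE | DOB 1970-01-01 | BLOOD O+ | ALLERGY PCN | CONSTRUCTED"


def new_stores() -> Dict[str, Dict[str, bytes]]:
    """Hypothetical storage locations: each dict stands in for one on-site
    server or cloud bucket. The names are assumptions for this example."""
    return {"onsite-nas": {}, "cloud-a": {}, "cloud-b": {}}


def shard_file(data: bytes, shard_size: int, stores: Dict[str, Dict[str, bytes]]) -> dict:
    """Split data into shard_size-byte pieces and spread them round-robin across
    the stores. Returns the manifest (hash of the whole file plus the location,
    opaque id and hash of every shard); without it the pieces cannot be ordered."""
    if shard_size <= 0:
        raise ValueError("shard_size must be positive")
    names = list(stores)
    manifest = {"length": len(data), "sha256": hashlib.sha256(data).hexdigest(), "shards": []}
    for index, offset in enumerate(range(0, len(data), shard_size)):
        piece = data[offset:offset + shard_size]
        store_name = names[index % len(names)]
        shard_id = secrets.token_hex(8)  # random name: reveals neither position nor content
        stores[store_name][shard_id] = piece
        manifest["shards"].append(
            {"store": store_name, "id": shard_id, "sha256": hashlib.sha256(piece).hexdigest()}
        )
    return manifest


def reassemble(manifest: dict, stores: Dict[str, Dict[str, bytes]]) -> bytes:
    """Fetch shards in manifest order, verifying each piece and then the whole
    file, so a missing, swapped or altered shard is reported on restore."""
    out = bytearray()
    for entry in manifest["shards"]:
        piece = stores[entry["store"]].get(entry["id"])
        if piece is None:
            raise ValueError(f"shard {entry['id']} missing from {entry['store']}")
        if hashlib.sha256(piece).hexdigest() != entry["sha256"]:
            raise ValueError(f"shard {entry['id']} in {entry['store']} failed integrity check")
        out += piece
    if len(out) != manifest["length"] or hashlib.sha256(out).hexdigest() != manifest["sha256"]:
        raise ValueError("reassembled file does not match manifest")
    return bytes(out)


def exposure_by_store(manifest: dict, stores: Dict[str, Dict[str, bytes]]) -> Dict[str, float]:
    """Fraction of the file's bytes held by each single location: what someone
    who obtains only that location's contents could recover (still unordered)."""
    total = manifest["length"]
    held = {name: 0 for name in stores}
    for entry in manifest["shards"]:
        held[entry["store"]] += len(stores[entry["store"]][entry["id"]])
    return {name: (n / total if total else 0.0) for name, n in held.items()}


def tamper_is_detected(manifest: dict, stores: Dict[str, Dict[str, bytes]]) -> bool:
    """Overwrite one stored shard in place and confirm reassembly refuses it."""
    entry = manifest["shards"][0]
    stores[entry["store"]][entry["id"]] = b"\x00" * len(stores[entry["store"]][entry["id"]])
    try:
        reassemble(manifest, stores)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    stores = new_stores()
    manifest = shard_file(SAMPLE_RECORD, 6, stores)
    assert reassemble(manifest, stores) == SAMPLE_RECORD
    for name, frac in exposure_by_store(manifest, stores).items():
        print(f"{name}: holds {frac:.0%} of the bytes")
    print("tamper detected:", tamper_is_detected(manifest, stores))
```

Two points the toy makes visible: whoever holds the manifest can reassemble the file, so it needs the same protection as an encryption key, and losing it means losing the data; and because this example does not encrypt the pieces, a 6-byte shard can still leak a fragment of a name, which is why sharding is a complement to encryption and access control rather than a replacement for them.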

Finally, Clyde says, every health system should deploy a backup solution to ensure they can restore their systems after an attack. "A backup is not a panacea," he notes, but if you fall prey to ransomware, for example, "it could help you get out of it without having to pay."

Healthcare cybersecurity policies

Lastly, Clyde recommends, it's important that organizations have policies in place so they know how to respond in the event of an attack.

"That policy should be vetted all the way up to your board of directors," he says, "and it should involve significant scenario planning: If you get hit with ransomware and it brings your systems down, are you going to pay a ransom?"

Run through the various possibilities, he notes, and decide upfront how different situations might require your organization to respond in different ways. "The worst time to be making critical decisions like that is when you're in the middle of the crisis. Game it out in advance, and you'll be a lot more clearheaded when it comes to the right decision to make."


© 2021 McKesson Medical-Surgical Inc.