Healthcare facilities remain in the crosshairs of cyber criminals seeking commercially exploitable data. They target electronic health data and personally identifiable information maintained by healthcare establishments.
Awareness of the top cyber security threats in healthcare is the first step in managing such threats. Here is a rundown of the top cybersecurity issues and how enterprises can overcome such threats.
The attacks on health records are increasing by the year
Almost all institutions, from large hospitals to private practices and from vendors to providers, are at risk. To illustrate the magnitude of the threat, there were 63 data breaches, compromising 500+ health records, in March 2023 alone. These figures represent a 47% increase from February 2023 and a 40% increase from March 2022. On average, medical care facilities experience 2.8 million breaches per month.
A 2022 survey by the Ponemon Institute revealed that 94% of healthcare organisations have experienced a data breach in the past two years. A healthcare data breach costs $9.35 million for the enterprise, on average.
Attackers target protected health information (PHI) and personally identifiable information (PII) of patients. Verizon’s 2023 Data Breach Investigations Report estimates 67% of compromised data being PII data.
Criminals in possession of PHI can commit identity theft and insurance fraud. Cyber attackers hold such data for ransom or sell it on the dark web. On average, a single PHI record sells for up to $250, and some records sell for as high as $1,000 each. On average, stolen credit card details sell for up to $120 on the dark web.
Another target is intellectual property (IP), such as patents held by research hospitals. State-sponsored hackers value such IPs. Even otherwise, such data offers good prospects for ransomware.
The increasing costs and implications of cyber attacks
Healthcare establishments hit by cyber attacks suffer from financial losses and reputational damage.
After an attack, enterprises face increasing costs to repair or replace the IT infrastructure. They invariably hire external experts for recovery services and to secure servers.
A major data breach costs a healthcare organisation $10.1 million. The indirect costs are even higher. Service disruptions and appointment rescheduling can wreak havoc on a company’s finances. Many businesses never recover from the associated loss of reputation.
One of the recent high-profile attacks involved Scripps Health, a non-profit healthcare provider. A breach in 2021 led to losses of $113 million, which included $20 million in incident response and recovery and $90+ million in lost revenue. The company also faced class-action lawsuits for its negligence in safeguarding patient medical records. The company settled by paying $3.5 million to affected patients.
The increasing commonplace occurrence of ransomware
Verizon’s 2023 DBIR highlights ransomware as one of the most consistent threats facing healthcare. Successful breaches leading to ransomware have become increasingly common since 2021. Over 1 in 3 healthcare organisations fell victim to a ransomware attack in 2020. Verizon estimates ransomware attacks to comprise 24% of all breach types today.
The popularity of ransomware attacks is due to its success. Many victim establishments panic, fearing regulatory consequences, customer wrath, and public relations outrage. They pay up the ransom despite the FBI and other law enforcement agencies worldwide warning against such a response.
The emergence of ransomware-as-a-service (RaaS) in the dark web makes it easier for cybercriminals to launch attacks. RaaS allows any aspiring cybercriminal to sign up and launch an attack without prior cyberattack knowledge.
Increased prevalence of DDoS attacks
Healthcare facilities remain susceptible to distributed denial-of-service (DDoS) attacks. DDoS attacks involve a flood of fake connection requests directed at a targeted server. The heavy traffic makes the target systems and resources unusable. The victims cannot access their data, including patent records or appointments. Botnet malware forcibly recruits endpoints to participate in such coordinated attacks.
DDoS attacks can disrupt a network without having to infiltrate or slip in malware first. It is also very easy to deploy. The possible speed and devastation make cybercriminals adopt DDoS attacks as a variant of the ransomware model. Cybercriminals launch DDoS attacks to force healthcare organisations offline. They discontinue their attack when the victims pay a ransom.
DDoS attacks on healthcare establishments are common. A major attack on 1 November 2023 disrupted internet connectivity for many healthcare establishments in Singapore.
The increasing internal threats
Verizon’s 2023 DBIR attributes internal threats as the cause for more than one out of every three breaches in the healthcare sector. These internal threats are more due to errors and other mistakes than rogue insiders.
Common internal errors that leave the door ajar for cyber attackers include:
- Employees with high-level access accidentally posting their passwords somewhere online.
- Storing a patient’s file on an insecure server.
- Employees follow the attackers’ instructions when the attackers assume a voice of authority or display a sense of urgency.
Lurking cyber criminals take advantage of such missteps to effect a breach and syphon off the data.
Increasing regulations
The healthcare industry faces increasing regulations in response to the increasing cybercrime incidents.
Different jurisdictions impose different compliance regulations.
The United Kingdom subjects healthcare institutions to a cyber readiness exercise. Enterprises not keeping pace with national standards get support. Violators face penalties and legal consequences.
The European Union General Data Privacy Regulation (GDPR), the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) regulate the storage of PPI and PII. These rules mandate strict enforcement action and heavy penalties for non-compliance. HIPAA, for instance, mandates companies to protect PHI against unauthorised access or use. Companies also have to report breaches. Violations lead to significant financial penalties and even criminal liability.
In the wake of relentless cyber attacks, the US National Institute of Standards and Technology (NIST) released several cybersecurity publications. Healthcare providers can follow NIST 800-53 security standards to ensure their networks remain robust and resilient against cyber attacks.
Healthcare enterprises have become more effective at complying with the regulations. For instance, the number of HIPAA enforcement actions has declined in recent years, and the average penalty for a HIPAA violation has decreased.
Conclusion
Healthcare enterprises must update their systems and comply with regulations to remain safe. They must update software and systems to ensure their technology infrastructure is current and secure. Older systems rarely have security features to protect against the latest threats. Side-by-side, they need to get the basics rights, such as switching to multi-factor authentication, raising awareness and educating employees on threats, implementing access controls, deploying antivirus and installing anti-malware suites. Regular backups improve resilience and protect against the disruptions caused by ransomware attacks.