Over the last decade, the cybersecurity risk to healthcare has grown dramatically, as has the sophistication of cyberattacks.
The integration of technology, interoperability, and data analytics raises consumers’ and businesses’ vulnerability to malicious computer assaults with each new development.
It’s clearer than ever that cybersecurity is essential for protecting healthcare data. According to Becker’s Hospital Review, health care businesses lose $5.6 billion each year due to data breaches.
According to a new Breach Barometer Study: Year in Review, there was an average of at least one health data breach every day in 2016, affecting almost 27.2 million patient records.
Cyberattacks are especially worrisome for healthcare providers since they may directly endanger the security of systems and data, as well as the health and safety of patients.
Healthcare organizations are attractive targets for cybercriminals for three primary reasons:
- Criminals may sell patient medical and billing information on the darknet for insurance fraud purposes in a matter of minutes.
- Ransomware’s ability to disrupt patient care and back-office infrastructure makes it more probable that ransom demands will be paid.
- Medical devices that are connected to the internet are vulnerable to hacking.
Why is Cybersecurity Important in Healthcare?
Cyber assaults may prevent medical professionals from accessing patient data, which might result in fatal medical mistakes or treatment gaps.
If healthcare providers are unable to keep their business operations going due to information technology difficulties, they risk facing significant financial difficulties and reputational damage.
During a ransomware assault on a major Maryland health system, MedStar Health, email and records databases were shut down for days.
According to TechCrunch, the system was unable to provide essential services such as radiation therapy for cancer patients because of the outage.
Due to the rapid shift to electronic health records (EHRs) over the last decade, vulnerabilities in information technology (IT) have increased in the healthcare sector.
According to TechCrunch, inadequate cybersecurity spending and the high black market value of stolen patient data have made health providers a tempting target for hackers.
According to a recent poll from the Healthcare Information and Management Systems Society, approximately 75% of health organizations suffered a major security breach in 2019.
Email phishing assaults, outdated systems, third-party software exposure, insufficient IT personnel, and laxity with security rules are just a few of the most significant healthcare cybersecurity concerns.
Healthcare organizations must secure information systems to keep patients safe while also complying with government data privacy laws.
Noncompliance with HIPAA rules on patient data privacy in the United States may result in large financial penalties for hospitals, clinics, and other care centers.
Between 2005 and 2020, the U.S. Department of Health and Human Services (HHS) handled more than 225,900 HIPAA complaint inquiries with about 28,600 cases resulting in corrective actions and 75 cases resulting in fines totaling over $116.5 million.
Why do we need A1 Cyber professionals in the healthcare sector?
Healthcare organizations, along with many others in the business world, are increasing their expenditures on cybersecurity to combat the surge in cyber assaults. This means an increased demand for IT professionals with a background in network security.
The position of an information security analyst is one of the top 10 fastest-growing occupations in the United States, according to the U.S. Bureau of Labor Statistics (BLS), with a projected growth rate of 32.5 percent between 2019 and 2029.
In the healthcare sector, cybersecurity experts are in high demand to build parts of systems that protect patient data, such as enhanced firewalls, encryption solutions, and compartmentalized networks.
Experts in data security know how to test for system flaws, investigate incidents, replace aged or dangerous hardware and software, and create security protocols.
By educating employees and inspiring the leadership team to maintain network security, information security professionals can also develop a culture of risk evaluation.
Cybersecurity threats in healthcare
Hospitals, large and small, are attractive targets for hackers. The growing number of healthcare-related cyber attacks is a sign that smaller healthcare providers are being attacked by criminals at an increasing rate.
As the healthcare industry develops and improves procedures and patient care with new technologies, criminals and cyber attacker groups seek to capitalize on the gaps that come with them.
The following blog series will look at one MS-ISAC analyst’s opinions regarding today’s sources of dissatisfaction for healthcare IT and cybersecurity specialists.
The healthcare sector is rife with cybersecurity concerns. These problems range from malware that jeopardizes equipment and patient privacy to distributed denial of service (DDoS) assaults, which cause facilities to be unable to give care.
Other critical infrastructure sectors face similar assaults, but the healthcare industry’s goal poses unique challenges. Cyber-attacks in the healthcare sector might have far-reaching consequences beyond financial loss and privacy breaches.
For instance, hospitals are especially vulnerable to ransomware, which is a particularly severe type of malware that can put lives at risk if patient data is lost.
What are the specific cybersecurity issues in healthcare?
Healthcare organizations were among the most targeted in recent years. Independent physicians, hospitals, and dentists are often unable to afford expensive cybersecurity measures.
They are targets for hackers all the same: they face the same cybersecurity risks and offer similar bull’s-eye opportunities.
According to the American Medical Association, nearly 57.5% of all medical practices in the United States have fewer than 10 physicians, and around 11% are solo practitioners.
Many small healthcare providers are unable or unwilling to pay extravagant ransoms, forcing them to shut down their operations.
The hackers may demand a ransom, but paying it does not guarantee that they will release data or equipment. It also doesn’t ensure that they won’t sell your patients’ information on the darknet.
Healthcare Ransomware: A Problem in the Field?
The recent boost in reports of hospitals being attacked by ransomware is difficult to overlook.
The MS-ISAC, in collaboration with our partners at the National Health Information Sharing and Analysis Center (NH-ISAC) and Financial Services Information Sharing and Analysis Center (FS-ISAC), hosted seminars throughout the country on how to defend against ransomware.
Ransomware is a sort of malware that infiltrates computers and files, making them unreadable until a ransom is paid. When healthcare services are suddenly suspended, it can have a significant impact on the entire company.
Hospitals are then forced to return to pen and paper, slowing down the medical process and ultimately stealing money that might have been used to upgrade the hospital.
Typically, ransomware enters victims’ computers in one of three ways:
- through infected email attachments,
- through software downloaded from file-sharing sites without permission,
- through the exploitation of system vulnerabilities,
- or through advertisements that contain malware (malvertising).
Because malware writers are constantly modifying and evolving their tactics, techniques, and procedures (TTPs), it’s nearly impossible for security professionals to keep up.
Furthermore, ransomware as a service (RaaS) makes it simple for anybody with little to no technical expertise to mount ransomware assaults on targets of their choosing.
Scenario-1
Quite a few hospitals across the country have been hit with ransomware recently after a server system based on outdated JBoss software was exploited.
In these situations, the attacker uploaded malware to an out-of-date server without requiring the victim’s assistance, as opposed to infecting hospitals via workstations utilized by normal employees.
In another example, Hollywood Presbyterian Hospital in California was one of the hospitals disrupted by a ransomware attack that delayed patient care and resulted in the hospital having to pay $17,000 to regain network access.
Actors leveraged an open-source tool called JexBoss to locate and exploit vulnerable JBoss servers, and infected networks regardless of sector.
While there is no hard evidence, some researchers believe that the high ransom demands seen in healthcare-related incidents suggest that the cyber attackers were aware of who they had infected.
The attackers may have been aware that the infected computers are frequently critical to a hospital’s mission, and that ransomware might make them inoperable, delaying patient care and putting tremendous pressure on organizations to address the problem as soon as possible.
Hospitals, particularly those with financial reserves, may face greater pressure than other businesses. This pressure, as well as the fact that hospitals typically have money on hand, might boost the chances of attackers receiving payment.
By blocking access to files and systems, ransomware can wreak havoc on the day-to-day operations of businesses that have not prepared for it.
MS-ISAC’s Primer on Ransomware provides the essential actions every business should take to protect itself from ransomware by properly securing networks, systems, and end-users.
Keeping your antivirus up to date, using appropriate email filtering, and maintaining up-to-date backups and keeping them offline are only a few of the recommendations offered in the Primer to help safeguard your organization against ransomware.
DDoS Attacks: A Serious Threat in the Healthcare Industry
Hacktivists and cybercriminals frequently employ distributed denial of service (DDoS) attacks to overwhelm a network to the point of unusability.
A lack of connectivity can be devastating for healthcare organizations that require network access to deliver optimal client care or need Internet access to send and receive emails, scripts, records, and other information.
Some DDoS assaults are opportunistic or even inadvertent, but many are done for a social, political, ideological, or financial reason linked to an issue that incites the cyber attackers.
Scenario-2
This was the case with Boston Children’s Hospital in 2014. After the hospital recommended that one of its patients, a 14-year-old girl, be admitted as a ward of the state and that custody be given to her parents, Anonymous (a well-known hacktivist organization) launched a DDoS assault on the facility.
The doctors thought the youngster’s sickness was really a mental illness, with her parents pushing for expensive therapies for something she didn’t have.
The custody dispute thrust Boston Children’s Hospital into the middle of this contentious matter, and certain people, including members of Anonymous, saw it as a violation of the girl’s rights.
After Harvard University’s power was restored, Anonymous took action by launching distributed denial-of-service attacks against the institution’s network, disrupting Internet access for others on the network, including Harvard University and all of its hospitals.
According to the Boston Globe, many people’s medical records were unavailable for more than a week because of technical problems.
Some medical patients and healthcare staff could not access their online accounts to check appointments, test results, and other case information.
According to the arrest affidavit of the attacker, because of this incident, the institution spent more than $300,500 addressing and mitigating the consequences.
Understanding the many ways that DDoS assaults are conducted can help you detect and defend against them. There are several types of DDoS attacks, each with its own set of risks and challenges for defenders.
In the MS-ISAC Guide to DDoS Attacks, you’ll find an explanation of the many types of assaults (including several forms of basic and reflection DDoS assaults), as well as unique advice for each sort.
Maintaining an effective collaboration with your upstream network service provider, as well as partnerships with firms that provide DDoS mitigation services, are two suggested methods for defending against DDoS assaults.
Healthcare Sector Data Breaches
Every day it seems that another hospital is in the news as a result of a data breach.
The procedure is depressingly familiar: individuals receive notification of the breach by email and are informed that they will be covered by two years of free credit and identity monitoring. (One might wonder – Is there anybody left who isn’t being watched?)
The health sector has more data breaches than any other industry, according to the Ponemon Institute and Verizon Data Breach Investigations Report.
There may be some bias in this assertion, however: HIPAA’s well-defined, legally required reporting criteria make it more probable that healthcare security incidents will be disclosed than incidents in other sectors.
Healthcare Sector Breach Causes
Breaches in the healthcare sector are common. These can be caused by a variety of events, including credential-stealing malware, an insider who unintentionally or deliberately leaks patient data, or misplaced laptops or other devices.
On the black market, protected health information (PHI) is more valuable than credit card credentials or normal Personally Identifiable Information (PII).
As a result, cybercriminals have a stronger motivation to target medical databases. They may sell the PHI and/or use it for their own benefit.
According to the health and human services breach report, over 15 million health records have been stolen as a result of data breaches.
Scenario-3
The average cost of a data breach per stolen record for a non-healthcare organization is $157. Healthcare organizations pay an average of $357 per record.
Credit card information and personally identifiable information (PII) sell for between $1.5 and $2 on the black market, whereas PHI may be worth as much as $367, according to the Infosec Institute.
This is due to the fact that one’s personal health history, which includes diseases, illnesses, operations, etc., can’t be altered, unlike credit card information or Social Security Numbers.
PHI can be dangerous since it allows criminals to target their victims based on disabilities or compensation.
It may also be used to create fraudulent insurance claims, allowing for the purchase and resale of medical equipment. Criminals have used PHI illegally to obtain drugs for personal use or sale.
A more pessimistic view: Despite a number of prior reports stressing the notion that personal information is more lucrative, a study released in May by McAfee Labs claims that credit card data is actually more valuable.
The document still acknowledges a significant demand for personal information.
Application security and network security are critical for preventing a breach from taking place in the first place. Encryption is the greatest method to keep patient data out of reach after an intruder has gained access to healthcare systems.
It’s critical that encryption is used both at rest and in transit, as well as that third parties and vendors with access to healthcare networks or databases are properly handling patient data.
To avoid data breaches caused by employee error, such as a lost device or unintentional disclosure, employees should be trained on proper usage and protection of PHI.
Network Security in Healthcare
In today’s digital world, it’s critical for businesses to have cybersecurity in place so that healthcare can function.
Healthcare organizations employ a variety of specialized hospital information systems, including EHR systems, e-prescribing systems, practice management support systems, clinical decision support solutions, radiology information systems, and computerized physician order entry applications.
Many more things must be secured in the Internet of Things. The smart home is as much about providing as it is about technology.
From voice assistants to video doorbells and everything in-between, these systems include smart elevators, smart heating, ventilation, and air conditioning (HVAC) systems, infusion pumps, remote patient monitoring gadgets, and others.
These are some examples of common hospital assets, in addition to the ones mentioned below.
Within healthcare, email is a vital channel of communication. Email systems are used for all sorts of data transmittal, creation, reception, sending, and archiving.
Individuals save everything from intellectual property to money records to patient information in their email boxes. As a result, email security is an essential component of cybersecurity in healthcare.
Phishing
Phishing is one of the most serious threats. The majority of major security incidents are caused by phishing scams. Users may inadvertently click on a harmful link or open an infected attachment in a phishing email and infect their computers with malware.
That malware, in some cases, may propagate via the network to other machines. The phishing email could also elicit sensitive or proprietary data from the recipient.
Phishing emails are quite successful since they typically fool recipients into taking a specific action such as giving sensitive or proprietary information, clicking on a harmful link, or opening an unknown attachment.
As a result, effective security awareness training is critical to resisting phishing assaults.
Physical Security
Hacking may be utilized to gain unauthorized access to a computer or device, allowing for its compromise.
Physical methods, for example, are used to hack a gadget. Physical penetration of a device might overcome technological defenses that are otherwise in place.
Legacy Systems
The term “legacy system” refers to obsolete systems that are no longer maintained by the manufacturer. Legacy systems might include programs, operating systems, and other technologies.
Many healthcare organizations have a large legacy system footprint, which poses a problem for cybersecurity.
The disadvantage of legacy systems is that they are frequently not maintained anymore by the manufacturer, resulting in a lack of security updates and fixes.
Because transitioning to new systems is difficult or impossible, legacy systems may remain in place.
Because operating system providers retire software, medical organizations may not have enough money to update systems to the most recent versions. Medical devices are generally equipped with legacy operating systems.
Legacy computer programs for which there is no replacement might require legacy operating systems as a backup.
Healthcare Information Security
The kind of security measures you should employ is determined by the data storage strategies employed, the kinds of data you gather, how long you keep the information, and so on.
In general, you should use security solutions that include patient, employee, contractor, vendor, supplier, and other forms of data protection.
Access to patient information must be limited on a need-to-know basis. Not everyone needs access to this data, for example, insurance information and billing records.
Rather than giving access to all employees who might process insurance claims or bill patients for outstanding balances, you should restrict it to only those individuals responsible for these operations.
The same is true with patient records that contain information on their diagnoses, treatment plans, drugs, and so on. Only attending physicians and nurses working for them have access to this data.
Other healthcare professionals may require access as well; however, it should be controlled on a case-by-case basis and restricted to only the specific data they need.
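One way to enforce the need-to-know rule described above, including case-by-case access limited to specific data, shown as an added example that is not part of the original article. The role names, field groups, care-team check and audit list are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed field groups for a patient record (names are illustrative).
CLINICAL = frozenset({"diagnoses", "treatment_plan", "medications"})
FINANCIAL = frozenset({"insurance", "billing"})

# Standing access per role. A role that is not listed gets nothing by default.
ROLE_FIELDS = {
    "attending_physician": CLINICAL,
    "nurse": CLINICAL,
    "billing_clerk": FINANCIAL,
}
# Clinical roles additionally need a care relationship with the patient.
NEEDS_CARE_TEAM = {"attending_physician", "nurse"}


@dataclass
class User:
    name: str
    role: str
    care_team_of: set = field(default_factory=set)  # patient ids this user treats


@dataclass(frozen=True)
class Grant:
    """Case-by-case exception: one user, one patient, named fields, an expiry."""
    user: str
    patient_id: str
    fields: frozenset
    expires: datetime


class AccessPolicy:
    def __init__(self):
        self.grants = []
        self.audit = []  # every decision is recorded, allowed or denied

    def grant(self, user, patient_id, fields, hours, now):
        expires = now + timedelta(hours=hours)
        self.grants.append(Grant(user.name, patient_id, frozenset(fields), expires))

    def allowed_fields(self, user, patient_id, now):
        allowed = set()
        if user.role not in NEEDS_CARE_TEAM or patient_id in user.care_team_of:
            allowed |= ROLE_FIELDS.get(user.role, frozenset())
        for g in self.grants:
            if g.user == user.name and g.patient_id == patient_id and now < g.expires:
                allowed |= g.fields
        return allowed

    def read(self, user, record, requested, now):
        requested = set(requested)
        denied = requested - self.allowed_fields(user, record["patient_id"], now)
        self.audit.append({"time": now.isoformat(), "user": user.name,
                           "patient": record["patient_id"],
                           "fields": sorted(requested), "allowed": not denied})
        if denied:
            # Refuse the whole request rather than silently returning a subset.
            raise PermissionError(f"{user.name} may not read {sorted(denied)}")
        return {f: record[f] for f in requested}


if __name__ == "__main__":
    # Constructed sample record and users, for demonstration only.
    record = {"patient_id": "P-001", "diagnoses": "asthma", "treatment_plan": "inhaler",
              "medications": "salbutamol", "insurance": "plan-A", "billing": "0.00"}
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    policy = AccessPolicy()
    radiologist = User("rad_kim", "radiologist")
    policy.grant(radiologist, "P-001", {"diagnoses"}, hours=8, now=now)
    print(policy.read(radiologist, record, ["diagnoses"], now))
    print(policy.audit)
```

The audit list doubles as the input for the access monitoring that a security team would review for unusual reads.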
Here are some of the most frequent and reliable healthcare information and data security solutions:
Automated Data Backup and Recovery – You want to make sure your data are backed up on a regular basis to secure servers like a portable NAS server.
Portable servers are convenient if you need to backup data at many sites or ensure that your backup is saved offsite in a secure location.
Employing Data Encryption – When data is moved from workstations to servers, the internet, or cloud-based systems, it must be encrypted. Encryption is the most secure level currently available and it should be used without exception.
Anti-Virus/Malware/Spyware Applications – You should use these applications to keep your systems safe from viruses, malware, spyware, and other malicious software. You should pick a suitable app that best suits your needs and keep it up to date at all times.
Monitoring Tools for Organizations – There are several kinds of apps available that may track a wide range of activities, processes, and procedures.
You may use an app to keep track of who is accessing, updating, creating, moving, and deleting files. Another app can spot potential data breaches.
Apps are also available to assist you in detecting illicit access, modifications to user accounts, and other issues.
Multi-Factor Authentication – Another approach to safeguard your data is to enable multi-factor authentication methods, which require users to provide their username and password and then verify one or more additional things, such as entering a one-time use passcode sent to their email account or mobile phone.
Ransomware Protection – You’ll want to look for ransomware protection in your antivirus software. Ransomware locks you out of your own systems and holds them hostage until you pay a ransom to the hacker.
Even if you pay the ransom, there is no assurance that they will permanently restore access to your data.
Cyber Attacks on Hospitals
Healthcare has always been a prime target of cybercriminals. Healthcare providers and their patients store and process extremely sensitive data such as medical records, payment data and personally identifiable information (PII).
While the healthcare industry is well aware of the risks at hand, it is a frequent victim of cyberattacks. It is no wonder that the cases of ePHI (electronic protected health information) theft doubled from 2013 to 2014.
The healthcare industry is certainly not blind to such dangers and invests billions into IT security every year. Data breaches involving patient records affect more than half a million people (on average), at a cost of around $380 per record.
In 2015, we saw how ransomware, which encrypts infected computers and demands a ransom to unlock them, devastated the computer networks of hospitals.
The attack on Hollywood Presbyterian Medical Center was particularly damaging because it temporarily stopped patient care.
It seems that 2022 will be another year that cybercriminals will focus their resources on hospitals. Here’s a recent example that confirms this trend:
The Allscripts attack
On January 11, 2018, the IT network of electronic healthcare records (EHR) vendor Allscripts went down after a ransomware attack.
The company is considered one of the biggest healthcare providers in the US and its more than 14,000 customers include 600 hospitals and nearly 18,200 practices.
The service disruption comes at a crucial time for the company because competition is tough and its third-quarter financial results were below analysts’ expectations.
Allscripts has stated that patient data was never compromised during the outage, but without EHRs, hospitals could not access important information such as patient records and medical histories.
The lapse caused delays to surgeries and diagnostic imaging procedures, while postponed appointments had to be rescheduled.
In a press release, Allscripts stated that it notified the Federal Bureau of Investigation (FBI) and is working closely with security experts to investigate the root cause of the attack.
Wrap up
Healthcare is vulnerable to cyber attacks in a variety of ways, from the confidentiality of sensitive health information to insurance premiums to patient care.
Increasingly, healthcare leaders are calling for more government regulation to guarantee patients’ rights are protected while others advocate for tighter controls to protect them from hackers and data breaches.
However, many healthcare executives recognize that the only way to avoid additional onerous regulation is through complete voluntary compliance with the most stringent standards.
The scariest of all cyber dangers may still be ahead, despite the fact that today’s acknowledged healthcare cybersecurity risks are frightening. Last year, researchers in Israel unveiled a computer virus that might insert tumors into CT and MRI scans.
This malware could fool doctors into misdiagnosing patients in the wild, according to Kim Zetter’s story in The Washington Post.
Healthcare has unique cybersecurity problems that must be addressed.
When human lives, not just money, are on the line, the world’s brightest and best computer scientists, medical researchers, and business executives must collaborate to discover creative solutions to cyber security threats bearing down on traditional healthcare.