The healthcare and public health industries have been one of the prime targets for cybercrime over the last two years. Unfortunately, this trend is expected to accelerate, rather than abate. The combination of valuable data that can be sold, diverse technologies that are remote or network accessible, and inadequate cybersecurity make healthcare entities an ideal target for cyber criminals.
Healthcare entities share many similarities, in both technology and cybersecurity, with other industries. However, the healthcare sector and public health organizations also face cybersecurity and technology challenges, requirements, and constraints that are unique. In this blog, we explore six critical cybersecurity challenges unique to healthcare.
In the healthcare industry, cyberattacks put lives at stake. Unlike other industry verticals, the physical and mental well-being of patients is of primary importance, and this human element requires cybersecurity to be a top focus. The death of a patient in Germany as the result of a ransomware cyberattack in 2020 underlines this fundamental point. Cybersecurity planning and preparation become all the more critical.
2020 saw an explosion of healthcare industry-related data breaches, with data breaches up over 55% from the previous year. No doubt, the global pandemic was a major contributing factor in cyberattacks, but even in 2019, healthcare was one of the top three industry sectors attacked. As of August 2021, the number of breaches had dropped, but the number of healthcare records breached was well above the 12-month average.
Patient privacy is another area where the healthcare industry faces unique challenges when security fails. Breaches of healthcare information expose people's most sensitive information. An example of this came in 2020, when hackers tried to gain access to the health records of famous patients. This practice increased during the Covid-19 pandemic.
Prior to 2020, hospital cybersecurity budgets were on the lower end of the scale for security resources, as compared to other industry sectors, such as banking and finance. Even when positions were allocated to technology and cybersecurity teams, many healthcare organizations froze new hiring and left them unfilled.
As the pandemic took hold in 2020, many hospitals lost money, and even laid off staff, because of a halt in more lucrative elective surgeries and non-life-threatening health services. As budgets were slashed, resources for cybersecurity teams were also cut, at precisely the same time that cyberattacks were exploding and ransomware attacks against hospitals were becoming commonplace.
Not only have these troubling resource trends weakened the morale and effectiveness of cybersecurity teams in the healthcare industry, but the data, and ultimately the customers of healthcare facilities, have faced additional risk because those teams were unable to stop cyberattacks and fully fulfill their cyber defense responsibilities.
In addition, as new systems and technological capabilities, such as more telehealth and telemedicine systems, came online to assist people who did not want to (or could not) leave their homes during the pandemic, cyberthreats increased with the increased use of the Internet to deliver services. The use of home computer equipment, virtual private networks, new office systems, and new portals and video equipment opened up new opportunities and posed new cybersecurity challenges at the same time.
Security Officers should serve as trusted advisors to hospital administrators and boards, making them aware of the cybersecurity risks and repercussions of data breaches, ransomware attacks, and infrastructure failures.
Healthcare industry jobs range from doctors and nurses to scientific researchers, lab workers, receptionists and traditional office workers. This diverse workforce presents challenges to offering meaningful, effective security awareness training. Employees come from all education and skill levels, ages and backgrounds, requiring training designed to appeal to a wide audience, while still being effective for each individual.
Another challenge for the healthcare sector is that, with many other important priorities on their agenda, both administrators and staff can take a "check the box" mentality regarding security awareness training – just complete training as quickly as possible. This attitude leaves organizations and their staff vulnerable to security incidents, like PHI data breaches. That is why both general security awareness training and HIPAA training are mandated by compliance regulations for healthcare and public health entities.
Yet another challenge is the large quantity of training required of healthcare staff, much of it dealing with critical health-related topics. In this light, staff can misunderstand cybersecurity training as non-essential. However, as discussed elsewhere in this blog, cybersecurity is critical, with cyberattacks having potential life-and-death consequences, and PHI data breaches causing significant impacts to the personal and financial wellbeing of healthcare recipients. Top management needs to not only convey the importance of security awareness training for their staff, but incorporate it into their own behaviors. Furthermore, security awareness training itself must fit the busy schedules of healthcare workers, and convey critical information in an effective, impactful way.
Finally, budgets for security awareness training are often limited, sometimes resulting in healthcare sector organizations selecting the least expensive alternative. Often overlooked is the reality that the most expensive part of training is the staff's time, far exceeding the actual cost of the training purchase. Furthermore, low-cost trainings are usually of lower quality, leaving employees poorly prepared to face the onslaught of cybersecurity threats.
With the Covid-19 pandemic grabbing global headlines in 2020 and 2021, the rise in ransomware against healthcare sector organizations has accelerated to new heights. Indeed, the health sector was named as one of the top four most targeted sectors in 2020, and the healthcare impacts have been enormous – even forcing the closure of hospitals.
A Privacy Affairs study found healthcare data breaches increased by 2,733% between 2009 and 2019 in the U.S. This is a trend that is not subsiding. From January 1 - May 31, 2021, there were 250 data breaches resulting in the exposure of 17,2626,107 records of unsecured health information (DHS Breach Portal).
It is no wonder that data breaches are so high with cybercriminals targeting healthcare. A recent survey found that 57% of respondents had experienced phishing attacks and 20% ransomware or other malware (2020 HIMSS Cybersecurity Survey, HIMSS). Clearly, security awareness training and phishing training are essential in healthcare.
A joint cybersecurity advisory on ransomware announced that CISA, FBI, and HHS have credible information of "increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." The advisory goes on to offer remediation steps for healthcare organizations who find indicators of compromise on their networks.
The joint advisory alert, as well as the Ransomware Task Force report, offer recommendations for addressing ransomware attacks on the healthcare sector.
The Internet of Things (IoT) has brought non-traditional computer equipment connected to the Internet within the reach of bad actors who seek to do harm. While baby monitors or other smart home devices are certainly vulnerable, so are the numerous pieces of equipment that are commonly used in doctors' offices and hospitals all over the world.
Scientific studies have shown that cybersecurity vulnerabilities can pose serious risks to patient health, and the supply chain must be monitored to ensure that patches are kept up to date and the latest software and firmware is maintained for the years that these devices remain in use.
One example of this cybersecurity challenge came last year when millions of medical devices were impacted by Ripple20 vulnerabilities. These high-risk vulnerabilities could allow an attacker to perform a host of malicious activities, such as stealing data, affecting the functionality of an infusion pump, or causing a device to malfunction.
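The patch-monitoring point above is easier to act on with an inventory-driven check: for every networked medical device, compare the firmware it reports against the vendor's first fixed version and flag what needs patching, what is vulnerable with no fix available (past end of support, so it needs isolation or other compensating controls), and what cannot be assessed at all. The following is an added example written for this post, not code from the original article or from any device vendor; every device record, model name, advisory entry and version number in it is constructed for illustration and describes no real product or advisory. It also handles two edge cases that bite real inventories: version strings that must be compared numerically rather than as text (4.10.0 is newer than 4.2.1), and devices that report an unparseable version.

```python
"""Firmware-currency check over a medical-device inventory.

Added example, not part of the original post. All models, versions,
advisory data and asset ids below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re


@dataclass
class Device:
    asset_id: str
    model: str
    firmware: str            # version string as reported by the device
    network_reachable: bool  # True if the device sits on a routable network


@dataclass
class Advisory:
    model: str
    fixed_in: Optional[str]         # first patched firmware; None = no fix exists
    end_of_support: Optional[date]  # vendor end-of-support date, if known


def parse_version(text):
    """Turn '4.2.1', 'v4.1.9' or '4.2.1-rc1' into a tuple of ints.

    A leading 'v' and any '-suffix' are dropped; parsing stops at the first
    non-numeric component, so garbage such as 'unknown' becomes ().
    Tuples compare numerically, so (4, 10, 0) > (4, 2, 1), which a plain
    string comparison would get wrong.
    """
    core = re.sub(r"^[vV]", "", text.strip()).split("-")[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def assess(device, advisories, today):
    """Classify one device against the advisory table.

    Returns one of:
      'ok'       running a fixed firmware version
      'patch'    a fix exists and the device is below it
      'mitigate' vulnerable, vendor still supports the model but has no fix yet
      'isolate'  vulnerable, model is past end of support and no fix will come
      'unknown'  no advisory for the model, or the version cannot be parsed
    """
    adv = advisories.get(device.model)
    if adv is None:
        return "unknown"
    current = parse_version(device.firmware)
    if not current:
        return "unknown"
    if adv.fixed_in is None:
        if adv.end_of_support is not None and adv.end_of_support < today:
            return "isolate"
        return "mitigate"
    return "ok" if current >= parse_version(adv.fixed_in) else "patch"


def report(devices, advisories, today):
    """Classify every device and order the actionable ones: network-reachable
    devices first (largest exposure), then by asset id for stable output."""
    results = {d.asset_id: assess(d, advisories, today) for d in devices}
    actionable = [d for d in devices
                  if results[d.asset_id] in ("patch", "mitigate", "isolate")]
    actionable.sort(key=lambda d: (not d.network_reachable, d.asset_id))
    return results, [d.asset_id for d in actionable]


# Constructed advisory table keyed by model (hypothetical models and dates).
ADVISORIES = {a.model: a for a in [
    Advisory("PumpX-200", fixed_in="4.2.1", end_of_support=date(2026, 12, 31)),
    Advisory("MonitorY-7", fixed_in=None, end_of_support=date(2019, 6, 30)),
    Advisory("ImagerZ-1", fixed_in=None, end_of_support=date(2027, 1, 1)),
]}

# Constructed inventory export (hypothetical assets).
DEVICES = [
    Device("INV-0001", "PumpX-200", "4.2.1", True),
    Device("INV-0002", "PumpX-200", "v4.1.9", True),
    Device("INV-0003", "PumpX-200", "4.10.0", False),   # newer than 4.2.1
    Device("INV-0004", "MonitorY-7", "2.0.3", True),    # past end of support
    Device("INV-0005", "ImagerZ-1", "1.4", True),       # no fix yet
    Device("INV-0006", "ScaleQ", "1.0", False),         # no advisory on file
    Device("INV-0007", "PumpX-200", "unknown", True),   # unparseable version
    Device("INV-0008", "PumpX-200", "3.9.9", False),
]

TODAY = date(2021, 9, 1)  # constructed assessment date

if __name__ == "__main__":
    results, priority = report(DEVICES, ADVISORIES, TODAY)
    for asset_id, status in results.items():
        print(f"{asset_id}: {status}")
    print("work queue:", priority)
```

The 'unknown' outcomes deserve as much attention as the 'patch' ones: a device whose model has no advisory on file, or that reports a version the check cannot read, is exactly the kind of asset that quietly ages out of the patch process over the years it stays in service.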
Perhaps the most unique aspect of protecting healthcare facilities is the 24/7/365 nature of medical operations, many of which are for critical care. Indeed, hospital emergency rooms are critical resources for personal health crises, as well as for the wider population during natural disasters, from fires to floods to hurricanes and tornadoes, and during man-made disasters.
This unique role means that power, water and other utilities must be available, even when primary sources go offline. Backup systems and life-sustaining equipment need to be tested under various conditions.
Cyberattacks that impact critical services, when combined with man-made or natural disasters, will have even more devastating impacts, costing lives and bringing even more suffering during the most difficult circumstances.
Planning and preparedness for the healthcare sector is essential, as is the budget necessary for critical cybersecurity functions. However, planning and budgets have often focused on infrastructure, devices, and technology, and not on cybersecurity. It is imperative that this changes. Healthcare planning must include steps that ensure cybersecurity training plays a vital role in ensuring patient health. The resiliency of the healthcare sector is vital to societal security and well-being, as seen during the Covid-19 pandemic.