Treating patients is not the only thing that hospitals and other healthcare providers need to worry about.
This year, we’ve read in the news about a wide variety of dangerous cyber security incidents that impacted the healthcare sector. In the fall, a number of hospitals in Australia were hit with ransomware. In another incident, we read about six ransomware attacks on U.S. hospitals in a 24-hour period. And more recently, two French hospitals were hit by ransomware attacks in a single week.
As pointed out in a recent report by the CyberPeace Institute, attacks on hospitals – or even on vaccine labs (particularly during the COVID-19 pandemic) – hurt people directly. Both prevention and accountability are crucial. And in this growing environment of cyber threat, what can hospitals and other healthcare providers do to protect their people and organizations? How can they reduce the risk of cyber attacks that are complicating operations, undermining trust, and represent a potential threat to human life?
COVID-19 Increased Cyber Attacks in Healthcare
It’s hard to imagine that anyone would attack a hospital in the middle of a pandemic. But that’s exactly what’s happened.
The onset of COVID-19 increased the number and scope of cyber incidents experienced at healthcare facilities. We saw a spike in ransomware, data breaches, and other kinds of attacks.
Cyber threats continue to increase across the healthcare sector, as threat actors discover that the technologies providing hospitals with data integration and clinical support – and facilitating patient engagement – are frequently particularly vulnerable to attack. These systems give cyber criminals opportunities both to extract personal data and to shut down entire hospitals with ransomware.
The danger to disruption of mission-critical activities is real, and hospitals and healthcare centers must adopt practices that lower risk to avoid the interruption of essential medical activities. As pointed out by SC Media, the consequences of data breaches and network outages may be particularly detrimental this year as organizations struggle in the wake of the pandemic to get back on track operationally and financially.
Healthcare Organizations Spend Less on Security
The amount invested by the healthcare industry in cyber security is less than what other sectors are spending. According to Gartner, only 5 percent of healthcare providers’ IT budgets is spent on security.
According to Cybercrime Magazine, for example, the healthcare industry suffers two or three times the number of cyber attacks suffered by the financial services industry – yet the financial services industry invests much more in cyber security. According to a study by Deloitte and the Financial Services Information Sharing and Analysis Center, the financial services industry spends on average 10 percent of its IT budget on cyber security.
But the cost of ignoring cyber risk is sometimes hard to measure. According to a recent article in the Wall Street Journal, a malware attack at Universal Health Services cost the company $67 million last year. Providing better cyber resilience can save the financial damage as well as other kinds of fallout of a cyber attack, including the potential risk to human life.
Why Healthcare Providers are So Vulnerable
Healthcare facilities host a treasure trove of valuable patient data that can be accessed from numerous vulnerable endpoints. And as the use of connected medical devices has continued to grow and become a normative part of healthcare, data has become increasingly vulnerable.
Moreover, because critical care facilities rely on 24/7 access to medical records in order to provide the right care to their patients, they tend to be more likely than other organizations to pay a ransom immediately. If you’re running a hospital, you are likely to do whatever it takes to avoid a disruption of service to patients. As a result, hospitals and other healthcare providers are prime targets for attack.
Third-Party Vendors
Third-party vendors are yet another security soft-spot that has an impact on the safety of healthcare facilities.
Typically, healthcare providers outsource services such as catering, payroll, and web/app development to third-party vendors, giving these vendors access to sensitive patient data. And because the data is sent outside of the organization, it potentially can be even more vulnerable to data breach.
As pointed out in this recent article on SC Media, the massive SolarWinds attack underscored for healthcare providers the fact that the more partners a facility uses, the greater the risk of a system breach or attack. Hackers are known to exploit known vulnerabilities in third-party vendors’ software. They utilize phishing, spear phishing, and other social engineering tactics to deliver their malicious payloads.
The Insider Threat
Employee behavior is – perhaps surprisingly – one of the primary causes of data breaches at hospitals and healthcare centers. Many hacks are facilitated by employees who, whether intentionally or inadvertently, are directly responsible for the loss or theft of assets, web/application attacks, or privilege misuse.
It is unfortunate but not unusual for employees to accidentally expose sensitive patient data through completely unintentional activities, such as:
- Saving sensitive data on unsecured devices
- Saving sensitive data on devices that get lost
- Accidentally sending health data to the wrong individual
- Publishing private information inappropriately
- Keeping information after leaving a job
Awareness Programs Reduce Cyber Risk
The number of incidents caused by employees by accident can be minimized, simply by providing security awareness training that teaches employees to recognize phishing and link manipulation attempts and to follow standard security procedures.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to have a robust security awareness and training program. There are additional standards that require training, such as the PCI Security Standards Council’s PCI DSS. And each state or country also has its own overlapping set of laws and rules applicable to the industry.
Support from the Top
To effectively run security awareness training in a hospital or healthcare facility, it’s important to get executive buy-in. The top levels of management need to understand how security incidents can impact everything from client care and the organization’s reputation to the financial bottom line.
With the right resources and support from leadership, security awareness training can teach facility staff how to identify, avoid and report attacks before hacks occur, at just a fraction of the cost of a data breach.
When a Breach Happens, Many Healthcare Providers are Unprepared
When a data breach takes place, many healthcare facilities are not prepared to respond quickly and effectively. Working with a Security Services Provider ahead of time and investing in comprehensive planning to reduce the impact of a potential attack is an important means of reducing cyber risk.
An advanced MSSP such as CyberProof can help you develop an in-depth response plan for handling an emergency, while also providing monitoring services – and if a breach does occur, the MSSP can provide immediate assistance to limit potential damage and liability.
Want to learn more about how healthcare organizations can reduce their cyber risk? Contact us today!