The healthcare industry is one where the mission is very straightforward – empower people to live with the highest quality of life possible for them. This means keeping lives safe and secure, all while armies of cybercriminals are working diligently to do the opposite. A significant portion of the breaches reported in the last year impacted the healthcare industry, and they were costly. For example, it’s been reported that data breaches in this space cost an average of $400 per patient, making them an expensive threat to institutions that may be managing thousands, and sometimes millions, of patients. However, only 33 percent of industry organizations claim to have enforced preventative measures to protect their organizations and patients from cyber threats. Here are a few trends to note this year when it comes to cyber security in healthcare, and a high-level plan of action to address them.
The breaches keep coming, especially in healthcare.
It’s safe to say that most industries experienced increases in breaches over the last decade, and healthcare was no exception. The sector saw some of the most catastrophic breaches of the year, and several of them shed light on a few recurring themes:
- Third parties matter now more than ever. One of the worst healthcare breaches within the last year stemmed from a third-party risk. Atrium Health learned that 2.65 million patients’ data and personal records were exposed after the vendor who managed its patient billing was breached. Nevertheless, that vendor, AccuDoc Solutions, wasn’t the main headline of this breach. Atrium Health took the brand hit and ended up in the headlines over the catastrophic incident.
- Repeat attacks should be expected. Once a company has survived its first breach, it can clean up the mess and relax a little, right? Unfortunately, the answer is no – not at all. It’s the time to be on even higher alert. In a few instances, such as UnityPoint Health, surviving one successful breach turned the organization into a honeypot that attracted other attackers to swarm in and take what they could as well. The first time around, a successful email phishing attack resulted in the loss of 16,000 patient records at a single campus within the health system. While significant, the hospital was well on its way to recovery when it was hit again. In its second breach within one year, the company was hit with more highly targeted phishing emails that led to the loss of 1.4 million patient records.
- Detection times still need work. Almost half a million patients learned that their data was exposed for nearly a full year after a successful malware attack against LifeBridge Health. This served as a stark reminder, not only of the importance of preventative technology but also the importance of timely detection and response to cyber threats.
Attackers in healthcare don’t just care about data.
When most people hear about mega breaches in the news, similar to the examples above, the stories usually pertain to lost patient or employee data. When large volumes of this data get lost, it can cost companies millions in investigative costs, damage control, and response to attacks. A unique trait of healthcare and industries like it, however, is that data is not the most critical asset. The operations that support the preservation of human life are the most vital functions to protect. This can also breed different kinds of threat actors. There will always be the standard cybercriminals who are looking for sensitive information that can be sold in dark markets and through other means for financial gain. However, as we’ve seen through recent events such as ransomware attacks against hospitals, attacking healthcare infrastructure can be just as, if not more, lucrative due to the level of impact. As technology advances, the crossover between cybersecurity and safety in healthcare inherently increases the potential impact of cyber-attacks on the well-being of human beings.
IoT is complicating things.
As if that isn’t enough to warrant action in the industry, researchers have been able to prove that small connected medical devices such as insulin pumps and pacemakers can be hacked. Adding connectivity to these devices has led to revolutions in medical science and has changed the way institutions are able to care for patients, but not without added risks. When using a pacemaker, for example, it’s convenient to be able to manage the device remotely. After all, it’s like a mini computer that may need updates and changes to keep working correctly. These devices are usually surgically embedded within patients. If the device needs critical changes, without connectivity, doctors might need to conduct surgery again to take the device out, update it, and then put it back. With connectivity, maintenance and communication with the device can be done remotely. But that same convenience means someone malicious can use the same channel to interfere with the device’s intended operation and cause harm.
We are not doomed; there are ways that healthcare companies can protect themselves.
The first step is to know your assets and know your enemies. Healthcare companies tend to have complex device environments, including many IoT devices, that may also be heavily regulated. It’s important to know what you have and work to anticipate what attackers may be after. Also, don’t think you are exempt from being targeted if you are a small or midsized establishment. Attackers sometimes target those very institutions because they may not have as much to invest in cyber security protection measures and are easier wins. Create a strategy based on robust and layered security technology and processes, such as ransomware protection solutions, incident detection and response, and more. Lastly, make sure you have the right resources to deliver on the strategy, and also work to educate your employees and customers on cyber security best practices.
Remember that compliance doesn’t mean secure. Healthcare is a heavily regulated industry, and many companies simply strive to meet the compliance mark for HIPAA, GDPR, and others. While this is important to secure data and avoid fines, remember that compliance doesn’t mean total security. These regulations focus on data, and as previously mentioned, the more valuable assets in healthcare are those that support the preservation of life. Doing the bare minimum for compliance doesn’t exempt you from being targeted or breached. Go above and beyond to secure your organization.