Are there Holes in Healthcare Cybersecurity?
October is Cybersecurity Awareness Month
What draws ten times more money on the black market than personal information stolen from credit cards? Healthcare records. It’s no surprise then that 41% of cybersecurity breaches were targeted towards the healthcare industry last year. Broken down, the data shows that healthcare organizations suffered a disproportionate 32,000 attacks per day per organization. This is compared to 14,300 per day per organization sustained by other industries, and makes healthcare the most vulnerable industry, with five times more total breaches than other industries.
The healthcare industry is the second biggest industry in the U.S., and as its professionals try to enhance patient care and navigate changing regulatory landscapes, healthcare cybersecurity is often relegated to the back burner. What makes this situation particularly disturbing is that the healthcare industry has the most to lose from these types of attacks; in addition to the monetary losses, cyber attacks targeting medical devices can become a real matter of life and death.
This issue is further compounded by the fact that the average healthcare cybersecurity budget is only about half that of other industries, and employees may be motivated by money to share sensitive information. A recent Accenture study revealed that “18% of healthcare employees are willing to sell confidential data to unauthorized parties for as little as $500 to $1,000.”
What’s at Risk?
These attacks threaten patients’ identities and financial well-being – and they can also affect their health. In 2016, hackers targeted the large Maryland-based healthcare system, MedStar Health, with ransomware. MedStar had to shut off its email and patient record database. Even more ominous, it couldn’t provide radiation treatments to patients for several days, a potentially life-threatening situation.
Criminals can access other IoMT (Internet of Medical Things) devices connected to a network, including medical lasers, X-ray and MRI machines, ventilators, pacemakers, electric wheelchairs and other critical equipment. Since these devices are composed of various parts and software from a number of different companies that may not focus on security, they are especially at risk. Hackers can even target specific individuals, as in the case of former U.S. VP Dick Cheney, who received threats warning of an attack on his pacemaker. His doctors had to disable the device.
How Are Criminals Breaching the Networks?
Many hackers use emails to access healthcare networks:
- Ransomware is delivered through emails, accesses other computers through the network and blocks access to data until the ransom is paid.
- Malicious URLs also arrive through email and look as if they were sent by reputable companies. They either download malware or gather sensitive information when selected.
- Malicious attachments can also come through email and look convincing. They can carry malware or macros that install viruses, record keystrokes or even provide remote access to computers and networks.
- Business email can be used for a type of targeted “spear-phishing” known as “whaling,” in which attackers craft emails that appear to have come from within the organization or from another trusted sender. Hackers will send an email to someone with access to money or sensitive information while posing as their boss or a higher-level colleague. They’ll prep with a personal email first (using information gleaned online) and then request an action with a sense of immediacy.
- An internal threat can be intentionally malicious or just imprudent. An employee bent on doing wrong can wreak havoc by hacking into the network. Or, an innocent insider may mistakenly send sensitive information to the wrong person, fail to encrypt it, neglect to properly log out of an accessible computer or even browse an unprotected website.
- According to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by the Ponemon Institute in May 2016, 90% of healthcare organizations weathered a data breach in 2016 and only 50% were from a coordinated attack, so it can be safely surmised that many came from careless mistakes.
Smart Healthcare Cybersecurity Solutions
To counteract these threats, those in the healthcare industry can take several steps. By viewing every identity as they would a physical security perimeter, they can focus on validating every access request on every device, verifying the identity of every user and limiting access and privilege. On the network front, healthcare organizations must secure their networks and extend this to the cloud. Any sensitive information that is sent must also be encrypted. Additionally, organizations can implement machine learning to monitor user behavior patterns and spot anomalies that reveal hacker behavior.
Healthcare organizations must also move faster and provide more thorough software patches and updates. They can deploy threat intelligence and automation as well as offer critical cyber-awareness training to employees to help them manage email, social media and other entry points.
If you’re a healthcare professional and would like to learn about how to better secure your data, you can read more here.