As healthcare becomes more digital, its large stores of sensitive personal information and clinical data are increasingly the target of predatory behavior. This article examines why healthcare data is so valuable, the cyber threats that exist today, and what healthcare organizations can do to defend themselves effectively in this high-threat digital environment.

A digital revolution is under way in the healthcare industry. EHRs, web-based medical tools, cloud-based patient management software, and other internet-enabled medical tools have changed medical care. These advancements do not come without a penalty, however: an unintended consequence is an exponentially larger and more lucrative attack surface for cybercriminals. To a hacker, healthcare data is not just stacks of patient charts. It is a gold mine of personally identifiable information, financial documents, insurance details and sensitive medical histories - all in a single location and sometimes inadequately secured.
Unlike credit card information, which can be canceled or changed quickly, healthcare information is more permanent and more detailed, and it retains its value on the dark web over the long term. It has facilitated identity theft, insurance fraud, ransom and blackmail. Given this long-term usefulness and the poor cybersecurity posture of a number of healthcare institutions, it is not difficult to understand why cybercriminals are showing so much interest in the healthcare industry.
Cyberattacks on the healthcare industry are a growing problem, and to understand why, it is essential to realize how highly healthcare data is valued on the black market. On the dark web, a single patient record can sell for as much as hundreds of dollars, whereas a stolen credit card number costs a few dollars. This is because a patient record is useful in many different ways.
Health data includes first name, address, date of birth, Social Security number, insurance details, diagnoses, treatment history, prescriptions, and in most instances also biometric and genetic data.
Such a detailed profile can be used in a variety of frauds - ranging from opening new lines of credit, making false insurance claims and obtaining prescription medication to using people's medical conditions as an extortion tool.
In addition, healthcare records that have been stolen cannot be traced or detected. Victims might not realize that their information has been misused until months or years later, which gives hackers plenty of time to capitalize on it. Compared with other industries, which have more developed fraud detection systems, healthcare is still years behind in combating cybercrime, which makes it a low-stress, high-yield effort for threat actors.
Although the digital growth of healthcare is essential to contemporary care provision, it has also unintentionally multiplied the possible points of entry for attackers. Hospitals, clinics, insurance companies, diagnostic labs and third-party service providers are all digitally connected. Every system, application or device introduces new vulnerabilities.
The rapid adoption of Internet of Medical Things (IoMT) devices, such as infusion pumps, cardiac monitors and wearable health trackers, is widening the battleground further. These devices usually run inferior software, lack good authentication processes and are not patched at all, which makes intrusion easy.
Telemedicine platforms and remote care solutions, which gained momentum during the COVID-19 pandemic, have introduced additional exposure. Most of these solutions were released to market without proper security controls, providing another point of entry to sensitive systems.
Healthcare organizations are also especially susceptible to phishing attacks. Cybercriminals find it easy to exploit human error because of the complicated operating conditions staff face and the reliance on communication between people. The moment a nurse or administrator opens a malicious email, attackers can gain the foothold they need to take control of the whole hospital network.
The healthcare sector faces a vast array of cyber threats, and attacks have become an everyday challenge, ranging from opportunistic attempts to highly sophisticated, targeted campaigns.
Ransomware - This has become the most disruptive of them. Hospitals have had their systems encrypted and have had to shut down important operations, transfer patients, and even go back to keeping patient records on paper. In extreme cases, ransomware attacks have also been associated with delays in patient care and even with fatalities.
Data breaches - These are another major issue. The past few years have seen some of the biggest breaches in the world, exposing millions of records in the healthcare industry. Such breaches usually happen because of ineffective access controls, legacy systems and poor cyber hygiene.
Insider threats - Malicious or accidental insider threats also haunt the industry. Medical staff have privileged access to huge amounts of sensitive data. In most cases, unauthorized access to or misuse of this data results in serious compliance violations and reputational damage.
There is also third-party risk. Many healthcare providers use external vendors for billing, diagnostics, IT services and even data storage. Third parties whose cybersecurity controls are inadequate are weak links in the security chain, and they leave the entire network without effective protection.
In response to these threats, regulators have made sure that healthcare systems implement strict data protection rules. HIPAA in the U.S. imposes administrative, physical and technical safeguards to protect patients' data and privacy. Violations may be subject to heavy fines and legal penalties.
Other regulations are also very strict, including the General Data Protection Regulation (GDPR) in Europe, which sets high standards, in particular for storing personal health data and transferring it across borders. Other countries such as India are also introducing legislation, such as the Digital Personal Data Protection Act, to bring accountability and transparency to the way clients' data is used.
However, despite these frameworks, compliance is not the same thing as cybersecurity. Several organizations treat security as a box to tick rather than a priority in their routine activities. Regulations serve as a minimum requirement; real security comes from establishing a strong and active cybersecurity culture.
The weaknesses in healthcare cybersecurity are illustrated by several highly publicized real-life incidents. In May 2017, the WannaCry ransomware attack disabled the National Health Service (NHS) of the United Kingdom, canceling medical procedures, locking providers out of their accounts and jeopardizing patient safety. The root cause? Poor network segmentation and legacy systems that had not been patched.
In the U.S., Anthem Inc., one of the largest health insurers, experienced a breach in 2015 that involved nearly 80 million records. The adversaries used a phishing campaign to get inside and went undetected for several months. The financial and reputational damage was enormous, and the company had to pay millions of dollars in fines and settlements.
More recently, smaller hospitals and even privately operated clinics have come under siege from ransomware gangs that target their small security budgets and strained IT departments. In many of these cases the ransom is quietly paid simply to resume operations, which sets a very dangerous precedent by creating an incentive for such attacks.
The indirect costs of cyberattacks in healthcare are immense as well. Operational disruptions can put lives at risk. When patients' privacy is violated, they lose trust. Criminal responsibility, political liability and brand damage may loom over an organization long after an event.
Data integrity is a concern as well. When attackers control or tamper with clinical data - laboratory test results, medication records or diagnostic images - the effects can be disastrous. Such tampering may cause medication errors, leading to wrong diagnoses, wrong treatment and deaths.
Cybercrime also drains healthcare resources. Time, money and staff effort that would otherwise go into patient care are spent on recovery, litigation and infrastructure redesign.
Healthcare organizations need to counter this growing threat by abandoning reactive security. Cyber resilience is the crucial capability that prepares a healthcare organization to mitigate a cyberattack, keep working during it, and recover afterwards. It should be built into the very fabric of healthcare work.
This calls for a multilayered approach to security. Vital elements include strong authentication, encryption of data in transit and at rest, regular security audits, user training and effective incident response processes. It also means investing in real-time threat intelligence, anomaly detection and endpoint protection.
The organization must treat cybersecurity as a strategic matter rather than merely an IT one. The boardroom has to take digital risk as seriously as financial risk. Recruiting competent cybersecurity experts, allocating adequate budgets and assigning responsibility at the highest level of the organization are among the matters to address.
Cooperation also plays a role. Healthcare institutions, government agencies, technology providers and cybersecurity companies should come together to share threat intelligence, set industry guidelines and build an integrated defense.
The health sector is at a critical point as cyber risk grows in both complexity and scale. Digitization of patient care is not a choice but an inevitability. The same could be said of the risks. But this is also an opportunity: a turning point at which the industry can decide to change its approach to digital security.
Cybercriminals have already proclaimed healthcare information the new gold mine. The stakeholders - healthcare providers, policymakers, IT leaders and security professionals - have the responsibility of making sure that this gold mine is not left unprotected.
It is no longer acceptable to lose data to bad actors at a time when data can save lives. Now is the time to invest in good cybersecurity. Doing so to save money or because laws and regulations require it is no longer enough; it is about maintaining the trust on which the healthcare system can and should be built.