Healthcare organizations such as hospitals and clinics are vulnerable to all manner of cyberattacks, particularly phishing and business email compromise (BEC) scams, man-in-the-middle (MitM) attacks, and data breaches. Third-party risks and ransomware risks are also serious security problems in healthcare, especially in the post-COVID era.
The medical world had already noted such cyberattacks years ago. The COVID-19 pandemic only underlined those worries about cyber attacks. It has also forced organizations to consider how they can strengthen their cybersecurity controls.
Cyberattacks and breaches first surged in 2020. Then they hit an all-time high in 2021, when breaches exposed the protected health information (PHI) of 45 million people – a 32 percent jump from 2020. The average cost of such data breaches also rose to a record high of $9.4 million last year.
How can healthcare organizations respond to this difficult cybersecurity climate? This article will consider that question.
What Kind of Cyber Attacks Affect Healthcare Organizations?
In late 2020, the FBI, the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity update to healthcare providers. The update called the cybersecurity threat to healthcare “credible, ongoing, and persistent.”
Here are five of the most pressing cyber threats targeting healthcare organizations:
Roughly one-third of healthcare organizations were hit by ransomware in 2020. These attacks resulted in a slew of problems for hospitals all over the United States:
- IT outages that lasted for several days
- Exposure of patient information to hackers
- Forced replacements of computing systems
- Difficulties accessing information about appointments and surgeries
- Forced, pre-emptive email shutdowns
Ransomware attacks have hit hundreds of hospitals in recent years. A threat actor deploys ransomware on one or more healthcare computer systems; once the attacker gains entry to the system, the ransomware allows him or her to encrypt the target’s files and data. The attacker then demands payment from the organization in return for unlocking access to the encrypted data.
Ransomware attacks can prevent doctors and nurses from accessing patient electronic health records (EHRs). Medical devices such as monitors could stop working, so the staff won’t get the information and alerts that are essential for patient safety and care.
Phishing and Business Email Compromise
According to the HIPAA Journal, phishing attacks are “a greater threat to the healthcare industry than any other attack vector.” In such attacks, the attacker sends fake emails to employees that seem like they originated from a reputed sender.
The email instructs victims to click on a link to a web page where they will be asked to enter their login credentials or some other sensitive data. The message may also ask them to download an attachment infected with malware or ransomware.
The malware may create gateways for the hacker to enter the organization’s computer network and access PHI or other sensitive information. By accessing PHI, the attacker may be able to steal patient identities (which he or she then sells on the black market for profile) or commit insurance fraud.
Business Email Compromise (BEC) is a special type of phishing scam in which attackers spoof the email of a senior executive at the target, and then trick subordinate employees into transferring money to a fraudulent account. According to the Center for Internet Security (CIS), this scam has increased by 1,300 percent since 2015.
BEC attacks are often successful because attackers properly “mimic” a person of power and target only a few people (generally those who handle finances). Such emails can escape basic security strategies like email filtering and could result in the loss of money, PHI, or even prescription drugs.
Man-in-the-Middle (MitM) Attacks
In an MitM attack, an “eavesdropper” hijacks communications between two authorized parties and then alters or copies the in-transit data without the knowledge of either party. The attacker can also alter sensitive EHRs and PHI or insert ransomware into sensitive files.
MitM attacks often become possible because organizations employ a strategy intended to improve data security on their internet transactions. Their use of Secure Hypertext Transport Protocol (HTTPS) requires the installation of trusted certificates on client devices, making it harder to verify the certificate chain and leaving connections vulnerable to malicious MITM attacks.
The healthcare sector experiences one of the highest incidences of data breaches. Major causes of breaches are credential-stealing malware, insiders who purposefully or accidentally disclose sensitive patient data, and lost computing devices.
According to the Verizon Data Breach Report of 2021, financially motivated external actors were responsible for 61 percent of breaches in 2021. PHI is a highly valuable “prize” because one patient record can sell for as much as $363 on the black market. If the attacker can get his hands on large numbers of medical records, he stands to earn huge profits.
PHI is also attractive because criminals can use it to perpetrate frauds, file fake insurance claims, purchase or resell medical equipment, and obtain prescriptions for their own use or for resale on the black market.
The Impact of COVID-19 on Cyberattacks in Healthcare
When the pandemic first struck in 2020, the volume and intensity of cyberattacks on U.S. hospitals and their IT systems increased. Data breaches increased by 55 percent from 2019 levels, and more than 1 million people were affected in almost every month of the year. Moreover, the average cost of a healthcare breach was $7.13 million, the highest among all industries that year. The COVID-19 pandemic was primarily responsible for this surge in criminal activity.
Following the pandemic, more hospitals started setting up makeshift sites for virus and vaccine testing. Many also rolled out telemedicine systems and had to deal with an expanded remote workforce and COVID-positive patients swamping their wards.
The pandemic forced many organizations to reallocate resources and funds to virus response efforts, sometimes resulting in smaller cybersecurity budgets and teams to deal with ransomware threats or phishing scams. In addition to ignoring or delaying many routine security measures, that also led to fewer efforts to validate the security measures of third-party vendors.
Weaker cybersecurity allowed cyberattackers to renew their activities, and more threats started coming from ransomware gangs and financial scammers. Many state-backed hackers ramped up their efforts to steal vaccine-related research and other data from healthcare systems.
Improper records disposal, compromised remote technology, and device theft also led to an uptick in breaches and ransomware attacks. The risk of supply chain attacks also increased as more hospitals and medical centers used a patchwork of goods and systems from third parties.
How Hospitals Can Protect Themselves From Cyber Attacks
As cyberattackers become smarter, healthcare organizations must strengthen their protection of assets and data. For example, they must implement strong security controls to assure that sensitive information is only accessible on a need-to-know basis.
Healthcare organizations should also establish a risk management program to assess cyber risk and identify security gaps. One way to do this is by adopting standard frameworks such as the NIST Cybersecurity Framework.
Healthcare providers must maintain secure data backups to assure seamless access in case of a breach or ransomware attack. They must also encrypt in-transit and at-rest data to prevent misuse or compromise by unauthorized or malicious users.
Other crucial cybersecurity best practices for healthcare organizations are:
- Whitelisting of devices, users, and applications, plus blacklisting of unsafe websites
- Vendor due diligence for managing third-party risk
- Regular assessments of third-party risk and cyberdefenses
- Cybersecurity training on the proper usage, handling, and storage of PHI, identification of phishing emails, and prevention of ransomware attacks
- Multi-factor authentication (MFA) and other strong access controls to restrict access to authorized users
- Regular patching of all devices, operating systems, and software
- Incident response planning to effectively deal with a cyberattack
Improve Cybersecurity with Reciprocity ROAR
The COVID-19 pandemic has increased the risk of data breaches and serious cyberattacks against the healthcare sector. Hospitals and other organizations cannot afford to grow lax about their cyberdefenses. If anything, they need a way to boost these defenses.
A strong defense starts with improved visibility into the threat landscape. This is where a cutting-edge risk management platform such as Reciprocity ROAR can help. ROAR shows where risk is changing to help hospital cybersecurity teams stay ahead of ever-evolving threats.
Reciprocity ROAR operationalizes risk management across threats, vulnerabilities, and incidents from one centralized platform. It also simplifies risk calculations, evaluations, and communication for more robust enterprise risk management.
With ROAR, hospitals, clinics, and other healthcare providers can continuously monitor cyber threats and implement measures to mitigate business exposure.