Malware and Ransomware Attacks
The most pressing cybersecurity threat of the past few years has been ransomware. One of the heaviest attacks in recent times was against three DCH hospitals in Alabama. The hospital system eventually recovered its files, but only after paying the attackers an undisclosed sum of money. According to the 2019 Verizon Data Breach Investigation Report (DBIR), ransomware accounted for over 70% of malware attacks suffered by healthcare organizations last year. Assumptions that such attacks only affect large healthcare organizations are wrong. According to the RiskIQ brief on Ransomware in the Health Sector 2020, small hospitals and healthcare centers are the most often targeted. The reason is simple: they have the smallest budgets and the fewest resources for security, which makes them soft targets for attackers. In the absence of official figures, experts estimate that at least 85% of small- or medium-sized hospitals lack a single IT security person on staff.
Solutions: In view of rising ransomware attacks, healthcare organizations should perform regular backups, and every backup should be stored offline or on a network separate from the main network. In the event of an attack, recovering data from backup is better than being held to ransom. Security infrastructure must also be evaluated consistently to find and close vulnerabilities.
Data Theft and Breaches
So far in 2020, no fewer than 28 healthcare data breaches have been reported. One of the worst was the Beaumont Health data breach, which impacted over 110,000 patients. The important thing to note is that although news of it emerged this year, the incident actually occurred in mid-2019. That such a revelation took so long to come out is a testament to the damning subtlety of data breaches. According to the Protenus Breach Barometer, in 2019 the average time it took a healthcare organization to discover a data breach was 224 days. That was an improvement compared to 2018! The healthcare sector also suffers the most financially from data breaches. According to an IBM Security report, the global cost of a data breach in healthcare in 2019 was a whopping $11 million. In second place was the financial sector at $5.5 million.
Solutions: Encryption goes a long way in mitigating data breaches. It not only protects the hospital system; it also ensures that the protected records are unreadable to an attacker who does not possess the unique decryption key. Healthcare providers should therefore consider integrating customer-centric encryption into their infrastructure, particularly a solution that combines tight security with a flexible user experience.
Insider Threats
According to the 2020 Verizon DBIR, internal threats accounted for 48% of data breaches. Although that is lower than the 59% recorded in the previous year’s report, the figure underscores the fact that insider threats are still a tremendous problem in healthcare cybersecurity. Many organizations (not just in the healthcare sector) aim most of their resources at combating external threats, all the while oblivious to the fact that insider attacks are just as dangerous. This form of attack is even more difficult to check, since anybody from indirect employees (18%) to staffers with allowed access (78.2%) may stage an attack.
Solutions: Kathy Hughes of Northwell Health recommends Security Information and Event Management (SIEM) technology for combating insider threats. Such a data loss prevention technique alerts management to any suspicious activity on the hospital network or database.
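An added example, not part of the original article: a minimal SIEM-style correlation rule of the kind recommended above, flagging a staff member with allowed access who opens several patient records outside their care assignments within a short window. The log format, user and patient IDs, assignment table, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of record-access audit events (not real data):
# timestamp, user, patient ID, action
SAMPLE_EVENTS = """\
2020-03-02T08:00:00 dr_c P400 view
2020-03-02T09:01:10 nurse_a P100 view
2020-03-02T09:05:42 nurse_a P101 view
2020-03-02T09:20:00 nurse_a P200 view
2020-03-02T10:00:05 clerk_b P201 view
2020-03-02T10:03:30 clerk_b P202 view
2020-03-02T10:04:00 clerk_b P202 view
2020-03-02T10:09:15 clerk_b P203 export
corrupted line
2020-03-02T11:00:00 dr_c P401 view
2020-03-02T14:00:00 dr_c P402 view
"""

# Constructed care-team assignments: which patients each user is expected to access.
ASSIGNMENTS = {"nurse_a": {"P100", "P101"}, "clerk_b": {"P300"}, "dr_c": set()}

def parse_events(text):
    """Parse audit lines into (timestamp, user, patient, action); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
        except ValueError:
            continue  # unparseable timestamp
    return sorted(events)

def detect_snooping(events, assignments, window=timedelta(minutes=30), threshold=3):
    """Return {user: (alert_time, patients)} for users who touch at least
    `threshold` distinct unassigned patients within `window`."""
    recent = defaultdict(list)  # user -> [(timestamp, patient)] of unassigned accesses
    alerts = {}
    for ts, user, patient, _action in events:
        if patient in assignments.get(user, set()):
            continue  # access within the user's care assignment
        # Keep only unassigned accesses still inside the sliding window.
        recent[user] = [(t, p) for t, p in recent[user] if ts - t <= window]
        recent[user].append((ts, patient))
        distinct = {p for _, p in recent[user]}
        if len(distinct) >= threshold and user not in alerts:
            alerts[user] = (ts, sorted(distinct))
    return alerts
```

A single out-of-assignment lookup (nurse_a) and accesses spread over hours (dr_c) stay below the threshold; tuning the window and threshold against real access patterns is what keeps such a rule from flooding analysts with false alerts.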
Phishing Attacks and Employee Errors
Seen another way, insider threats are not limited to deliberate criminal actions. They include the negligent worker who connects to the hospital system via an unsafe network. They also include the worker who falls for a phishing email, exposing the hospital system to a malware attack. The ‘curious’ employee snooping around poses a security risk, too. According to the HIMSS Cybersecurity Survey in 2019, 59% of healthcare IT experts said that email was the most common point of information compromise. The second, at 25%, was human error.
Solution: Healthcare providers need to overhaul cybersecurity education for their employees. There is a deep lack of public trust (one-third, per a survey) in the ability of healthcare IT systems to withstand a cyber-attack. Many errors could be avoided if medical staff were trained in basic cybersecurity hygiene, both to avoid inadvertently exposing patient data and to identify the warning signs of a potential attack.
Third-Party Errors/Attacks
Hospitals often outsource some of their jobs, such as cleaning and security, to professional agencies. If any of these indirect employees, including contractors, business associates, etc., have access to the hospital network, they can unwittingly or willfully do damage. Most times, these vulnerabilities go undetected for a long time. For instance, the largest healthcare data breach of last year was traced to a business associate. The attack on the American Medical Collection Agency put the information of about 12 million patients at risk; the actual figure could be much higher. According to the 2020 Protenus Breach Barometer, business associates were responsible for the breach of over 24 million patient records in the whole of 2019.
Solutions: Onboarding third-party vendors, contractors, and associates should begin with a full cyber risk assessment. In fact, the outcome of such an assessment should play a major role in determining which organization to work with. But this shouldn’t be a one-off affair. Once there is a working relationship, the third party should also be continuously monitored for security risks.
Internet of (Medical) Things Insecurity
Cybersecurity experts and researchers have demonstrated that most medical IoT devices deployed today carry serious cybersecurity risks and are easy entry points for attacks. The average medical device has about 6.2 vulnerabilities. Considering that hundreds of those devices have been in use in clinics and hospitals for many years (over 20 years, on average), cyber attackers have an easy time of it. Worse, there is no agency responsible for testing medical devices for cybersecurity vulnerabilities. This leaves the security of the devices completely in the hands of manufacturers, who are often driven by the need to capture the market quickly before considering the attendant risks.
Solution: According to the FDA, the responsibility for the security of medical devices lies with manufacturers and healthcare providers. Providers should test every device they deploy for security risks and vulnerabilities.
Conclusion
Cybersecurity in healthcare is a serious issue given the sensitivity of the information passed around. Healthcare providers urgently need to step up their security as they adopt cloud computing methods. Security infrastructure should be constantly evaluated and upgraded to meet current global best standards. This begins with having one or more security experts assess your facilities for security risks and give specific advice for improvement.