Recently, a cyberattack targeting Britain’s National Health Service (NHS) 111 service, the system used to refer patients for care, including dispatching ambulances, caused a loss of service. The attack was one of many healthcare-related attacks worldwide that have bombarded the digital ecosystem since the Covid pandemic began.
Covid and the corresponding growth in remote work have certainly led to more cyberattacks against the healthcare industry. Last year, 45 million individuals were affected by healthcare attacks, up from 34 million in 2020. That number has tripled in just three years, growing from 14 million in 2018, according to a report from the cybersecurity company Critical Insights. (Source: Healthcare data breaches hit all-time high in 2021, impacting 45M people, Fierce Healthcare.)
More statistics confirm that nefarious trend. “Thousands of healthcare organizations have been targeted by cybersecurity threats in the last few years, with hospitals accounting for 30% of all large-scale data security incidents. Over the last three years, a staggering 93% of healthcare organizations experienced a data breach, while 57% of healthcare organizations have had more than 5 breaches.” (Source: Healthcare Cybersecurity: The Biggest Stats & Trends in 2022, safetydetectives.com.)
Why Are Cybercriminals Targeting Healthcare?
The criminal hacker focus on healthcare is not surprising. As medical care becomes more networked and interconnected via computers and devices, the digital landscape of health administrators, hospitals and patients has become increasingly vulnerable.
From a security perspective, the healthcare cybersecurity landscape has many facets to protect. These include the information security networks of medical facilities and hospitals, medical equipment and devices, and the privacy of patients. Those elements are connected via software applications and configured networks that allow data to be exchanged. Like most industries in our emerging digital era, technologies, processes and people are the cornerstones of the healthcare cybersecurity transformation.
What are Cybercriminals Targeting?
The increasing reliance on medical devices also poses problems for healthcare cybersecurity, including ransomware. According to the company Cynerio in its study The State of Healthcare IoT Device Security 2022, “Over half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk.” (Source: A Cynerio Report – The State of IoMT Device Security 2022, webflow.com.)
Medical devices include ventilators, monitors, pumps, electrocardiographs, lasers, medical apps and diagnostic imaging systems. Many of these devices are wireless (including medical infusion pumps or IVs) and send communications and software updates over open airwaves. This opens threat vectors that could be exploited remotely. Because of these threats, the Food and Drug Administration recently named Kevin Fu as the agency’s first Acting Director of Medical Device Cybersecurity in its Center for Devices and Radiological Health.
Many healthcare facilities are also undergoing digital transformation and migration to the cloud but have not yet prepared for the cyber threats confronting them throughout their operations. A 2022 AT&T Cybersecurity Insights Report found that healthcare risks are increasingly clustering around edge and cloud assets. It found that 63.8% of healthcare organizations ranked attacks against servers and data at the network edge as the cyber threats of highest concern to them, and that 63.4% of healthcare organizations said attacks against associated cloud workloads were among the riskiest future attacks against them. (Source: AT&T Cybersecurity Insights Report: A Focus on Healthcare, att.com.)
In addition to networks and devices, healthcare records are a favored target of hackers. Protecting patient privacy is a paramount priority of healthcare stakeholders. HIPAA compliance and other regulatory security protocols are regularly being evaluated by federal agencies and legislators. The privacy and security measures for Electronic Health Records (EHR) are guided by the HIPAA Security Rule. The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information via physical and technical safeguards.
NIST has recently published a draft update to its healthcare cybersecurity guide, Special Publication 800-66r1. The document contains expanded guidance on risk assessments and risk management and aims to help educate readers about the security standards included in the HIPAA Security Rule. (Source: NIST SP 800-66r2 initial public draft, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide.)
Especially significant in accounting for the increase in targeted cyberattacks is that most healthcare facilities have other budget priorities ahead of cybersecurity, such as procuring the latest health and hospital technologies. Cybersecurity has traditionally been a low-spend item for hospital administrators, but because of the scourge of hacks and ransomware attacks that have happened since Covid, cybersecurity is no longer an afterthought, and many institutions are investing in cyber expertise, managed security and cybersecurity technologies.
Ransomware as a Preferred Method of Attack
For criminal hackers, healthcare facilities are viewed as achievable targets where they can reap quick monetary gains. Hackers can steal medical records, which are commodities with a resale value on the Dark Web. Extortion via ransomware has been the method of choice for many criminal hacking groups when it comes to attacks on the healthcare industry. The reason is that hospital administrators are highly likely to pay ransoms to regain operational control over their facilities, reduce liabilities and avoid putting patients at risk. Hospitals and healthcare facilities also want to protect their reputations and prevent cybersecurity incidents from going public.
A survey of healthcare organizations worldwide conducted between January and February 2021 by the firm Sophos found that 34% were hit by ransomware in the last year. The survey also found that “among the 63% of healthcare organizations that were not hit by ransomware but expect to be in the future, the most common reason (57%) is that other organizations in the healthcare sector have been targeted. 55% of respondents said that ransomware attacks are getting increasingly hard to stop due to their sophistication.” (Source: Sophos, The State of Ransomware in Healthcare 2021 whitepaper.)
Healthcare Cybersecurity and Managing Risk
Like most elements of cybersecurity, protecting hospitals and healthcare facilities really comes down to managing risk, not just with technologies but with leadership from both industry and government. Healthcare is listed by the Department of Homeland Security as critical infrastructure and needs to be protected with industrial safeguards and standards.
As a first step, healthcare organizations should take steps to protect sensitive data by conducting regular security assessments and penetration tests and by implementing intrusion detection and response capabilities. Such practices can also help mitigate IT misconfigurations and bot threats and identify potential insider threats.
As NIST and other risk management guiding organizations suggest, hospitals and healthcare facilities should practice sound cyber hygiene, including multifactor authentication and employee training. They should also employ real-time monitoring of their networked systems, multiple firewalls and layered security. Encryption of medical devices to reduce security risks is also recommended. Hospitals and medical facilities should also plan for continuity, backup and recovery. The risks are too high not to have an end-to-end approach to holistic cybersecurity.
What it really comes down to is that healthcare is a vital function for our well-being and survival and is indispensable to both people and the economy. Investments toward bolstering the cybersecurity of all these health-related institutions facing potential cyberattacks need to be considered urgent and increased significantly, as we are all directly and indirectly at risk.