April 7, 2021 is World Health Day. As we move well into the second year of the COVID-19 pandemic, our safety and well-being continue to be a priority for all of us. Unfortunately, for cyber attackers, healthcare is top of mind for a very different reason: financial gain.
Over the past several months, it may have felt like you read about a cyberattack on a healthcare facility or medical research institution every other day. Believe it or not, that was actually an underestimate!
Cybersecurity software firm Tenable recently conducted an analysis of publicly disclosed data breaches: there were 237 breaches reported in 2020 alone, with 56 more reported in the first two months of 2021. And it isn’t just the frequency of attacks on healthcare that is so problematic. The severity of the attacks has been devastating. IBM’s Cost of a Data Breach Report 2020 identifies attacks on healthcare as the most expensive – for the tenth year in a row! – with an average cost of a breach in excess of $7.13M USD.
Why is healthcare always under attack?
Tenable’s full report presents a fascinating insight into some of the key threat vectors faced by the healthcare sector in 2020 and 2021. But why is healthcare consistently a prime target?
Types of information: Healthcare organizations can store a huge range of highly sensitive data about an individual. Consider all the personally identifiable information held at a clinic or hospital: personal contact information, financial details, and a host of potentially sensitive personal health details. Healthcare research laboratories can hold valuable intellectual property and financial information, which are also attractive targets for extortion, ransom, or theft-for-resale.
No tolerance for downtime: Healthcare systems are also targets for ransomware attacks due to the essential nature of their services. Delays in providing urgent care could literally be a matter of life or death, so threat actors holding systems for ransom have significant leverage when making their demands.
Pervasive use of mobile and IoT devices: Healthcare facilities must seamlessly support a diverse group of specialists, suppliers, patients, visitors, and staff using their own personal devices along with record-keeping tablets and monitors. All of these stakeholders need access to a wide range of data sources, systems, and resources – and all of that access must be secured. Further, the explosion of IoT devices in the healthcare setting has created headaches in terms of inventorying and securing growing fleets of equipment. Healthcare equipment and service companies, working to be at the forefront of medical technology, may not put sufficient emphasis on the importance of information security – putting healthcare data at risk.
Pace of technology transformation: As e-health initiatives progress, cloud implementations expand, and telehealth/remote work solutions become standard parts of healthcare delivery, some providers have found it challenging to keep pace with the changing cybersecurity landscape and expanded “threat surface” created by these new technologies.
Scarcity of resources: By no means an issue exclusive to the healthcare sector, the lack of experienced cybersecurity staff has created challenges in keeping pace with increasingly pervasive and sophisticated attacks. Fierce competition for scarce resources has driven up costs, and has made attracting and retaining top talent a difficult proposition for healthcare facilities already facing budgetary pressures.
Success rate: Let’s face it, cybercriminals read the papers too. The increasingly common “double extortion” approach of exfiltrating data and deploying ransomware has compelled some victims to pay ransoms to get operations running again. This track record of success against victims in healthcare has put others in the sector at risk, with attackers perceiving hospitals, healthcare facilities, and research organizations as attractive, lucrative targets.
How can healthcare organizations protect themselves?
The IBM 2020 report suggests that half of all cyber incidents at healthcare facilities were due to a malicious attack. And the Tenable report suggests that ransomware, email compromise, and/or phishing attacks represented the root cause of over 75% of the cyber breaches recorded in 2020. What strategies should healthcare facilities adopt to reduce these risks?
Employee awareness: It is a truism that employees form the last line of defense against intrusion. Robust training is essential to heighten staff vigilance against attempted cyber attack. Phishing scams remain the largest first point of access for attackers, so savvy staff can save the day. You cannot be hurt by a bad link that is never clicked; you cannot be compromised by an infected document that is never opened.
Multi-factor authentication: Of course you need complex passwords, but stolen user credentials are another common way in for hackers. Even just implementing two-factor authentication can significantly reduce the risk created by employees who use compromised credentials, share passwords, or are victimized by key loggers. Multi-factor or biometric authentication reduces the odds of compromise even further.
Patch, patch, patch: It is essential to stay current on system patches. Even if malware is launched through a phishing attack or other compromise, many threat vectors can be neutralized by ensuring that the latest patches are deployed in your environment. This goes beyond just updating your anti-virus and patching Windows: all hardware and software solutions in the enterprise must be inventoried and monitored for software patches and fixes. Subscribe to vendor bulletins and central patch reporting services in order to keep on top of things. Zero-day vulnerabilities are still being found regularly. You do not have the luxury of delaying software fixes.
Logging, tracking, and audit: Access reviews must be conducted regularly to ensure that staff have no more access than they need to do their jobs, and that their use of corporate data and resources is appropriate for their work. Any anomalous activity may be an indicator of compromise.
Tested backups: It’s not enough just to run your backups – you must test-restore your systems from virtual, cloud, or tape backups regularly. Create archive versions of your data and systems as frequently as is practical, and be sure to keep them isolated from your production systems. In the event of a ransomware attack that locks or destroys your data, a tested, segregated backup could be invaluable in helping you recover.
These are only the basics. You must review your cybersecurity practices and readiness to ensure you are well-positioned to be able to offer patient care when and where it’s needed, and to protect the data entrusted to your organization.
If you are concerned about the health of your cybersecurity program, or just want to chat about the latest in securing healthcare systems and data, ISA Cybersecurity can help. We have a proven track record of working with healthcare facilities, and we offer a full range of cybersecurity services that can help your organization protect patient data. Contact us today to learn more. You’ll discover that we deliver cybersecurity services and people you can trust.