Hard to believe that it is only January of 2018, what with the flood of hacking headlines already coming in by the day. Less surprising than the deluge is the primary target of so many of those breaches and ransomware incidents: healthcare.
Hospitals and healthcare organizations have seen no respite from digital malice this year. Electronic health record (EHR) provider Allscripts was hit by a devastating ransomware attack last week—one they may not have recovered from at the time of writing. Florida’s Agency for Health Care Administration reported that they may have experienced a hack that compromised 30,000 Medicaid patients’ data. Hancock Health in Indiana also suffered from their data being held for ransom—a $50,000 ransom they were forced to pay. On the other side of the Atlantic, a hack on a Norwegian health care provider might have resulted in nearly half the population’s data being compromised.
Perhaps these attacks aren’t so surprising; healthcare providers have been a target of choice for hackers for years, and experts predicted that 2018 would see an even greater increase in similar attacks. It’s already cost the healthcare industry billions of dollars and affected nearly 80% of healthcare institutions.
But why is healthcare proving so lucrative? And what can you do to protect your healthcare enterprise?
Healthcare Means Big Targets…And Little Security
Healthcare providers and record keepers have invested huge amounts of time and money into collecting and analyzing copious amounts of patient data. On the one hand, this has resulted in faster and more accurate diagnoses, better coordination in treatment and care, and greater access to vital information. On the other hand, it has not been matched with an investment into safeguarding that data.
The problem lies with healthcare enterprises’ cybersecurity budgets—or more accurately the lack thereof. 40% of healthcare professionals spend only 1%-2% of their budgets on cybersecurity. Another 32% said they only spend as much as 6% on digital safety. One-fifth didn’t know their cybersecurity budget at all.
Furthermore, healthcare data is both detailed and valuable, as it specifically contains the information bad actors want. A medical chart can sell for as much as $50 on the darkweb black market. For comparison’s sake, a credit card number or social security number will only sell for $1 apiece.
Vast Array of Vulnerabilities and Security Holes in Healthcare
Compounding the budgetary issues in healthcare cybersecurity are the numerous entryways for attackers to access patients’ medical data. The bring-your-own-device (BYOD) revolution has affected the medical world as well, with an estimated 81% of healthcare enterprises allowing doctors and other professionals to use their own mobile devices to access patient data. However, nearly half of healthcare organizations aren’t even attempting to secure those devices—leaving hackers more potential means of ingress than they could ask for. With the prevalence of hacking tools and programs available out-of-the-box from darkweb markets, even an inexperienced hacker can find a way in through a single exposed endpoint.
In a statement to Dark Reading, CEO and President of Cryptonite Mike Simon said “Healthcare networks are highly interconnected and this provides a substantial opportunity for cyberattackers to penetrate multiple high-value targets. Healthcare networks’ architectures typically have a relatively high number of known vulnerabilities [with] missing patches and updates, embedded and exposed processors in medical devices, a large number of internet of things (IoT) devices and more.”
Another issue is that many healthcare enterprises assume that staying in compliance with HIPAA and HITECH indicates they are doing all they can for their cybersecurity needs. However, these compliance mandates don’t reflect the changes in either IT or cybersecurity as cloud and mobile innovations take greater precedence and more attacks are aimed at those areas.
Small Practices Are Particularly Vulnerable
While many large healthcare enterprises have been hit hard by the continual wave of attacks, small-to-medium healthcare providers and businesses have suffered even more. They are often dependent on the services of larger electronic records providers and other outsourced medical resources. Without suitable backup plans or security strategies for the aftermath of an attack on a vendor, small-to-medium businesses will have to wait out a vendor outage. This could leave them without resources for a significant period of time, clogging up patient care as a result.
What Can Healthcare Enterprises Do to Keep Themselves Safe?
First, if you do not have one, you need to establish an incident response plan within your enterprise or practice for when the worst happens in the digital world. It is essential to make sure your employees know what to do if they cannot access their records due to a hack, whom to contact in the event of a hack, and who will take charge during these events.
For small-to-medium sized practices, consider your backup and recovery strategies for your patient data in the event of a breach. If you completely outsource your data to a third party, you need to have a plan for what happens if that third party goes down.
Above all, cybersecurity in healthcare requires proactive involvement and consideration. Whether you increase your security budget, find a cybersecurity or backup solution, or hire a Chief Information Security Officer (if your practice can afford one), your enterprise needs to take your data security into your own hands. If you do pick a solution, make sure it is implemented and managed properly. Know where your data is stored and how it is accessed.
Cybersecurity is an investment, but the amount in time and money you will save in the long run will make it far worth it.