The healthcare industry is hardly alone in facing serious cybersecurity risks, but it is unique in the consequences it faces for failing to prevent attacks from internet-based criminals. One of the most important of these relates to the Health Insurance Portability and Accountability Act (HIPAA), which demands that organizations in this field implement strict security measures to safeguard patient data. In addition, the vital services provided by healthcare organizations make them attractive targets to hackers, who understand that cyber threats can be especially disruptive to this industry.
For professionals in the healthcare field, preventing security breaches to information systems requires a multi-pronged approach. Cyber-attacks can come from a number of sources, from both inside and outside the organization. The key to optimizing your healthcare cybersecurity efforts is knowledge—you must be aware of the threats out there. Keep reading for an overview of the top healthcare cybersecurity issues that you need to be able to grapple with effectively.
Ransomware
Of all the cyber threats faced by modern healthcare organizations, ransomware may be the most dangerous. It is deviously simple. The attacker infects the organization’s operating systems with malware that encrypts electronic health records and other data, rendering it impossible to access. The only way to regain access is to pay the attacker via wire transfer, Bitcoin, or a similarly difficult-to-trace method. Even after access has been recovered, organizations can never be fully sure the data hasn’t been duplicated.
Such victimized organizations aren’t left paying trivial amounts of money, either. In 2020, the average ransom paid by U.S. organizations from ransomware attacks was $847,344, but reached figures as astronomical as $10 million. These numbers don’t even take into consideration the subsequent threats of extortion.
Ransomware attacks are usually caused by trojan viruses that infect the computer via a phishing email when the user clicks on a link or downloads an attachment. That’s why it’s extremely important to train healthcare employees on safe email and internet usage. Many successful ransomware attacks would have been avoided had an employee simply clicked delete.
The COVID-19 era has brought a new twist to this threat. Many ransomware emails are disguised as health advisories from a government agency or another reputable organization about the virus.
Ransomware cyber threats are particularly troublesome for healthcare organizations due to the potential catastrophe of an operational slowdown after an attack. If hospitals, insurance companies, and other healthcare organizations are unable to access patient information when needed, it can result in lethal consequences. Hackers are well aware of this, which is why, sadly, healthcare providers are often targeted for these kinds of attacks. It further emphasizes the importance of proper backup strategies to ensure that in the event of a ransomware attack, vital information will still be accessible so that, at least, patients immediate healthcare needs won’t be an additional factor.
Ransomware is not a new phenomenon, but it has become increasingly dangerous in recent years with the rise of Ransomware as a Service (RaaS). This makes ransomware tools within easy reach of enterprising criminals who lack technical expertise, and provides an explanation for the rise in ransomware attacks over the last few years.
Data Breaches
The black market for protected health information (PHI) remains quite active. PHI refers to the full range of personally identifiable data associated with a patient, including diagnoses, test results, and prescriptions, as well as contact information and Social Security numbers.
This data is particularly appealing to hackers because unlike stolen credit card numbers, patients’ personal histories cannot simply be deleted or locked. Once hackers have seized this information, they can use it to obtain loans, purchase medication, file an insurance claim, or set up credit lines—all under other people’s identities.
Under the HIPAA Security Rule, healthcare organizations are required to observe adequate data security practices in the storage and transmission of PHI, but in actuality, many lack the resources needed to stay ahead of the game with up-to-date protocols, security measures, and fully staffed IT departments. Rather, healthcare organizations tend to devote the constrained resources they have disproportionately on patient care rather than computer systems even though the potential consequences to those same patients from a cyber-attack are also devastating.
Healthcare organizations must ensure that data is backed up properly and protected by strong encryption and up-to-date software. It’s also important to use anomaly detection tools that can uncover the intrusions of data thieves in the early stages, before any damage can be done.
Insider Sabotage
Many cybersecurity incidents can be traced to negligence on the part of a single employee or the organization as a whole, although some cases are not accidents at all. Sometimes an employee at a healthcare organization decides to exploit the black-market demand for PHI—such as a disgruntled worker simply vandalizing a company’s computer system out of spite.
This threat is another reason why data encryption is vital. If a company stores sensitive information in plain text, it can be easily stolen by an employee.
It’s also wise to implement a Zero-Trust Access (ZTA) strategy in which employees are assigned different levels of data access appropriate to their job duties. Simply put, if an employee doesn’t need to enter a particular database or system, they shouldn’t be able to access it. These areas should have dedicated passwords or be accessible only to those employees with special account settings. Data logs should be implemented to track who has accessed databases where this information is stored.
Distributed Denial-of-Service (DDoS) Attacks
A DDoS attack is simply an attempt to overwhelm a website or network with internet traffic in order to disrupt its functionality. They are usually executed with the aid of botnets, a large network of hacked computers—sometimes literally millions of them—that send a massive amount of data that the targeted entity cannot manage properly. In some instances, DDoS attacks are performed in conjunction with a ransomware attempt. And, like standard ransomware, DDoS attacks can be especially harmful to healthcare organizations that cannot afford extended downtime periods.
This is another threat that has been around a while (the first recorded DDoS attack happened back in 1999), and it’s only become more sophisticated and powerful with time. As a result, many cyber companies have begun offering DDoS mitigation services that provide defenses against these attacks.
Ciphertex® offers world-class HIPAA-compliant data security solutions that address the operational requirements of the modern healthcare organization. To learn more, feel free to contact us at 818-773-8989.