Cyber Security Epidemic in Healthcare Industry
“The health sector is in desperate need of a cyber hygiene injection” - James Scott, Senior Fellow, Institute for Critical Infrastructure Technology
With booming development in technology and fast-paced information distribution, the healthcare industry has rapidly evolved from a paper-based to a digitally advanced sector.
Don’t get us wrong: digitalization has helped companies provide a comprehensive and accurate view of a client’s health history, along with faster diagnosis and treatment.
But that’s just part of the story…
At the same time, digitalization has raised the question of whether existing security measures are adequate to protect sensitive data.
Believe it or not, according to TechJury statistics, approximately 13 million records leaked in 2018 in the healthcare industry – a twofold increase compared with the year before. And hospitals, in turn, accounted for 30% of all large data breaches.
What could that mean?
This may mean that the healthcare industry is not keeping pace with cyber security advancements and needs to focus on protecting patients’ privacy and medical information.
Here’s a real-life example:
In 2016, Newkirk Products – an insurance organization issuing ID cards – declared a data breach which leaked 3.47 million patients’ profiles. The affected information included ID numbers, names, mailing addresses, dates of birth, invoice information, etc.
Here is an interesting fact: among the victims was Blue Cross Blue Shield, the largest health insurance company in the United States.
It is becoming more obvious that cyber security should be addressed as a top priority within all organizations, given the rapid evolution of cyber attacks.
Newkirk Products is just one of the cases that captured the public’s attention. It is clear there is a cyber security epidemic in the healthcare industry.
It demonstrates that medical organizations working with patients’ personal data are constantly exposed to a great deal of cyber risk. With so much data circulating throughout cyberspace, there is an essential need to deliberately manage data protection at all stages of the data life cycle.
After all, here is something we all can agree on – cyber security is healthcare’s Achilles heel.
State of Cyber Security in Healthcare
You may ask why we think that there is a cyber security epidemic in the healthcare industry.
Well, it all boils down to this: networks are expanding in quantity faster than in quality (meaning, in this case, an adequate level of security). This provides an enormous opportunity for hackers to experiment with methods used to gain unauthorized access to systems and compromise sensitive data.
In fact, the total cost of data breaches in healthcare has reached approximately $5.6 billion every year, according to Becker’s Hospital Review.
Data leakage continues to skyrocket, and here are the main reasons why:
Internet of Things (IoT)
Here’s the good news: the Internet of Things (IoT) has gained wide popularity within medical companies. And the best part of IoT is the opportunity to automatically collect data and make quicker decisions based on broader information.
But there’s a catch: while optimizing productivity through managing IoT devices, organizations may forgo cyber security protection of patients’ personal information.
According to a CynergisTek survey, over 50% of respondents claim that IoT has become one of the top emerging threat areas, and approximately one third stated IoT is one of the top five threats facing healthcare.
Human Factor
It’s not surprising that the lack of cyber awareness is considered one of the main cyber security risks for organizations. And the healthcare industry is not an exception.
Employees tend to open phishing links or inadvertently send Personal Health Information (PHI) through insecure channels (or even to the wrong recipients!), which provides hackers with access to the organizational databases.
Hard to believe, but 88% of healthcare workers open phishing emails according to TechJury statistics.
This definitely highlights the lack of cyber awareness among medical personnel.
Resources
And as if that’s not enough, lack of resources plays a significant role in the cyber security posture of healthcare organizations.
This should not be surprising because companies are faced with this obstacle regardless of industry.
According to The Rampant Growth of Cybercrime in Healthcare report, “chronic underinvestment in cybersecurity has left many so exposed that they are unable to detect cyberattacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained, and defensive resources are deployed to prevent the same attack from happening again.”
Cyber Security Risks in Healthcare
As time passes, the attacks are becoming harder to detect, avoid and mitigate. Driven by financial gains, hackers never stop implementing new techniques to breach systems within organizations and steal sensitive data.
Here are the most popular types of cyber attacks contributing to the cyber security epidemic in the healthcare industry:
Phishing attacks:
Phishing has become the preferred attack method for cyber criminals. With this technique, an attacker sends the target a seemingly “legitimate” email to “phish” for sensitive information, such as credentials. The attacker may also persuade the target to click on a link to a file that will automatically install malware (malicious software) on the target’s machine.
Believe it or not, it only takes one click to cause an entire organization to fall victim to the criminals’ attack!
Malware:
Think about it: cyber criminals can install malicious programs (or malware) through phishing email scams.
But that’s just part of the story…
In fact, malware can be installed through online downloads (even when downloading legitimate software from legitimate sources) in an attempt to infect the machine and eventually spread to other systems.
Ransomware (a type of malware) is the most popular attack targeting the healthcare sector. It is referred to as a “cyber epidemic” since it rapidly contaminates the organization’s networks and systems.
Once executed, the program encrypts the local hard drive and its data, preventing the organization from accessing critical information unless the company follows the criminals’ instructions and pays the hackers to regain access to its files (which is never guaranteed).
Believe it or not, 88% of all ransomware attacks on U.S. companies in 2016 were aimed at the healthcare industry. Sounds scary, doesn’t it?
Cloud attacks:
We won’t surprise you by saying that more and more entities are gravitating towards cloud over on-premises solutions. And there’s nothing wrong with this per se.
Even on a personal level, most of us use cloud-based platforms daily as it is a convenient way to access the information from anywhere and at any time.
For organizations, it can improve resource utilization, productivity and efficiency. Healthcare entities are not an exception.
Here’s what a SADA Systems survey found:
Approximately 89% of surveyed hospitals transferred their systems to the cloud. They claim that the introduction of this IT opportunity has increased performance, improved patient satisfaction and led to more accurate treatment.
Given these benefits, it is believed that more medical entities will be switching to cloud platforms in the near future.
Here is an interesting fact from the same survey: 61% of surveyed organizations are moving/planning to move to the cloud due to confidence in its security.
At the same time, storage of a large volume of sensitive information (patient/medical records) coupled with a lack of security controls makes healthcare organizations a desired target for cybercriminals.
Supply Chain Attacks:
According to a CrowdStrike survey, approximately 84% of healthcare respondents believe “software supply chain attacks have the potential to become one of the biggest cyber threats to their industry”.
Indeed, the cyber threat can also come from the suppliers, service providers, partners, or business associates working with medical companies – any third party with access to networks/systems. Surprisingly enough, the biotechnology and pharmaceutical sectors are the most vulnerable ones as they have direct contact with suppliers.
You might wonder how suppliers would jeopardize their partners.
The hackers would typically try to infiltrate (e.g. through phishing techniques) a third party’s system or network and use it to break into their partners’ IT infrastructure.
Possible risks?
According to the same CrowdStrike survey: “Knowledge gaps and the lack of established standards to prevent complex supply chain attacks are putting organizations at risk from a financial, reputational, and operational perspective.”
Strategies for improving cyber security
You might be wondering: how do I steer clear of the cyber security epidemic in the healthcare industry?
Based on our experience with clients from the healthcare industry, we have come up with recommendations that are fundamental to a sustainable and well-functioning cyber security framework.
Nail these recommendations and you will significantly reduce your risk of being compromised.
Establish a culture of cyber security:
Cyber security should be “baked” into all the parts of the organization including staff: e.g. safeguarding information and reporting of incidents.
One of the most critical elements here is investing not only in technology, but also into personnel. Developing a cyber awareness framework and conducting regular cyber awareness training internally can be a significant effort, one which in turn yields significant results.
But there’s a catch: the culture of cyber security must align with the overall organizational strategy and objectives. This way it will be easier to explain the purpose and benefits of this approach to staff. It becomes less of a burden and more of a necessity.
Ensure protection of IoT devices:
One of the key factors behind the rapid digitalization of healthcare organizations is the adoption of IoT devices.
On one hand, there are a few obvious benefits: quick diagnoses and better treatment.
On the other hand (and often overlooked), many IoT devices lack built-in security and therefore have numerous vulnerabilities, potentially opening their doors to hackers.
Here is a simple (and fundamental) thing you should do to significantly improve IoT security: change the default password on all connected devices, or set one up if there is none. Believe it or not, 15% of IoT device owners don’t bother changing the default password, according to Positive Technologies.
In our experience, each organization should also identify, track and manage all IoT devices along with all other devices (switches, firewalls, workstations, etc.) connected to its network(s). Simply stated: network visibility leads to better security.
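Here is one way to put those two recommendations to work, as an added example that is not part of the original post: a short Python script that reconciles an asset inventory against the devices actually seen on the network and lists devices still on a default password. The CSV column names and all sample rows are assumptions constructed for this example.

```python
import csv
import io

# Constructed sample data: an asset inventory export and the devices
# observed on the network (e.g. taken from DHCP leases). The column
# names are assumptions made for this example.
INVENTORY_CSV = """mac,name,type,default_password_changed
00:00:5E:00:53:01,infusion-pump-3f,iot,yes
00:00:5E:00:53:02,patient-monitor-2a,iot,no
00:00:5E:00:53:03,core-switch-1,switch,yes
00:00:5E:00:53:04,ip-camera-lobby,iot,
"""
OBSERVED_CSV = """mac,ip
00-00-5e-00-53-01,10.20.0.11
00:00:5e:00:53:02,10.20.0.12
00:00:5E:00:53:03,10.20.0.2
00:00:5E:00:53:99,10.20.0.87
"""

def normalize_mac(mac):
    """Canonical form, so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load(text):
    """Index CSV rows by normalized MAC address."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(inventory_text, observed_text):
    inventory, observed = load(inventory_text), load(observed_text)
    return {
        # On the network but not tracked: investigate or onboard.
        "unmanaged": sorted(observed[m]["ip"] for m in observed.keys() - inventory.keys()),
        # Tracked but not seen: retired, offline, or on another network.
        "not_seen": sorted(inventory[m]["name"] for m in inventory.keys() - observed.keys()),
        # Anything not explicitly confirmed counts as still default.
        "default_password": sorted(
            r["name"] for r in inventory.values()
            if (r["default_password_changed"] or "").strip().lower() != "yes"),
    }

if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY_CSV, OBSERVED_CSV).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

A blank password status is treated the same as "no", so a device nobody has checked shows up in the report instead of silently passing.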
Introduce a firewall system:
Although, as of late, even the firewall has come under fire (no pun intended), it remains one of the most important aspects of any organization’s cyber security posture. Thus, deploying a firewall (or multiple firewalls depending on security requirements) is an important first step to take, and here’s why:
A firewall works as a shield between the trusted internal network and an untrusted external one (for example, the Internet).
Simply put, a basic firewall monitors and filters inbound and outbound traffic on the organization’s network, although most advanced firewalls offer a much broader degree of protection.
Introduce endpoint protection software:
We won’t be wrong if we say that deployment of endpoint protection software on all end-user devices is complementary to introducing a firewall for network security.
Here is why: endpoint protection helps with prevention, detection/monitoring and in many cases elimination of the malware threat on the endpoints and consequently on the network.
However, deployment alone is not enough to protect the system. It is essential for an organization to keep the endpoint protection up to date to ensure protection at all times.
Strong Passwords and 2nd Factor Authentication:
There is no doubt about the need for strong passwords – this is true not only for organizations, but also for individuals in general.
However, many organizations often forget about this critical element of system security. In fact, weak passwords are considered one of the main reasons for data breaches. According to a Verizon report, 63% of data leakage involved default or stolen passwords.
Here is what you could do to avoid being a part of the cyber security epidemic in the healthcare industry.
As a general guideline, it is important for a company to have a Password Standard outlining the minimum length of passwords, the characters required to be used and how frequently they must be changed.
Although this is a great start, in our experience, having strong passwords is not enough. Organizations should also consider implementing 2nd Factor Authentication (2FA), which helps with securing accounts in case of a password compromise.
Control physical access:
Believe it or not, physical security is just as important as cyber security.
Here’s why: a data breach can happen through the physical theft of a device containing sensitive data, or through direct access to critical IT equipment (network or server racks, for example).
As a result, an organization should have sufficient physical security controls in place. For instance, servers, switches, firewalls and other vital components of critical IT infrastructure should be kept under lock in secure areas to which only authorized personnel have access.
Conclusion
While there are obvious reasons behind the cyber security epidemic in the healthcare industry (such as limited resources and rapid adoption of IoT devices, amongst others), organizations should realize the importance of cyber security and lead the charge from within.
This includes mitigating the human factor via a culture of cyber security, controlling physical and logical access to IT infrastructure and ensuring the visibility of the networks and systems.
Developing a cyber security framework and proper means of protection requires cooperation from everyone: from doctors to IT professionals.
Again, it only takes one click, one infected machine, to cripple an organization. In the health industry, the consequences are easy to measure.
Start today to be prepared for tomorrow!