Recent statistics showing trends in cyber security threats to the healthcare industry are a cause for concern. Because healthcare facilities are critical, they are increasingly becoming the target of cyber attacks.
In this article, I’d like to take a closer look at these statistics, and what they actually mean for anyone responsible for ensuring the integrity and confidentiality of healthcare facilities. By the end, you will have a better understanding of the current cyber attacks threatening the healthcare industry.
The State Of Cyber Security In Healthcare
- 16% of healthcare providers report having “fully functional” security programs.
- 43% say that they are either still developing security programs or have not developed one.
- 82% of surveyed healthcare organizations say that security is a top concern.
- 69% of those in the healthcare industry believe they are at risk for a data breach.
- 94% are now using some form of advanced technology to protect sensitive data.
Healthcare facilities store comprehensive personal data about their patients, which makes them a lucrative target for hackers, who can sell the data on to identity thieves. In addition, since healthcare is critical to patient welfare, facilities are extremely likely to pay up if they are hit by ransomware.
Email spoofing, where patients receive payment demands purporting to come from their healthcare provider, also has a higher chance of success than in other industries, since patients will not want to be denied critical treatment because of outstanding fees.
What Can Healthcare Providers Do To Protect Against Cyber Attacks?
The statistics show that, while most are aware that security is important, few healthcare providers are doing enough to ensure their safety from cyber attacks.
One of the reasons for this is that healthcare facilities often don’t budget enough to be able to afford the kind of expertise needed to provide comprehensive, up-to-date security protection. Security is often piecemeal, and many organizations are not even aware of exactly what assets they own and should be protecting.
Good security begins with a comprehensive vulnerability assessment of all systems on a network, including IoT (Internet of Things) connected devices. Many modern medical devices, such as patient monitoring equipment, infusion pumps, and CT scanners, are connected to the network, where a computer is used to analyze data and to send control commands to the device.
For healthcare providers, good security is not only common sense: in most countries, it’s governed by strict laws. In the United States, providers are required to adhere to the Health Insurance Portability and Accountability Act (HIPAA), which specifies the standards that must be followed by all healthcare providers when dealing with patient data.
Protecting The Confidentiality Of Patient Data
- 89% of healthcare organizations had patient data lost or stolen in the past two years.
- Patient health records can be sold for as much as $363 on the black market, which is more than any piece of information from other industries.
Patient data is particularly valuable to the criminal community. Electronic Health Records (EHR) contain a wealth of information about each patient: name, social security number, financial information, current and previous addresses, medical history and names of next of kin.
Hackers can sell these records, often known as Fullz because they are so comprehensive, on the Dark Web for up to $1,000 per patient record. Unlike credit card theft, this form of identity theft can remain undetected for months or years, and it may not even be possible to trace how and when the theft occurred.
Apart from this, there is also the potential for confidential medical histories to be used either for blackmail or for smear campaigns, especially where celebrities and political figures are concerned. Criminals can also use the data to benefit from fake insurance claims.
Anonymized data, that is, patient data from which names, social security numbers, and addresses have been removed, is often provided to pharmaceutical companies and other entities for research purposes. However, even in this form it represents a risk, as hackers can often match it back to other data, such as voters’ rolls, to recover some of the missing information.
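The matching risk described above can be measured before an extract leaves the organization. The following added example (not code from the original article; the records, field names and functions are constructed for illustration) computes k-anonymity over the fields a voter roll could also carry (ZIP code, birth year, sex), flags rows whose combination is rare enough to be matched back, and shows how coarsening those fields raises k:

```python
"""Re-identification risk check for a de-identified patient extract.

Added example, not part of the original article. The names, functions and
sample records are constructed for illustration. It measures k-anonymity over
the quasi-identifiers an outside dataset such as a voter roll could also carry
(ZIP code, birth year, sex), flags rows that are unique or rare, and shows how
coarsening those fields raises k.
"""
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed sample: direct identifiers (name, SSN, address) already stripped.
SAMPLE_RECORDS = [
    {"zip": "02138", "birth_year": 1974, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "birth_year": 1974, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1974, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "arrhythmia"},
    {"zip": "02140", "birth_year": 1988, "sex": "M", "diagnosis": "migraine"},
    {"zip": "02140", "birth_year": 1988, "sex": "M", "diagnosis": "fracture"},
]


def _key(record, quasi):
    return tuple(record[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(_key(r, quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest equivalence class size; k=1 means at least one row is unique."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def risky_rows(records, k_min=3, quasi=QUASI_IDENTIFIERS):
    """Indices of rows whose quasi-identifier combination occurs fewer than k_min times."""
    classes = equivalence_classes(records, quasi)
    return [i for i, r in enumerate(records) if classes[_key(r, quasi)] < k_min]


def generalize(records):
    """Coarsen ZIP to its 3-digit prefix and birth year to a decade (a common
    de-identification step). Returns new dicts; the input is left unchanged."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["birth_year"] = (r["birth_year"] // 10) * 10
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_RECORDS), "risky rows:", risky_rows(SAMPLE_RECORDS))
    coarse = generalize(SAMPLE_RECORDS)
    print("generalized k =", k_anonymity(coarse), "risky rows:", risky_rows(coarse))
```

On the constructed sample the raw extract has k=1 (one row is unique on ZIP, birth year and sex), and generalizing to a 3-digit ZIP prefix and birth decade raises it to k=3. The threshold `k_min` and the choice of quasi-identifiers are policy decisions that depend on what outside datasets are plausibly available.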
Healthcare providers may also be a soft target for hacking, in that medical devices such as patient monitoring equipment are often linked to a computer, and therefore potentially to the whole network. Many of these run off-the-shelf software, which is subject to the same vulnerabilities as any other device.
Manufacturers are not always security conscious when writing software for medical equipment. For example, one device had its network password hard-coded into the software, where it could potentially be discovered by hackers. Many use an insecure wireless connection, and some may send passwords and other critical data in unencrypted form.
In addition to this, staff are not always aware that the device may represent a security threat. For example, taping a password to a medical device can put an organization at serious risk. Medical devices are, in fact, a potential entry point into the system for a cyber attack.
Methods healthcare providers use to prevent hacking of patients’ data are:
- Strong Endpoint Security – Including strong passwords, locking an account after a fixed number of unsuccessful logins, and two-step authentication.
- Data Encryption – Without the encryption key it’s difficult for hackers to access the data in a readable form.
- Network Vulnerability Management – Perform routine network scans and assessments to identify vulnerabilities in systems or networks.
- Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) – Implementing IDS and IPS technologies provides an additional layer of security by detecting and preventing malicious attacks from threat actors.
- 3rd Party Software – Installing software like Protenus, which checks for unusual activity such as a user suddenly accessing a large number of records.
- Staff Training And Education – Ensuring staff are trained in good security procedures, for example not leaving unlocked computers unattended.
- Use A Reliable Vendor For Medical Devices – Ensure medical devices are sourced from reputable manufacturers, and that firmware is updated as needed. They must be configured correctly into the network and must use good endpoint security. When obsolete, they must be disposed of correctly.
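The "unusual activity" check mentioned under third-party software (a user suddenly accessing a large number of records) can be expressed as a simple baseline comparison over EHR access logs. The following added example is not code from the original article or from any product it names; the log format, field names and thresholds are constructed assumptions, and the sample log is generated inline. It counts distinct patient records per user per hour and raises an alert when an hour exceeds either an absolute cap or a multiple of that user's own earlier hours:

```python
"""Detect a user suddenly accessing far more patient records than usual.

Added example, not part of the original article or of any product it names.
The log line format, field names and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed log format: ISO timestamp, user, patient record id, action.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def build_sample_log():
    """Constructed sample: a ward nurse with steady access, and a clerk whose
    volume jumps from 3 to 30 distinct patients in one hour. One unparseable
    line is included to show malformed input is skipped."""
    lines = []
    for h in ("08", "09", "10", "11"):
        for p in range(4):
            lines.append(f"2019-03-04T{h}:15:00 user=nurse_a patient=P{1000 + p} action=view")
        for p in range(3):
            lines.append(f"2019-03-04T{h}:20:00 user=clerk_b patient=P{2000 + p} action=view")
    for p in range(30):
        lines.append(f"2019-03-04T12:{p:02d}:00 user=clerk_b patient=P{3000 + p} action=view")
    lines.append("this line is not in the expected format")
    return lines


def parse(lines):
    """Yield (hour_bucket, user, patient) tuples; skips lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((m["ts"][:13], m["user"], m["patient"]))  # "YYYY-MM-DDTHH"
    return events


def hourly_distinct_patients(events):
    """user -> {hour_bucket: number of distinct patient records touched}."""
    buckets = defaultdict(set)
    for hour, user, patient in events:
        buckets[(user, hour)].add(patient)
    per_user = defaultdict(dict)
    for (user, hour), patients in buckets.items():
        per_user[user][hour] = len(patients)
    return per_user


def flag_anomalies(per_user, abs_cap=25, ratio=5.0, min_history=2):
    """Alert when an hour exceeds abs_cap distinct records, or ratio times the
    median of that user's earlier hours (once at least min_history exist)."""
    alerts = []
    for user, hours in per_user.items():
        for hour, count in sorted(hours.items()):
            history = [c for h, c in hours.items() if h < hour]
            baseline = median(history) if len(history) >= min_history else None
            spike = baseline is not None and count > ratio * baseline
            if count > abs_cap or spike:
                alerts.append({"user": user, "hour": hour,
                               "distinct_patients": count, "baseline": baseline})
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(hourly_distinct_patients(parse(build_sample_log()))):
        print(alert)
```

Comparing each user against their own history matters in healthcare: a triage nurse legitimately opens far more records per hour than a billing clerk, so a single global threshold either misses the clerk's spike or drowns the nurse in false positives.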
Protecting Healthcare Data In The Cloud
- 93% of healthcare organizations are currently using some form of cloud services.
- 63% plan to use multiple cloud vendors.
- 25% of healthcare organizations using the public cloud report that they are not encrypting patient data.
While using the cloud for data storage and taking advantage of useful applications makes sound business sense, special consideration must be given to the security aspect. Under HIPAA guidelines, the Cloud Service Provider (CSP) is classified as a business associate who provides services. The healthcare organization must enter into a business associate agreement, and the CSP becomes liable for complying with HIPAA.
In addition to the normal access control security, there are additional considerations for data held in the cloud. The CSP must be able to guarantee data will be protected from unauthorized access, and that access to critical data will continue in the event of either hardware failure or a Denial of Service attack.
Additionally, the CSP must guarantee that data that has been deleted cannot be accidentally disclosed. Since cloud services are often distributed over many different servers in different locations, deleted data may still appear in replications, logs and backups. Since data can still be recovered from failed hard drives, the CSP must physically destroy any media that is beyond economical repair.
The Cloud Security Alliance provides certification of cloud services, as well as education in cloud-related security.
When selecting a cloud vendor, healthcare providers should:
- Ensure the CSP is certified by the Cloud Security Alliance.
- Require the CSP to provide secure access to its resources, with a valid SSL certificate.
- Insist on encryption of sensitive information.
- Agree with the CSP on who will be responsible for which aspects of security.
- Make sure the provider’s own security staff know how to access and process any network monitoring reports and tools supplied by the CSP, and use that data vigilantly; if necessary, augment it with additional monitoring procedures.
- Use strong passwords and account lockouts to protect against hackers.
Ransomware Is The #1 Cyber Security Attack In Healthcare
- Healthcare has the highest number of attacks by ransomware over any other industry.
- The healthcare industry was the victim of 88% of all ransomware attacks in US industries in 2016.
Ransomware is one of the most popular forms of cyber attack. Malicious software encrypts a company’s files, and the perpetrators then demand a large ransom to provide the decryption keys. Well-known examples include WannaCry and SamSam.
In healthcare, this situation can have devastating effects. Hackers were able to encrypt patient files from the National Healthcare System (NHS) and then demanded a ransom for the files. As a result, patients had to be treated without access to their clinical history or prescription details, ambulances were rerouted, and appointment records became unavailable.
Given the critical nature of the business, healthcare providers are seen as a soft target by this type of malicious attack, since there’s a high chance they’ll pay the ransom over placing lives at risk.
As yet, there is no recorded instance of medical devices being targeted by ransomware. Nevertheless, the possibility that a facility could be held to ransom to prevent malfunction of its medical devices should be given high priority when planning security.
Compromised CT scanners could release fatal doses of radiation, infusion pumps could deliver the wrong doses, and patient monitoring devices could fail to send the correct data.
Malware can find its way onto the network in two ways:
- Phishing emails persuade employees to either download an attachment or visit a specific website, both of which are loaded with malicious code.
- If a hacker can gain access to the network and is able to escalate their privileges then they can plant the malware on a system.
For example, SamSam uses a brute force attack on a vulnerable endpoint. Once on a single computer, it spreads itself around the network. Once enough systems are infected with the code the malware “activates” the payload to encrypt the files.
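The endpoint control listed earlier (locking an account after a fixed number of unsuccessful logins) is the direct counter to the brute-force entry described for SamSam. The following added example is not code from the original article; the event format, thresholds, usernames and the sample events are constructed, and 198.51.100.7 is a documentation address. It applies a sliding-window lockout per account and separately reports source addresses with many failures, which is the signal a monitoring team would alert on:

```python
"""Account lockout after repeated failed logins, with a brute-force source report.

Added example, not part of the original article or of any product it names.
Event format, thresholds, usernames and the sample events are constructed;
198.51.100.7 is a documentation address, not a real attacker.
"""
from collections import defaultdict, deque, Counter
from datetime import datetime, timedelta


class LockoutPolicy:
    """Refuse attempts for lockout_s seconds once max_failures failed logins
    for a user fall within a sliding window of window_s seconds."""

    def __init__(self, max_failures=5, window_s=600, lockout_s=900):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_s)
        self.lockout = timedelta(seconds=lockout_s)
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> datetime the lock expires

    def attempt(self, user, ts, password_ok):
        """Return 'locked', 'denied' or 'allowed' for one login attempt."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"          # even a correct password is refused while locked
        recent = self.failures[user]
        while recent and ts - recent[0] > self.window:
            recent.popleft()         # forget failures older than the window
        if password_ok:
            recent.clear()
            return "allowed"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            recent.clear()
            return "locked"
        return "denied"


T0 = datetime(2019, 3, 4, 2, 0, 0)

# Constructed sample events: (timestamp, user, source IP, password_ok)
SAMPLE_EVENTS = (
    # eight rapid failures against a remote-access account from one address
    [(T0 + timedelta(seconds=10 * i), "rdp_admin", "198.51.100.7", False) for i in range(8)]
    # a clinician mistypes twice, then logs in normally
    + [(T0 + timedelta(minutes=5), "dr_smith", "10.0.0.5", False),
       (T0 + timedelta(minutes=5, seconds=20), "dr_smith", "10.0.0.5", False),
       (T0 + timedelta(minutes=6), "dr_smith", "10.0.0.5", True)]
)


def run(policy, events):
    """Replay events in time order; returns user -> list of outcomes."""
    outcomes = defaultdict(list)
    for ts, user, _ip, ok in sorted(events, key=lambda e: e[0]):
        outcomes[user].append(policy.attempt(user, ts, ok))
    return dict(outcomes)


def brute_force_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed logins, for blocking or alerting."""
    fails = Counter(ip for _ts, _user, ip, ok in events if not ok)
    return sorted(ip for ip, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    for user, seq in run(LockoutPolicy(), SAMPLE_EVENTS).items():
        print(user, seq)
    print("brute-force sources:", brute_force_sources(SAMPLE_EVENTS))
```

With the defaults, the fifth failure locks `rdp_admin` for fifteen minutes and the remaining attempts are refused without being counted, while the clinician's two typos are forgiven by the later successful login. The per-source report is the piece that belongs in monitoring: a lockout protects one account, but an address generating many failures is an indicator worth an alert whether or not any account was locked.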
Healthcare providers can prevent ransomware attacks by:
- Implementing Security Awareness Training – Train and educate employees on the dangers of phishing emails and how to identify them.
- Preventing Personal Use Of Work Devices – Prevent employees from using work computers to access the internet for personal reasons.
- Performing Comprehensive Backups – Create data backup and retention policies so that critical data can be restored in the event of an attack.
- Creating An Incident Response Policy – Clearly define the steps that should be taken in the event of a ransomware attack and delegate roles and responsibilities.
In the event of an attack, paying the ransom is not recommended. Not only does it perpetuate the criminals’ behavior, but also there is no guarantee the information will actually be returned. While joint projects by the Netherlands police, Europol’s Cybercrime Centre, and McAfee have made considerable progress in providing a way for ransomware victims to retrieve their data, there still isn’t a reliable or cost-effective solution in place.
Email Fraud Is On The Rise
- 20% of healthcare domain emails were fraudulent in 2017.
- Healthcare organizations were targeted 473% more often in Q4 2018 vs Q1 2017.
Email fraud in the healthcare industry is on the rise. Email spoofing, where a trusted domain is used by scammers to make their emails appear more authentic, is becoming increasingly common. The phishing email will look as if it comes from an authentic domain, and recipients are much more likely to fall for the fraud.
Healthcare providers are particularly vulnerable to this type of fraud. Patients who rely on critical care are unlikely to ignore a request for payment that appears to come from their doctor or clinic, as they will not want to jeopardize their treatment plan.
In addition, healthcare staff can easily be tricked by an email that appears to come from their own organization and may be induced to supply their credentials to look-alike websites loaded with malicious code. The threat actor can then store and use these credentials to hack into the organization’s network and steal valuable data.
A spoofing attack may target your employees, your patients, or your business partners.
Healthcare providers can protect themselves against an email phishing attack by:
- Using The DMARC Email Security Protocol – DMARC publishes a policy record in DNS, so receiving mail servers can check that any email purporting to come from you is in fact properly authenticated.
- Providing Security Awareness Training – Ensure employees are educated on the dangers of phishing attacks.
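Whether a DMARC record actually stops spoofed mail depends on the tags it carries, and a record that exists but says `p=none` only reports. The following added example is not code from the original article; the domain clinic.example and the three sample records are constructed, while the tag names (v, p, sp, pct, rua, adkim, aspf) are the standard DMARC tags. It parses a record and lists the weaknesses a provider should fix before relying on it:

```python
"""DMARC policy record parser and strength check.

Added example, not part of the original article. The sample records and the
domain clinic.example are constructed; the tag names are the standard DMARC
tags. A live record is published as a TXT record at _dmarc.<domain>; fetching
it is left out so the example runs offline.
"""

VALID_POLICIES = ("none", "quarantine", "reject")   # weakest to strongest

# Constructed sample records for clinic.example
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@clinic.example"
PARTIAL = "v=DMARC1; p=quarantine; pct=50; sp=none"
ENFORCING = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
             "rua=mailto:dmarc-reports@clinic.example")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; rejects records that are not DMARC1."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def assess_dmarc(record):
    """Return the policy, whether it actually blocks spoofed mail, the
    alignment modes, and a list of weaknesses found in the record."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")

    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing attempts are never seen")

    # sp= governs subdomains; it defaults to p= but can silently be weaker.
    sub_policy = tags.get("sp", policy).lower()
    if (policy in VALID_POLICIES and sub_policy in VALID_POLICIES
            and VALID_POLICIES.index(sub_policy) < VALID_POLICIES.index(policy)):
        findings.append(f"sp={sub_policy} leaves subdomains weaker than the main domain")

    # adkim/aspf default to relaxed ("r"); strict ("s") requires an exact domain match.
    alignment = {k: tags.get(k, "r").lower() for k in ("adkim", "aspf")}
    return {
        "policy": policy,
        "enforcing": policy == "reject" and pct == 100,
        "alignment": alignment,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, rec in (("monitor-only", MONITOR_ONLY), ("partial", PARTIAL), ("enforcing", ENFORCING)):
        result = assess_dmarc(rec)
        print(name, "enforcing:", result["enforcing"])
        for f in result["findings"]:
            print("   -", f)
```

DMARC only has something to enforce once SPF and DKIM are published for the sending domain, since it checks that one of them passes and aligns with the From: header; the usual rollout is `p=none` with `rua=` reporting to find legitimate senders that fail, then `quarantine`, then `reject` at `pct=100`.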
Employees Are The #1 Cyber Threat To Healthcare Providers
- 54% of healthcare business associates say their top vulnerability is tied to employee negligence in handling patient information.
- 81% of healthcare cyber security incidents are rooted in employee negligence.
- 69% of healthcare organizations cite negligent or careless employees as their top worry for security incidents, followed by cyber attacks (45%) and insecure mobile devices (30%).
Loss of data through employee negligence can happen in many ways. Careless employees can leave either documents or devices such as smartphones lying around where they can be lost, stolen or accessed by unauthorized persons. They can leave their computer unlocked and unattended so that others can access both data and the network. They can leave important papers or notepads holding passwords lying around on the desk.
The risk is much higher where employees work remotely – they could, for instance, work in a coffee shop where anyone may be watching them. They could access the network via public Wi-Fi, which may not use proper security and encryption of messages. Their family may use their devices to access insecure sites. This risk also applies to external contractors and vendors.
To defend against internal cyber threats:
- Train employees to ensure they understand the need for security and follow procedures correctly.
- Promote awareness regularly.
- Have proper policies in place, particularly for those working off-site.
- Secure physical access to confidential information.
- Stolen or lost devices must be reported immediately.
- Ensure old hard drives are disposed of correctly.
What Are The Costs Of Cyber Attacks On Healthcare Providers?
- The average cost of a cyber attack in healthcare is $3.62 million.
- Data breaches are costing the US healthcare industry about $6.2 billion per year.
These statistics may, in fact, be understated. There are many hidden costs incurred in an attack, such as reputational damage, reduced turnover and the cost of investigation and recovery.
It makes sense that companies should do a full risk analysis, and establish whether they should, in fact, be spending more on security. An analysis of healthcare providers whose security had been breached showed that the cost of recovery was significantly less for those who were able, through monitoring procedures, to detect the attack early and contain it.