In today’s hyper-electronic world, cybersecurity is vital to businesses of all sizes, no matter what industry you’re in. However, one industry that appears particularly vulnerable to cyberattacks is healthcare.
Since the start of 2023, more than 395 data breaches have been reported, according to the July 2023 HIPAA Journal Healthcare Data Breach Report—and 59,569,604 health records have been exposed or stolen.
Cybercriminals may target healthcare organizations looking for high-value data such as financial information, patients' protected health information (PHI), personal information like social security numbers, and valuable medical research.
In addition to the data stored within healthcare facilities, the sheer number of systems and services these organizations use puts them at heightened risk. As beneficial as they are, tools like e-prescribing systems, patient management support systems, and radiology information systems can increase the likelihood of an attack, especially if not configured correctly or running an outdated version.
Because of the staggering statistics and valuable information, healthcare professionals from all sorts of organizations, whether private practice, large hospitals, medical product manufacturing facilities, or labs, need to be proactive about protecting sensitive patient information.
In this blog, we will first identify the common types of healthcare cyberattacks to be aware of and then give you five steps to achieve stronger cybersecurity in a healthcare setting.
Healthcare cybersecurity risks
First, let’s look at some of the common reasons cybersecurity attacks are a significant threat to the healthcare industry:
- The high value of health records
- Ransomware is increasingly common
- Increasing costs of cyberattacks
- Lack of preparedness
- Reputational damage and legal risk
Healthcare cyberattacks are on the rise. Ransomware, malware, and phishing are common types of attacks that occur in healthcare, and on average, a successful attack can cost an organization $10.93 million—quite a bit more than the average cost for breaches among all industries of $4.45 million.
Ransomware in healthcare
Ransomware is a type of cyberattack where malicious software blocks access to a computer system until a ransom is paid. At 61%, healthcare organizations are more likely than other types of businesses to actually pay a ransom to regain access to their data. As patients need care and time is often of the essence, cybercriminals use this to their advantage.
The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center HHS (HC3) recently warned of a triple-extortion ransomware threat group first observed in May 2023. The warning states that the health sector is likely in the crosshairs of NoEscape, a ransomware-as-a-service group that's been targeting a range of industries.
An example of a notable healthcare ransomware attack occurred at Medibank in 2022. Russian-based hackers stole the personal information of 9.7 million customers, including names, birthdates, and social security numbers. The hackers demanded $10 million in ransom.
In this case, Medibank refused to pay, promising they could prevent the publication of patient data.
Phishing in healthcare
With more than 500 million phishing attacks reported in 2022, phishing is an extremely common cyberattack method where individuals are targeted by criminals who send fraudulent emails or other messages. These messages will include links to dangerous sources or ask for a response with personal or private information.
Phishing is the leading cause of healthcare data breaches, and attacks are increasing among all industries. According to the 2022 IBM X-Force Threat Intelligence Index, phishing in 2021 accounted for four in 10 cyberattacks across all sectors.
Phishing affects businesses when an employee falls victim to a fraudulent message. For example, back in 2014, hackers sent a phishing email to a Premera Blue Cross employee that included a link to download a document that contained malware. Premera Blue Cross had to pay $74 million to settle a class-action lawsuit that resulted from the data breach of more than 10.6 million records.
Now that you understand the risks and threats of healthcare cyberattacks, here are five steps to achieve better cybersecurity.
1. Train employees and implement policies
A 2023 data threat report found that human error is one of the leading causes of cybersecurity breaches—55% of responding businesses that recently reported a breach said that human error was the primary cause. As cybercriminals become increasingly stealthy, your workforce needs to be proactive by training each employee on the types of cyberattacks they could encounter.
Employees are your first line of defense when it comes to cybersecurity. Here are six steps to take when training and preparing employees:
- Identify clear protocols and make following them a priority.
- Have policies in place that keep sensitive data safe.
- Regularly teach employees about cyber threats, specifically email phishing scams.
- Require backup of all critical data.
- Only issue devices to authorized individuals.
- Prohibit unauthorized software downloads.
Topics for employee cybersecurity training
Social engineering attacks
Training should start with one of the biggest cyber risks. Many cyberattacks use social engineering techniques to fool employees—such as physicians, assistants, and administrative staff—into clicking on malicious links or sharing credentials. If successful, attackers may then:
- Compromise private patient data, including medical records
- Intercept financial or medical insurance payments
- Shut down systems and demand ransom to restore access
Employees should be aware that phishing emails often intentionally use typos to evade spam filters or isolate easier targets. Emails may include aggressive or intimidating language to further coax the victim into responding or malicious attachments that, once clicked, download malware onto the system.
Choosing the right passwords
Passwords are the first—and sometimes only—line of defense stopping attackers from accessing accounts and compromising sensitive patient data. Far too many users rely on weak credentials, such as “password”, “123456”, and “qwerty.”
Yes, simple passwords are easy to remember but also easy for attackers to guess.
Instead, employees should know how to create a strong password. Passwords should be long and complex, mixing upper and lowercase letters, numbers, and symbols. Every additional character makes it more challenging and time-consuming for an attacker to crack. Something like “A$fkLLffm39@zldeG” would be strong.
We also recommend using passphrases—strings of words that make sense to the user and no one else—as these are naturally longer and harder to guess. “Green-wall-window-blind-33” is an example of a great passphrase.
Bonus tip: A password manager makes creating, securely storing, and retrieving unique and complex credentials easy. Look for a password manager with a strong reputation among clients and a clear commitment to security, fair pricing, and support for the platforms you use (such as iOS and Linux).
Other cyber security training topics to consider
Every healthcare organization is unique, with different training needs and priorities. Regardless of what your organization’s areas of concern are, you may also want to conduct training about:
- Data privacy regulations and their impact on operations—for example, what are your responsibilities for data breach notification, both to authorities and affected clients?
- How to physically secure IT assets—ensure everyone within the organization has auto-lock turned on for their company devices and never leaves them unattended.
- How to respond to a cyber security incident—should employees forward suspicious email messages they receive? If yes, when and to whom?
2. Put the right technology in place
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a popular tool to protect email, accounts, and other cloud-based logins. It adds a defensive layer by requiring two or more authentication factors to confirm user identity.
A common form of MFA is SMS (text) or email codes. While MFA is always a good idea, experts say traditional forms are no longer enough in 2023. Both the National Institute of Science and Technology (NIST) and the EU Cybersecurity Agency (ENISA) have called SMS the least secure authentication method.
Because of the increased cyber risks, it’s advised to use more secure methods of MFA and even consider working with a trusted MFA partner to manage the authentication of your accounts.
Use a virtual private network (VPN)
Accessing data over a shared internet connection can introduce added cyber risk. While convenient, public hotspots typically have minimal security measures, making them relatively easy targets.
If employees must use public Wi-Fi, a virtual private network (VPN) can help secure their connection. VPNs work by masking the user’s internet protocol (IP) address to defend against attack techniques that target weak infrastructure.
There are several instances when a healthcare worker would want to use a VPN, for example:
- When using public Wi-Fi at a conference or café
- When travelling (especially at an airport or hotel)
- When accessing the organization’s network remotely
Choose a VPN based in a country with solid data protection laws and nearby servers for a more reliable connection. Remember that, unlike certain firewalls, VPNs can’t stop users from clicking on malicious websites or links.
The Cybersecurity Handbook for Healthcare
Learn what our experts say about cybersecurity in the healthcare industry, including top tips to protect your practice.
3. Patch and update regularly
The healthcare industry has made significant technological advances in recent years. Small and large institutions have brought in smart devices, electronic patient databases, and more.
Cybercriminals may look for unpatched assets to access an IT environment. When developers provide software updates, they may address performance issues, fix bugs, or resolve vulnerabilities. Installing these new updates is critical for removing security loopholes that attackers can exploit.
Another thing to consider is whether your healthcare organization has any legacy systems, those that are no longer supported by the developer. Legacy systems can be expensive to replace, which is why many larger organizations continue to use them despite the added risk.
4. Have a recovery plan
The unfortunate reality of cyberattacks is that they can still happen no matter how many measures you put in place. Attackers can be persistent—given enough time, they can find their way into your systems.
This is why disaster recovery plans are essential—especially for the healthcare industry where “life-or-death” is a very real possibility. Should an incident occur and limit access to critical patient files, your teams need a plan to ensure critical systems stay up and running.
Ensure you regularly back up critical data as part of your recovery plan. Backups make it easy to retrieve essential files and resume operations quickly after an attack.
Every backup solution has its advantages and disadvantages. Take the time to select an approach based on your organization’s unique needs. For example, saving business-critical data to an external hard drive might not make sense for telehealth providers.
5. Continuously monitor for cyber threats
The best way to keep your data secure is to monitor your network, cloud-based services (e.g., electronic medical records systems), endpoints (e.g., workstations), and Internet of things (IoT) devices (e.g., wearable devices) for threats.
Unfortunately, an in-depth assessment conducted by PwC found that many healthcare organizations lack proper internal monitoring. The firm simulated real-world cyberattack techniques and was able to compromise sensitive data in a “surprising number of cases.”
Among the five steps that PwC suggests to strengthen cybersecurity readiness? Actively monitor systems.
Having the right solution in place makes it easy to spot cyber threats in even the most complex IT environments. A holistic threat monitoring, detection, and response platform provides the end-to-end visibility needed to find and stop attacks early before they can cause too much damage.
Securing your healthcare organization
Healthcare cyberattacks are incredibly costly. In fact, the cost to remediate a data breach in the healthcare industry is almost three times that of other sectors—it averages about $408 per stolen healthcare record.
With vital patient care data, private medical research, IoT devices, and potential lawsuits on the line, it’s time to ensure your healthcare organization is secure.
Download The Cybersecurity Handbook for Healthcare to find more great information about securing your healthcare organization. In it, you'll dive deeper into topics like:
- Who’s targeting you, how they’ll attack, and what they want
- The major consequences of experiencing a security incident
- Best practices proven to strengthen your defense