Nearly 3.4 million healthcare records are compromised every month in the US. The industry is a growing target for cyber attackers — and it’s no secret why.
Between private practices, treatment centres, medical equipment manufacturers, labs, specialized clinics, and long-term care facilities, cyber criminals have many healthcare-related targets.
But the scope of opportunity isn’t the only reason why cyber attacks are more costly and common than ever.
Why are cyber criminals targeting the healthcare industry?
Four major factors make the healthcare industry an appealing target for cyber criminals.
First, healthcare providers hold personally identifiable information (PII), medical records, and the billing details of their patients. This valuable data is a hot commodity on the dark web as criminals may use it for identity theft, health insurance fraud, and other schemes. Medical research and intellectual property (IP) are valuable as well, particularly to foreign hackers.
Second, those in the industry may be more willing to oblige attacker demands to restore operations quickly and minimize consequences. While a few hours of downtime at a retailer may lead to minor repercussions, not having access to patient records could be a life-or-death situation.
Third, the industry has focused on addressing the global pandemic, affecting the time and resources they can set aside for other priorities. Many healthcare professionals have invested the bulk of their energy toward helping patients and following COVID-19 protocols, leaving little left to focus on cyber security.
Criminal groups explicitly said they would not target medical organizations during the pandemic — but that promise was short-lived. Attackers quickly took advantage of overwhelmed facilities and exhausted staff.
The final reason is that healthcare institutions are notoriously difficult to secure. Hospitals, clinics, and other treatment centres are adopting new technology quickly. Smart devices, equipment, and systems can drive efficiency and better patient outcomes but, if unsecured or outdated, can offer attackers a gateway to the rest of the network where valuable data, research, and IP live.
Why should smaller practices be concerned?
It’s easy to assume that a single-physician clinic lies below an attacker’s radar. On the contrary, recent studies show that a significant number of cyber security incidents and data breaches involve small healthcare organizations.
This may be because smaller offices are the majority. According to the American Medical Association (AMA), most physicians work in practices with fewer than ten doctors on staff. Smaller clinics and rural hospitals often face the same cyber security risks as larger organizations, but without similar funding for education, experts, or software.
With all this in mind, let’s take a closer look at the top cyber threats and risks facing the healthcare industry.
Ransomware is a type of malware that restricts access to files or systems until the victim pays ransom to the attacker.
How does it work?
These attacks may begin with a phishing email or by exploiting a vulnerability, such as a medical device running on an outdated Microsoft operating system, to gain access. In the past, victims would receive a note demanding payment in exchange for their data back. Today, instead of limiting file access, attackers often make copies and threaten to publish them.
How common are ransomware attacks on healthcare providers?
The number of ransomware attacks has been rising for years. Medical providers can’t simply pause operations because an attacker encrypted their files or systems. They need to resolve interruptions as quickly as possible, which may mean paying a ransom.
The Irish Health Service Executive (HSE) shut down its computer systems after a significant ransomware attack in May 2021. The hackers claimed to have stolen 700 GB and threatened to publish or sell the stolen data unless paid $20,000,000.
Many clinics had to cancel appointments and certain services while they worked to minimize damage. Between restoring the network and upgrading systems, HSE expects the recovery will cost at least £100 million.
Social engineering attacks
Social engineering attacks try to trick victims into giving away sensitive information (such as login credentials) or downloading malicious files that compromise their system. Social engineering attacks may include phishing, business email compromise, whaling, and more.
How do these attacks work?
Cyber criminals will often research their targets before launching their attack. If you have a website or social media account, attackers will probe those to see what insights they can collect. Are there any email addresses to target from the website? Is your clinic or organization sharing anything on social media that may be useful to include in the attack?
You, your employees, or even patients may then start receiving illegitimate emails. The attacker may pose as someone else (often a trusted individual) and ask the recipient to:
- Send patient data, research, or other sensitive files
- Open malicious hyperlinks or attachments
- Share credentials to healthcare databases or portals
Since 2020, social engineering attacks have focused largely on the COVID-19 pandemic, vaccines, and personal protective equipment (including N95 masks, face shields, hand sanitizer, and isolation gowns). In fact, the Federal Bureau of Investigation (FBI) released a notice in April 2020 warning of targeted email phishing attempts against US-based medical providers.
How common is social engineering?
Social engineering is one of the most popular cyber attack techniques because of its effectiveness. When it comes to cyber security, employees are the weakest link; studies have repeatedly shown that one of the biggest cyber security risks is employee negligence.
University of California (UC) San Diego Health, an academic health system, recently experienced a phishing attack that exposed the data of patients, employees, and students. For months, attackers had access to sensitive information such as full names, social security numbers, payment card numbers, lab results, medical conditions, and more. Unfortunately, this isn’t the first time UC San Diego Health had to inform patients about a cyber attack stemming from a third-party provider.
Outdated, unpatched, or misconfigured systems
While many attacks exploit the end-user, not all do.
Cyber criminals may look for outdated, unpatched, or misconfigured systems that connect to the internet, including computers, specialized medical equipment, software, cloud services, and more. Vulnerable infrastructure may give hackers a back door into your IT environment.
What is vulnerable infrastructure and why is it a risk in healthcare?
“Vulnerable infrastructure” is a broad term that can refer to unpatched or out-of-date software and hardware. Whether it’s a software bug or known security vulnerability, these issues may give cyber criminals a way to access your systems, allowing them to stage further attacks or otherwise compromise your IT operations.
Developers regularly provide software updates to address performance issues or improve software and will supply separate patches to address specific security vulnerabilities they’ve found. Applying these patches is vital for closing known security gaps.
Misconfigured systems pose similar risks. New hardware and software within your organization must be installed and integrated to ensure they don’t compromise security. Incorrect access permissions and weak passwords, for example, may leave your infrastructure more vulnerable to an attack.
But what happens when developers stop supporting software altogether? This leads to outdated “legacy” systems which, according to the 2020 HIMSS Cybersecurity Survey, are extremely common in the healthcare industry. Of the 168 US-based cyber security professionals who responded to the survey, 80% said their organization currently used legacy systems.
Replacing older systems can help address these concerns, but it’s a time-consuming and resource-intensive process for any-sized organization.
Sophisticated, organized cyber crime groups
Nation-state attacks launched by foreign governments, and state-sponsored attacks which involve affiliated cyber criminal groups, are two major risks to the healthcare industry. These threat actors use many of the same attack tactics — such as ransomware and phishing — as less sophisticated hackers but with more technical capability, funding, and force.
Why would nation-state groups target the healthcare industry?
Healthcare providers may be particularly vulnerable if they have information (such as groundbreaking medical data or research) that helps an attacker’s mandate or gives them a competitive edge. Unlike amateur hackers, these groups can be very skilled and persistent.
COVID-19 and associated vaccine research have made healthcare institutions an even more tempting target. According to intelligence agencies in the UK, US, and Canada, nation-state-backed hackers are trying to break into medical systems to access vaccine-related research and data.
Homewood Health, a Canadian mental health and addiction treatment provider, confirmed they had been the victim of a data breach earlier this year. A dark web marketplace, Marketo (not to be confused with the marketing tool of the same name), advertised the stolen data, which included financial details, accruals, agreements, amendments, projects, and databases. Homewood Health has blamed Hafnium, a group of state-sponsored Chinese hackers, for the attack.
The consequences of a compromise
Cyber attacks aren’t cheap. Costs add up quickly following the initial investigation, lost business from system downtime, replacing or fixing impacted systems, ransom payments, and more. One medical practice even decided to shut its doors for good following a ransomware attack.
But direct revenue losses are only one piece of the puzzle. In a recent survey, more than 90% of individuals said they would change healthcare providers if their data was exposed in a “preventable” cyber attack. Patient expectations are higher than ever — they trust your organization will keep their data secure. A data breach can cause significant reputation damage and affect your bottom line for years after the initial incident.
In some locations, data breach victims can even take legal action. Pennsylvania-based Einstein Healthcare Network is facing a class-action lawsuit following a cyber attack that compromised the data of 353,616 patients. The lawsuit claims that the healthcare organization failed to provide adequate notice of the breach and that the victims will forever face an increased risk of identity theft.
Cyber attacks on the healthcare industry affect not just the target organization but the patients it serves too. That’s why the sector has extremely stringent cyber security regulations compared to many others, including The General Data Protection Regulation and The Health Insurance Portability and Accountability Act.
What you can do
Understanding cyber risks is a great first step toward better cyber security. But it doesn’t stop there.
Organizations should have visibility to find and eliminate cyber threats. With a view of the entire IT environment — networks, cloud services, devices, remote users — you can better protect your patients, staff, and sensitive data. But this can be hard and often requires specialized skills to understand and prioritize threats.
With Field Effect’s Covalence, you get a complete cyber security solution. Purpose-built for small and mid-size businesses, Covalence allows you to identify threats across your full infrastructure, plus gain a team of experts offering 24/7 support.
Stay up to date on cyber security risks and tips, webinar invites, and more by signing up for our newsletter below.