The healthcare sector continues to work on improving treatment and care for patients while introducing more technology to keep up. All of those changes don’t come without certain risks and threats. Much like in 2019, in 2020 the healthcare industry has been the main target for cyber attacks. The COVID-19 pandemic placed an enormous strain on the healthcare sector’s entire infrastructure, including the online one.
Why are healthcare practices targeted by cybercriminals?
The volume and type of confidential data make healthcare practices a prime target for cyber criminals, with healthcare being the most targeted industry, making up a third of all US data breaches. Patient records with medical details, financial information, patents and clinical trials: all of this data can bring a lot of money to cyber criminals.
Medical information and research data has a high price on the black market — up to $1000 per record. Compare that to credit card details that are only around $100.
Great financial gain for the attackers, but equally as great is the financial loss to affected healthcare practices.
A stolen record costs healthcare practices an average of $429 per record, making it the industry with the costliest data breaches.
All healthcare organizations are at risk from cyber attacks — whether you are a large hospital or a small practice. In the US, cyber criminals find the most success attacking mid-sized and smaller healthcare organizations. While large organizations have a larger volume of enticing data, smaller healthcare practices often have weaker cyber defenses, making them an easy backdoor to a larger target.
However, due to the heavy penalties incurred by HIPAA violations, most healthcare practices are expanding their security efforts in order to remain compliant. Safeguarding patient and client sensitive data is at the core of HIPAA and while it’s important to be compliant, further cybersecurity measures and practices should be followed.
Biggest Cybersecurity Threats for Healthcare Practices
With such sensitive patient data in their care, healthcare businesses of all sizes must treat effective cybersecurity best practices as an imperative. Cyber threats can disrupt operations, leading to potentially lethal situations, or lead to theft and corruption of confidential data. Knowing the tactics and methods cyber criminals use is the crucial first step in keeping the integrity of your systems and the privacy of your patients.
It’s impossible to ignore the devastating ransomware attacks that have targeted the healthcare sector during 2020.
In that year alone, 560 healthcare providers fell victim to a ransomware attack with the one on Universal Health Services being the most significant. More than 400 hospitals and care facilities across the US were impacted by the attack, with ambulances being rerouted, radiation treatments for cancer patients delayed and many medical records permanently lost.
A ransomware attack typically starts with a phishing email appearing to be from a legitimate source. It will contain a malicious attachment or a link that the recipient is enticed to click on. After the user clicks on the link or downloads the attachment, it can plant malware on their system or lead to a website that appears legitimate and where they would input their credentials. Attackers can then gain access to that user’s account and, from there, spread across the entire network. Once they have access, they will encrypt and block access to data or the entire system until a ransom is paid.
Decryption or paying the ransom are often the only remaining options. Healthcare practices hit by ransomware can struggle to operate properly, as the example above shows. Additionally, permanent loss of data can cause HIPAA violations and other financial losses.
Business email compromise
Email has always been a prevalent way for cyber criminals to launch attacks, with healthcare practices being one of the main targets. Business email compromise (BEC) involves scammers tricking recipients into sharing confidential and financial information. They achieve this by pretending to be someone from the inside or close to the organization.
Attackers can gain access to an employee’s email account via, for example, phishing and then mimic the employee to communicate with others in the organization. They can also impersonate an external partner and set up lookalike emails to solicit information.
In 2019, VillageCare Rehabilitation and Nursing Center in New York received an email that appeared to come from a senior level employee requesting patient information. The recipient trusted this was a legitimate email and the attacker was able to obtain information on 674 patients.
BEC attacks are so successful because they are highly targeted — attackers conduct plenty of research prior to their attacks. They will discover how to bypass any email protection measures and impersonate the targeted individual quite effectively.
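The lookalike-sender and impersonation tricks described above can be caught at the mail gateway with a few cheap checks. The following Python script is an added example, not code from the original article: it flags sender domains within a small edit distance of the practice's own or a partner's domain, trusted names reused as a prefix of a longer domain, and a Reply-To that points somewhere other than the From domain. The domains (examplecare.org, partnerlab.com) and the sample headers are constructed for the demonstration.

```python
from email.utils import parseaddr

# Constructed: the practice's own domain and the domains of trusted partners.
TRUSTED_DOMAINS = {"examplecare.org", "partnerlab.com"}

# Constructed sample headers for demonstration; these are not real messages.
SAMPLE_HEADERS = [
    {"From": "Dr. Jane Smith <jane.smith@examplecare.org>", "Reply-To": ""},
    {"From": "Dr. Jane Smith <jane.smith@examp1ecare.org>", "Reply-To": ""},
    {"From": "Billing <billing@partnerlab.com>",
     "Reply-To": "billing@partnerlab-invoices.com"},
    {"From": "IT Helpdesk <helpdesk@examplecare.org.co>", "Reply-To": ""},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From or Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def assess_sender(headers: dict, max_distance: int = 2) -> list:
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    from_domain = domain_of(headers.get("From", ""))
    reply_domain = domain_of(headers.get("Reply-To", ""))
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            distance = levenshtein(from_domain, trusted)
            if 0 < distance <= max_distance:
                findings.append(f"lookalike of {trusted} (edit distance {distance})")
            elif from_domain.startswith(trusted + "."):
                findings.append(f"trusted name {trusted} used as a prefix of {from_domain}")
    # A Reply-To on a different domain diverts the conversation away from the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


def triage(messages: list) -> list:
    """Run assess_sender over a batch and keep only the messages that produced findings."""
    results = [(m["From"], assess_sender(m)) for m in messages]
    return [(sender, found) for sender, found in results if found]


if __name__ == "__main__":
    for sender, found in triage(SAMPLE_HEADERS):
        print(sender, "->", "; ".join(found))
```

These checks only look at header fields, so they complement rather than replace SPF, DKIM and DMARC enforcement; a message from a genuinely trusted domain that fails authentication should still be held.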
Internal Threats to Healthcare
While many attacks come from outside threats, healthcare practices shouldn’t neglect what happens on the inside. Former employees wanting to sell confidential data for profit, staff working with cyber criminals to exfiltrate data, or even just a careless employee clicking on the wrong link — insider threats are highly probable and equally as dangerous.
What makes insider threats so dangerous is the fact that the threat actor is someone who already has access to the target’s systems, circumventing any perimeter cybersecurity defenses. The healthcare sector is particularly vulnerable. Insider threats topped the lists of healthcare’s biggest cybersecurity risks in previous years.
Even if it’s a simple case of a negligent employee, all it takes is one careless email incident to lead to a serious HIPAA breach.
While most other threats aim at stealing confidential patient and financial data, distributed denial-of-service (DDoS) attacks can render the entire network inoperable. For healthcare practices this can mean being unable to communicate online, provide patient care, issue prescriptions and carry out other critical actions, to the point of disrupting the entire practice. In a nutshell, a DDoS attack involves threat actors coordinating an attack that floods a healthcare network with so much traffic that it becomes inoperable.
DDoS attacks are difficult to catch as they can resemble other technical problems and are generally hard to protect against, no matter how strong your cybersecurity defenses are. In March of 2020, the U.S. Health and Human Services (HHS) suffered a DDoS attack that was orchestrated to interrupt COVID-19 pandemic response. But this doesn’t mean that smaller healthcare organizations and practices are not at risk of DDoS attacks — smaller networks are much easier to hit and overwhelm. Your practice doesn’t even have to be strictly targeted either — opportunistic DDoS attacks aren’t that rare.
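Because a flood can look like an ordinary outage, the quickest way to tell the two apart is to look at the request logs. The Python script below is an added example, not part of the original article: it parses web-server lines in Common Log Format, buckets them into ten-second windows, and raises one alert when a single source exceeds a per-source limit and another when the window as a whole exceeds a total limit even though no single source stands out, which is what a distributed flood looks like. The log lines, IP addresses (documentation ranges) and thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, datetime, status) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, status = m.groups()
    return ip, datetime.strptime(stamp, TS_FMT), int(status)


def detect_floods(lines, window_seconds=10, per_source_limit=50, total_limit=200):
    """Bucket requests into fixed windows and flag abusive sources and whole-window floods."""
    windows = defaultdict(Counter)   # window start (epoch seconds) -> Counter of source IPs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _ = parsed
        start = int(when.timestamp()) // window_seconds * window_seconds
        windows[start][ip] += 1

    alerts = []
    for start in sorted(windows):
        sources = windows[start]
        total = sum(sources.values())
        if total > total_limit:
            # Many sources, each below the per-source limit, is the signature of a distributed flood.
            alerts.append(("flood", start, total, len(sources)))
        for ip, count in sources.items():
            if count > per_source_limit:
                alerts.append(("noisy-source", start, ip, count))
    return alerts


def build_sample_log():
    """Constructed sample traffic: three staff workstations, one noisy source and a 60-host flood."""
    def entry(ip, second):
        return f'{ip} - - [01/Mar/2020:10:00:0{second} +0000] "GET /portal/login HTTP/1.1" 200 512'

    lines = []
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):           # legitimate clients
        lines += [entry(ip, 1), entry(ip, 4)]
    lines += [entry("203.0.113.9", i % 10) for i in range(80)]      # one source hammering the login page
    for host in range(60):                                          # distributed flood, 5 requests per host
        lines += [entry(f"198.51.100.{host}", i % 10) for i in range(5)]
    lines.append("garbage line that does not parse")                # malformed lines are skipped
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The thresholds have to be tuned against a baseline of normal traffic for the practice; the point of the two separate limits is that a per-source rule alone never fires on a flood spread thinly across many hosts.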
Cybersecurity Best Practices for Healthcare
While healthcare practices are under a myriad of cybersecurity threats, there are still best practices to follow to ensure they are not only HIPAA compliant but are also equipped to handle any incidents that come their way.
Enforce A Strong Password Policy In Your Practice
We’ve seen that many cybersecurity threats to healthcare practices come in the form of emails and similar ways in which attackers obtain access to employees’ accounts. In order to mitigate this threat and stop attackers from spreading further through the network, having a proper password policy is a must.
A strong password policy entails high password complexity, a unique password for each account and periodic changes of all passwords. Add multi-factor authentication to each account, in the form of an SMS code or similar, and all accounts on your network will be effectively protected.
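To make the policy concrete, here is an added Python example (not code from the original article) of the checks a password-change handler would run: minimum length, character-class mix, a deny-list of common passwords, no username inside the password, no reuse of the last few passwords (compared against salted PBKDF2 hashes, never stored plaintext), and a rotation-age check. It also includes an RFC 6238 TOTP routine, the "or similar" authenticator-app form of the second factor mentioned above, verified against the published test vectors. The policy constants, the deny-list and the sample usernames are constructed assumptions.

```python
import hashlib
import hmac
import os
import string
import struct
from datetime import datetime, timedelta

# Policy parameters: constructed defaults, tune them to your own practice's policy.
MIN_LENGTH = 14
MIN_CHARACTER_CLASSES = 3
MAX_PASSWORD_AGE = timedelta(days=90)
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000
# Tiny constructed deny-list; in practice compare against a breached-password corpus.
COMMON_PASSWORDS = {"password1234!", "welcome2020!!", "healthcare2020"}


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-SHA256 hash; returns (salt, digest) for storage in the password history."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_hash(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_violations(candidate: str, username: str, history: list) -> list:
    """Check a proposed password against the policy; history holds (salt, digest) pairs."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    if sum(any(ch in cls for ch in candidate) for cls in classes) < MIN_CHARACTER_CLASSES:
        problems.append("needs more character classes")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if username.lower() in candidate.lower():
        problems.append("contains username")
    if any(matches_hash(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


def rotation_due(last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the policy's maximum age."""
    return now - last_changed > MAX_PASSWORD_AGE


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1), the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current code or its immediate neighbours to tolerate small clock drift."""
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * 30), submitted):
            return True
    return False


if __name__ == "__main__":
    history = [hash_password("Tulip-Garden-Sprint-47")]
    print(password_violations("jsmith2020", "jsmith", history))
    print(password_violations("Tulip-Garden-Sprint-47", "jsmith", history))
    print(verify_totp(b"12345678901234567890", totp(b"12345678901234567890", 59), 59))
```

The TOTP secret would be generated per account at enrollment and stored encrypted; the policy checks run server-side, so the deny-list and history depth cannot be bypassed by a client.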
Always Use An Anti-virus Solution
In the case of an employee actually clicking on a malicious attachment and downloading malware onto their computer, it’s important to have an anti-virus solution installed on the network. This way, the virus or malware will be detected, quarantined and stopped from spreading further.
While anti-virus and anti-malware software are commonly used, healthcare providers should focus on deploying advanced software to keep up with all the malware strains out there. Additional protection is offered at the network level. You can place a firewall with anti-virus software on your network to further protect your sensitive data.
In ransomware attacks, your data is locked up and held for ransom; in that scenario data is usually corrupted or stolen. Regular backups need to be a routine for healthcare practices and should be enforced from the get-go. This is where it’s important to think proactively and adopt the mindset of “it’s not a question of if an attack will occur, but when it will occur”.
Special attention needs to be brought to sensitive and confidential data such as medical records, financial information and patents so they can be easily restored if an attack does happen. Consider offsite backups and ensure strong data encryption.
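A backup only counts if it can be restored, and an offsite copy only counts if it arrived intact. The Python script below is an added example, not code from the original article: it archives a directory, records a SHA-256 manifest for the archive and every file in it, verifies the archive hash (the check to run after the copy reaches offsite storage), and performs a test restore into scratch space that refuses archive members pointing outside the target directory. Encryption of the archive at rest is assumed to be applied by the backup or storage tool and is not shown here; the sample files and the label "records" are constructed.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def create_backup(src_dir, dest_dir, label="records"):
    """Archive src_dir into dest_dir and write a manifest of per-file and whole-archive hashes."""
    src, dest = Path(src_dir), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest / f"{label}-{stamp}.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            files[rel] = sha256_file(path)
            tar.add(str(path), arcname=rel)
    manifest = Path(f"{archive}.manifest.json")
    manifest.write_text(json.dumps(
        {"archive": archive.name, "archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest


def verify_archive(archive, manifest) -> bool:
    """Cheap check to run after copying to offsite storage: has the archive changed in transit?"""
    expected = json.loads(Path(manifest).read_text())["archive_sha256"]
    return sha256_file(archive) == expected


def _safe_extract(tar: tarfile.TarFile, target: Path) -> None:
    """Refuse members that are not plain files or would land outside the target directory."""
    root = target.resolve()
    for member in tar.getmembers():
        destination = (root / member.name).resolve()
        if not member.isfile() or root not in destination.parents:
            raise ValueError(f"unsafe archive member: {member.name}")
        tar.extract(member, str(root))


def restore_check(archive, manifest) -> bool:
    """Restore into scratch space and confirm every file hashes exactly as the manifest recorded."""
    expected = json.loads(Path(manifest).read_text())["files"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            _safe_extract(tar, Path(scratch))
        return all(sha256_file(Path(scratch) / rel) == digest for rel, digest in expected.items())


def run_demo():
    """Round trip on constructed sample data: verify, test-restore, then detect a corrupted copy."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dest:
        (Path(src) / "patients.csv").write_text("id,name\n1,constructed record\n")
        (Path(src) / "notes").mkdir()
        (Path(src) / "notes" / "visit-1.txt").write_text("constructed visit note\n")
        archive, manifest = create_backup(src, dest)
        verified = verify_archive(archive, manifest)
        restored = restore_check(archive, manifest)
        with open(archive, "r+b") as fh:   # simulate a corrupted offsite copy: flip the last byte
            fh.seek(-1, 2)
            last = fh.read(1)[0]
            fh.seek(-1, 2)
            fh.write(bytes([last ^ 0xFF]))
        return verified, restored, verify_archive(archive, manifest)


if __name__ == "__main__":
    print(run_demo())
```

Keep the manifest with the offsite copy but also somewhere the backup host cannot overwrite it; ransomware that reaches the backup share will happily corrupt both the archive and a manifest stored beside it.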
Frequent updates and patch management
All of these software solutions are great cybersecurity defenses, but in order for them to protect your system effectively they need to be updated regularly. Vulnerabilities and security holes that cyber criminals can exploit pop up in popular software.
While vendors are diligent in providing patches for them, it’s up to you to install them. Having a patch management strategy in place to make sure all software, operating systems and applications are kept current will make it easy to stay up to date and keep your healthcare practice from being vulnerable to cybersecurity threats.
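The core of a patch management strategy is knowing what is installed where and how far behind the vendor's current release it is. The Python script below is an added example, not code from the original article: it compares a software inventory against vendor-current versions using numeric version comparison (so 4.2.10 is correctly newer than 4.2.9) and flags anything still unpatched beyond a service-level window after the vendor's release date. The hostnames, product names, versions, dates and the 14-day window are all constructed placeholders.

```python
import re
from datetime import date

# Constructed inventory of what is installed on each workstation (hypothetical products).
INVENTORY = [
    {"host": "recept-01", "product": "Example EHR Client", "installed": "4.2.9"},
    {"host": "recept-01", "product": "ExampleOS", "installed": "10.0.19041"},
    {"host": "lab-02", "product": "Example EHR Client", "installed": "4.2.10"},
    {"host": "lab-02", "product": "Example PDF Reader", "installed": "2020.012"},
]

# Constructed vendor data: the current patched version and the date it was released.
VENDOR_CURRENT = {
    "Example EHR Client": {"version": "4.2.10", "released": date(2020, 11, 3)},
    "ExampleOS": {"version": "10.0.19042", "released": date(2020, 11, 25)},
    "Example PDF Reader": {"version": "2020.013", "released": date(2020, 10, 15)},
}

PATCH_SLA_DAYS = 14   # how long a released patch may stay uninstalled before it counts as overdue


def version_key(version: str) -> tuple:
    """Compare versions numerically: 4.2.10 must sort after 4.2.9, which string comparison gets wrong."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def patch_report(inventory, vendor_current, today: date) -> list:
    """List every installed component behind the vendor's current version, flagging SLA breaches."""
    findings = []
    for item in inventory:
        current = vendor_current.get(item["product"])
        if current is None:
            # No baseline means nobody is tracking this product; surface it rather than ignore it.
            findings.append({**item, "current": None, "days_behind": None, "overdue": True})
            continue
        if version_key(item["installed"]) >= version_key(current["version"]):
            continue
        days_behind = (today - current["released"]).days
        findings.append({
            "host": item["host"], "product": item["product"],
            "installed": item["installed"], "current": current["version"],
            "days_behind": days_behind, "overdue": days_behind > PATCH_SLA_DAYS,
        })
    # Overdue items first, then by host and product so the report reads as a work list.
    findings.sort(key=lambda f: (not f["overdue"], f["host"], f["product"]))
    return findings


if __name__ == "__main__":
    for finding in patch_report(INVENTORY, VENDOR_CURRENT, date(2020, 12, 1)):
        print(finding)
```

In a real deployment the inventory would come from the endpoint-management agent and the vendor baseline from vendor feeds, but the comparison logic stays the same.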
Maintain security awareness
Last, but not least, is the human element of cybersecurity. A lot of the cybersecurity threats we talked about today involved an employee as a catalyst behind an attack. Your employees are the first line of defense but can also be your biggest weakness when it comes to cybersecurity.
Working in healthcare is a highly rewarding but strenuous career, and your employees might not have the time or resources to dedicate to cybersecurity awareness video presentations and courses. A culture of cybersecurity awareness is created and nurtured through ongoing, engaging and clear training. Enhanced physical security measures can also help secure your healthcare practice. Installing proper access controls in your practice and putting up security cameras offer an extra level of deterrence and protection.
Every employee should have an understanding of proper security procedures and practices to follow which will ensure your first line of defense is a substantial one.
Proactive Security Is The Best Security
When it comes to healthcare practices, much is on the line if you become the victim of a cyber attack. Making smart cybersecurity decisions and following best practices that go beyond what is dictated by HIPAA and similar regulations can go far in making sure your patients’ data and the integrity of your practice are preserved. Predictions for 2021 show no signs of cyber attacks slowing down, and the best we can do is to be prepared.