At the end of October 2020, the FBI and two other federal agencies released a joint statement saying they had, “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” In this article we look at ways the healthcare industry can protect itself from cybercriminals.
In recent years, technological approaches to medical diagnosis and treatment, alongside the storage and retrieval of health data, have become a vital component in healthcare systems around the world. While this trend did not start as a response to COVID-19, the impact of the pandemic has certainly hastened its acceptance by the general populace. The need to physically distance has led to a rise in telemedicine and, with the majority of healthcare organizations now relying on cloud storage solutions, it is predicted that within five years many users will be accessing their health data via mobile devices.
While this increasing reliance on internet-based solutions has several positives, not least greater efficiencies for both consumers and medical professionals, it has opened the way for cyber criminals to attack systems that contain some of our most valuable data.
Before the internet, medical data was often handwritten and physically locked away from malicious eyes. This information is now stored online, making it a potential target for cyber criminals operating in any part of the world.
It is predicted healthcare will suffer two or three times more cyberattacks than any other industry in the coming years. At the same time, the cost of these data breaches is also far higher than in any other industry. A study by IBM has shown the average cost per incident is USD 7.13 million, a 10% increase over 2019 figures.
The goal of many of these attacks is extortion. Cybercriminals plan to lock up hospital information systems, thereby damaging patient care. The attacks often involve ransomware that scrambles the data held by the medical facility, making it impossible to read. The criminals then demand payment in exchange for a software key that will unlock the system. This approach has extra menace at a time when COVID-19 is spiking.
Studies have shown that the highest risk for healthcare providers is malicious network traffic, which affects around 72% of all organizations. The second and third highest risks are phishing (56%) and out-of-date or vulnerable operating systems (48%).
Digitalization has also significantly increased the number of potential attack vectors. A large number of third-party actors are now involved, supporting healthcare professionals in a variety of ways. A popular attack route for cybercriminals is to exploit a third party’s access rights to gain entry to a central database. Once inside, the cybercriminal has free rein to do whatever damage they like.
There are a number of reasons why the healthcare industry is a particularly popular target for criminals. Firstly, the data they can access is high value because it is sensitive and relates to an individual’s health. Secondly, for an organization to lose control over its data is not only embarrassing, and therefore potentially financially costly, but it can also be catastrophic in terms of patient care. In 2020, a German woman was declared the first person to be killed by ransomware, when her ambulance was rerouted to a more distant hospital because her closest treatment center was in the midst of a cyberattack.
This is not a new problem. The healthcare sector has been dealing with similar security issues for many years. As the industry adopts more and more new technologies, it has increased its vulnerability to external attack. There are many reasons for this, including:
A survey by IBM found that 95% of all security breaches are the result of human error. The first line of defense must therefore be training. The people who use the systems need to learn to identify potential threats and the correct procedures for maintaining cybersecurity.
Healthcare providers also need to ensure their systems have the correct levels of protection, meaning the use of appropriate encryption and key management to protect sensitive data. Security measures must be incorporated into their devices and systems from conception, and staff have to be trained appropriately to ensure these remain effective.
There are various options open to healthcare organizations to help them assess the security of their systems. Firstly, they can employ the services of cybersecurity specialists to assess their level of protection and uncover any gaps. Secondly, they can undertake a penetration test, also known as a ‘pen test’ or ‘ethical hacking’, where a cybersecurity professional will seek to access the system in the same way as a hacker would. They will try to exploit vulnerabilities in appliances, operating systems, services, employees, and applications, to identify where weaknesses exist. The advantage for the healthcare provider is that there is no ransom demand at the end.
The issue of cybersecurity in the healthcare industry is not going to go away. As healthcare systems increasingly embrace the use of this technology, so the risk of cyber disruption and its impact on patient safety will increase. The sector therefore needs to consider data protection as one of its highest priorities.
SGS offers a range of services to help healthcare providers protect their organizations. These include ISO 27001 – Information Security Management Systems – certification and training to ensure individuals have the right knowledge to help protect their systems.
Learn about SGS ISO 27001 services.
Learn about SGS Cyber Security Training and Personal Certification.