Striving to increase the quality of patient care, develop new therapeutic devices, and improve operational efficiencies, the healthcare industry has undergone a radical digital transformation in recent years. Fortunately, many healthcare organizations have continued to digitize patient records, utilize smart therapeutic devices, and leverage research data in new ways and are even using artificial intelligence-driven diagnostic assistance. Unfortunately, the prioritization of cybersecurity technologies, training, and processes is generally not keeping pace.
Given the legacy and newly created vulnerabilities, and the vast amounts of highly valuable data being generated, it is no surprise that cybercriminals are targeting the healthcare sector with increased focus and precision.
Healthcare Cybersecurity by the Numbers
More than 41.1 million patient records were breached in 2019 [1] as a result of 572 incidents in which 500 or more records were stolen. This 2019 activity represented an astounding 215 percent increase in stolen records and a 63 percent increase in incidents compared to 2018. [2]
Thankfully, so far, in 2020 the healthcare breach activity and record theft have reverted back to 2018 levels, but experts monitoring the healthcare space are adamantly warning that the sector should not be lulled into a false sense of security.
The fact remains that despite measures to increase cybersecurity in a manner that meets regulatory compliance requirements by protecting patient data and protecting the operations of healthcare facilities, the industry continues to be threatened by increasingly sophisticated, determined, and organized cybercriminals.
Healthcare Is a Prime Target for Cybercriminals
Among the stolen data on the black market, a healthcare record [3] is worth more than forty-six times the value of a payment card record—$250 per record compared to $5.40. Healthcare records are worth more because they typically include more comprehensive identifiable information compared to the more limited data points acquired in breaches of most financial services.
For instance, healthcare records usually contain social security numbers, dates of birth, credit card information, e-mail addresses, employment information, and detailed medical records. Cybercriminals are using this stolen data to launch highly targeted spearphishing attacks, steal medical identities, fraudulently acquire government benefits like Medicare or Medicaid, and carry out other illegal activity.
What Makes Healthcare Organizations So Vulnerable to Cyberattack?
The healthcare industry has unique weaknesses that must be addressed by cybersecurity controls. Some of these issues include vulnerability to ransomware attacks, enormous quantities of data-rich electronic health records (EHR), and a growing number of connected medical devices.
High stakes—ripe for ransomware
Ransomware attacks are pointless if no one is willing to pay the ransom. However, given the life or death situations that hospitals and other medical professionals are managing, cybercriminals tend to have more leverage.
In 2019, healthcare facilities and their IT vendors experienced a surge of ransomware attacks, disrupting service at hundreds of dental offices, nursing facilities, hospitals, and other healthcare entities. [4] While 2019 was a particularly bad year for these attacks, the trendline is clear—the healthcare sector needs to become better at protecting itself and its patients. But why are healthcare facilities so vulnerable?
Ultimately, much of the healthcare industry is simply behind other market sectors in the maturity of its cybersecurity programs. For instance, many healthcare entities struggle with e-mail security. Eighty-six percent of healthcare entities fail to use e-mail platform scanning and filtering tools. [4] Hospitals do utilize e-mail scanning and filtering tools at higher rates; however, even with the pressing need to avoid operational and patient care disruptions, only 25 percent of hospitals are utilizing e-mail scanning and filtering technology. Given that phishing incidents are responsible for 91 percent of ransomware attacks, it is easy to see how important e-mail security is for securing the healthcare industry’s digital ecosystem. [4]
Yet another factor that leaves hospitals more vulnerable to ransomware and other cyberattacks is that hospitals are six times more likely to internally host their own servers instead of contracting with a third-party vendor who specializes in network security. These decisions, too often, lead to out-of-date server configurations and greatly increased vulnerability.
Increased use of electronic health records (EHR) systems
To improve the efficiency and quality of patient care, many healthcare organizations have rightly adopted EHR systems. In fact, providers have become so dependent on these systems and digital processes that a compromised EHR system can halt hospital or provider operations and potentially put patients’ lives at risk.
As mentioned previously, EHRs are highly valuable because of the comprehensive information contained within them. The use of EHRs is critical for progress and innovation within the healthcare industry. However, the ever-increasing use of patient file digitization, coupled with the value of these files, demands that cybersecurity be dramatically elevated in priority.
Connected medical devices growing in number, importance, and sophistication
The therapeutic progress and promise of increasingly sophisticated IoT-enabled medical devices is incredibly exciting. IoT-enabled pacemakers, remote EKG tests, insulin monitoring, and sophisticated pain management—the list of applications for connected healthcare technology is extensive. It is not surprising that MarketsandMarkets anticipates a compound annual growth rate (CAGR) of 21 percent for healthcare IoT devices from 2020 to 2025.
While these medical device advancements represent much progress, this level of connectivity leaves healthcare providers and patients open to well-orchestrated and seditious cyberattacks.
The budgets of healthcare facilities are often tight, and if there’s an opportunity to purchase a new diagnostic machine or make additional cybersecurity investments, the investment in the diagnostic machine often wins. While this dynamic is understandable, the healthcare industry must secure itself for the sake of its patients and regulatory compliance and to reduce the costs of security damage to its operations.
Thankfully, there is a solution. Managed security services, managed detection and response, and e-mail protection solutions offered by SilverSky allow healthcare organizations to leverage extremely expensive technology and expertise at affordable prices. Contact us if we can help.
1. “Over 41.4M Patient Records Breached in 2019, as Hacking Jumped 49%,” Jessica Davis, Health IT Security, February 19, 2020
2. “Largest Healthcare Data Breaches of 2018,” HIPAA Journal, December 27, 2018
3. 2019 Trustwave Global Security Report, Trustwave, 2019
4. “Ransomware Attacks on Healthcare Providers Rose 350% in Q4 2019,” Jessica Davis, Health IT Security, March 09, 2020
5. “IoT in Healthcare Market worth $188.2 billion by 2025,” IoT in Healthcare Market by Component (Medical Device, Systems & Software, Services, and Connectivity Technology), Application (Telemedicine, Connected Imaging, and Inpatient Monitoring), End User, and Region – Global Forecast to 2025, MarketsandMarkets