The Ultimate Guide to Cybersecurity in the Healthcare Industry

The healthcare industry continues to lag behind on cybersecurity, even as it is increasingly targeted by cybercriminals.
Why is that, and what can you do to better protect your organization in 2020?

The True Cost of Healthcare Cybersecurity Breaches

When most of us think of organizations being hacked or breached, we think of sensitive data being leaked, causing profits to plummet, or vital documents being held hostage until a ransom is paid. However, when it comes to the healthcare industry, often the true cost of an attack is much more than just money.

The Cost to Patients

The inability to access medical records, lost productivity while systems are down, and money paid to cybercriminals all have a real impact on the health and wellbeing of patients. One well-known healthcare-focused cyberattack, the 2019 ransomware attack on Grays Harbor Community Hospital and Harbor Medical Group, forced the hospital and the medical group’s clinics to revert to paper medical records and also affected backups. Though most records were recovered, it still isn’t clear whether some medical records were permanently lost.
A breach can also damage the relationship between the patient and their doctor, as many patients may avoid seeking medical help if they are worried cybercriminals or other unauthorized users may access their private medical information. These emotional consequences can seriously damage the health and wellbeing of patients and make it more difficult for doctors to rebuild patient trust and ensure their patients are getting the care they need.

The Cost to Medical Science

Depending on the nature of the breach, valuable research data and intellectual property may be damaged or lost, which can delay research into life-saving treatments. That sort of research is invaluable, and its loss can have devastating consequences for the health and wellbeing of potentially millions of people.

The Unique Challenges of Healthcare-Focused Cybersecurity

Research has shown that the healthcare industry is a prime target for medical information theft at least in part because it lags behind other industries in securing its vital data. So why does this industry, whose assets are crucial to human health and wellbeing, lag so far behind?
To begin with, so much of what hospitals do relies on the internet, from patient test results and medical records to the various machines and technologies used to provide patient care. While this interconnectedness is excellent for data integration, patient engagement, and clinical support, it also means that ransomware or another attack can spread quickly between vital systems, accessing patient data and other highly sensitive information, hijacking medical equipment to mine cryptocurrencies, or shutting down entire hospitals or hospital networks until a ransom is paid.

Not All Software Can be Patched

One of the unique challenges of healthcare is that there is a wide mix of equipment. While some equipment is cutting edge, many pieces of healthcare technology still in use were made by companies that are no longer in business or run on old software that has gaping security holes that can’t be patched. That means that even if vulnerabilities are known to exist (which isn’t always the case), there may not be a way to fix them.
The obvious answer would be to move away from outdated software and equipment with known vulnerabilities, but that is easier said than done. While a small or even medium-sized business could handle a temporary shutdown to migrate the entire network over, hospitals and other healthcare facilities don’t have that luxury: the entire system needs to be running 24/7/365.
Shutting down older equipment and transferring all of the data stored on the network can also be incredibly costly. The ability to patch and update software both extends the lifespan of current equipment and reduces costs.

Human Error Can Expose Patient Data

On the data privacy side of things, recent research published in JAMA found that most breaches in medical settings were triggered by unauthorized disclosures or employee error. When doctors, nurses, and specialists across multiple shifts need to be able to quickly and easily access sensitive patient data, the odds increase that one person makes a mistake that leaves this data exposed.

The Biggest Cybersecurity Threats to be Concerned About in 2020

There are a few threats that healthcare providers should be particularly concerned about in 2020. If you are unsure what steps you can take to improve your organization’s cybersecurity posture, please speak to your MSSP (Managed Security Services Provider).

Ransomware

Ransomware was a huge problem in 2019, particularly for healthcare providers, and it is likely only going to get worse. Unlike some other businesses, healthcare providers aren’t able to pause operations to try to get their files decrypted and avoid paying the ransom. And while some businesses can carry on even if they are unable to recover a few encrypted files, sometimes even a single unrecoverable file, such as a patient’s electronic record or test results, can have disastrous consequences for the health and wellbeing of patients.

Unsecured Medical Devices

Businesses in a variety of industries, including the healthcare industry, have enthusiastically adopted a wide variety of Internet of Things (IoT) devices. In fact, some reports project a compound annual growth rate of 27.6% for healthcare IoT devices between 2019 and 2024.
However, in 2019 the FDA warned that a cybersecurity firm had identified 11 vulnerabilities that could allow hackers to control medical devices remotely. That report has likely prompted many healthcare providers to take a closer look at their current cybersecurity postures. Hopefully, that focus will continue in 2020 so that these and other vulnerabilities can be addressed.

Unsecured Electronic Health Records

Electronic health records have made it significantly easier for both healthcare professionals and facilities to access patient files, though this system does come with special cybersecurity considerations.
Though there are already privacy laws in place to safeguard sensitive patient data, these laws were mostly written with people in mind, not software. That means that many of these systems remain vulnerable to exploitation by cybercriminals, since the software that many of these systems run on or interface with may have been written in a time before the IoT. Depending on when the software was written, the company may not be around to issue software updates and patches, and even if they are, the software may not be compatible with many necessary cybersecurity updates.
Hopefully, findings like the FDA report mentioned above will encourage the companies that design electronic health record systems to evaluate their software critically so that it can be modified to better safeguard patient data.

How Can Healthcare Organizations Improve their Cybersecurity Posture?

Every organization is different and has slightly different cybersecurity needs. As such, the first thing any organization should do is sit down with their MSSP to identify their cybersecurity needs and create robust yet flexible cybersecurity protocols.
Organizations should also work with their healthcare-focused MSSPs to identify credible threats and create tailored response plans to address those threats. These response plans should be designed to minimize or even eliminate damage to critical systems and help safeguard both vital infrastructure and sensitive data.
To help you get started, please review our blog post Cyber Hygiene 101: Basic Steps to Keep Your Company Secure.

The Rising Cost of Health Care Industry Data Breaches

The 2019 edition of the Cost of a Data Breach Report, sponsored by IBM and published by Ponemon, is causing quite a stir in the cybersecurity world. The annual report, which draws its data from in-depth interviews with more than 500 global companies that experienced data breaches between July 2018 and April 2019, finds not only that data breaches are becoming increasingly common but that the cost of these breaches is rising and that cybercriminals are shifting their target industries.
The report found that the healthcare industry, traditionally ignored by cybercriminals, experienced the highest cost per breach this past year.
Our leadership team and senior engineers have outlined their take on the report and why they think cybercriminals are targeting the healthcare industry.

Money & Personally Identifiable Information

Andrew Douthwaite (Chief Technology Officer) found it interesting that the healthcare industry had the highest cost per breach, but he was not surprised. As his colleague Garrett Stanley (Senior Engineer and Attack Specialist) pointed out, healthcare is a rich cybercrime goldmine that is still relatively unguarded. Not only can cybercriminals use tactics such as ransomware to extort funds from healthcare providers and pharmaceutical companies, but healthcare organizations also hold vast stores of personal data which can be used for criminal purposes.
“Personally Identifiable Information (PII) is particularly valuable from a fraud perspective”, said Chris Storer (Senior Security Engineer). PII can be used for both prescription drug fraud and insurance fraud. Increasingly, cybercriminals are targeting PII, such as stolen insurance numbers and social security numbers. This personal information is also easier to use than credit card or bank information, as banks have increased their cybersecurity defenses in the last few years, making it more desirable and valuable.

Settling Instead of Fortifying

Malware, including ransomware, is an incredibly popular tactic among cybercriminals. As Michael Murdoch (Senior Project Manager) pointed out, electrical, power, and utilities infrastructure is also being increasingly targeted, but these industries are becoming wiser and fortifying their cybersecurity.
Garrett Stanley told us healthcare and pharmaceutical companies typically spend very little on IT infrastructure and cybersecurity, as compared to their overall budget. If these vulnerable industries continue to neglect their cybersecurity practices and infrastructure, they will continue to be disproportionately targeted.
When a healthcare organization experiences a breach, it puts the personal data of Americans at risk and erodes consumer trust. Breaches can also allow cybercriminals (including rival companies) to access proprietary data on drug patents and other sensitive information.
Unfortunately, as Matt Rutledge (Senior Project Manager) told us, most of the big healthcare companies have their compliance departments report to their legal departments. This fosters environments where companies are more likely to settle with affected consumers when a breach happens because it is cheaper and easier than addressing their cybersecurity shortfalls and forcing full technical compliance.
In fact, it is typically smaller healthcare organizations that are the most strict about compliance, and who typically not only meet the minimum for compliance but do whatever they can to fortify their cybersecurity defenses against breaches.
Brent Taylor (Professional Services Engineer) agrees. He has done extensive consulting work for both hospitals and doctor’s offices and has found that most compliance measures focus more on reporting than on actual cybersecurity measures. This is because these guidelines are not typically written by cybersecurity or network professionals, but instead by financial analysts and lawyers. The goal of these guidelines is not protection, but reporting, so even if an organization is fully compliant, their valuable data is not actually safer from cybercriminals.

State-Sponsored Cyberattacks

The word “cybercriminal” typically conjures up an image of an angry loner in his basement, but the face of cybercrime is changing. Garrett Stanley feels that attacks on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems will increasingly be state-sponsored. This is mostly because there are far easier ways for cybercriminals to extort money from unprepared organizations, making ICS and SCADA targets less appealing to cybercriminals looking to get rich.
However, all organizations need to remain vigilant. A cybercriminal only has to get past your defenses once to cause damage and steal private information.

Defending Healthcare Organizations Against Cyberattacks

Healthcare organizations need to be serious about their cybersecurity efforts and focus less on reporting and more on concrete defense measures. To help ensure your organization’s data is safe from breaches, you may want to consider enlisting the help of a Managed Security Services Provider (MSSP).
See also: Healthcare managed security services case study.
MSSPs are made up of teams of trained cybersecurity experts who will work with your organization to create a tailored cybersecurity solution to safeguard your company’s data against cybercriminals. A good MSSP will monitor your network 24/7/365 for suspicious or unauthorized activity, help you mitigate or even avoid damage if you experience a breach, and help train your employees to better safeguard your organization’s digital assets. They will also sit down with you after a breach has occurred and help you learn from the incident so that you can better safeguard your valuable digital assets.