Cybersecurity for healthcare providers: it’s an issue that just keeps getting more important. The reason is simple: as the world in general continues to ‘go digital’, the responsibility on providers of those digital services to deliver cybersecurity increases.
From routine check-ups, to major surgeries, to emergency room visits, few fields have such profound impact on so many lives, or handle such sensitive Personally Identifiable Information (PII). This, of course, places a heavy cybersecurity and privacy challenge upon the healthcare provider that generates, handles, shares, and holds that data. And yet, many healthcare providers – from allied health practitioners, to GP clinics, to major hospitals – have significant vulnerabilities across systems, software, and staff security awareness. And the bar might be surprisingly low. Verizon research has even found that nearly two-thirds of data breaches in the US healthcare sector could have been prevented through minor improvements to password procedures.
What’s more, not only is the privacy of patients at risk, the providers themselves also shoulder reputational risk, business risks, and legal risks should a breach occur. This isn’t even to mention the spectre of “medical device hijack” where cybercriminals can take control of medical equipment (such as CT scanners) and even medical devices implanted into patients, such as insulin pumps and pacemakers.
If these are the sorts of issues that are keeping you awake … or will be keeping you up now that you’ve read this far … know that you can do something about them. The key point here is that a lot of cybersecurity is about mitigation of threats: continually adapting so that you’re a comparatively tough target. As the Data Breach Investigations Report from Verizon found, cybercriminals are motivated by money and take the easiest routes to obtain the information they need to extract that money. In practice, this means that most “hackers” are fast-moving and opportunistic, so being proactive and agile is the most effective countermeasure.
In the rest of this article we’ll explore a little more about the kinds of cybercrime risks healthcare providers face and how you can put your healthcare organisation into the too-hard basket when hackers come looking.
What Does Cybersecurity In Healthcare Mean?
When we talk about “cybersecurity” we really mean two closely related topics. First, “cybersecurity posture” – how secure your systems are; second, “cybersecurity practices” – what you’re actually doing towards making them secure. In other words, you can have a good cybersecurity posture through employing good cybersecurity practices. This is an important insight when so much else of what comprises “good” cybersecurity is so fluid.
Of late, the COVID-19 pandemic has had far-reaching operational ramifications across every sector, healthcare especially. There has been a rise in telehealth and emergency coordination of all manner of previously siloed organisations of varying scale and sophistication; new vistas of healthcare capability have been opened … and the cyber vulnerabilities have expanded in line.
The information at play here is more than commercially and legally sensitive; it is often a matter of life and death in the most literal sense. What’s more, it has become increasingly clear that healthcare organisations are struggling to cope. As an illustration, reports on the effect of cybercrime in the healthcare sector in the USA put the cost at billions of dollars per year – and rising. In Australia during 2021, the majority of incidents in the first half of the year targeted healthcare organisations. Moreover, there are broadscale fears that attacks are becoming both more frequent and more sophisticated, and thus harder to detect, stop and manage.
Against this backdrop, efforts to secure the data and networks of healthcare providers face many characteristic challenges: devices often running legacy software, a lack of staff training on cyber matters, insecure practices generally, and poor segmentation of networked systems. Let’s have a look at these factors more closely.
The Main Cybersecurity Threats For Healthcare Organisations
In Australia, the healthcare sector is vast and complex. Providers that have a cybersecurity responsibility range from solo allied health practitioners who drive from housecall to housecall, right up to massive hospitals that treat over 100,000 patients per year.
As already mentioned, cybercriminals are generally motivated by easy money. Against the context of Australia’s healthcare sector, this means that at the low end, they tend to target smaller operators that have never had good systems; and, at the larger end, they go for operations that have vulnerabilities in the configuration and interface between systems. Regardless of type, the kinds of threats are similar. Here are five of the most concerning:
Malware: Short for “malicious software”, these are harmful computer programs that try to gain access to, disable, or hijack devices and networks, or otherwise cause issues.
Ransomware: Software that compromises a system or data storage and encrypts the contents. The usual ultimatum is “Pay us, and we’ll decrypt it”, an unenviable situation for healthcare.
Cloud threats: With ever more health information stored in the cloud and shared between remote locations, breaches are increasingly remote in nature, rather than arising from the vulnerabilities of on-premises systems.
Phishing and spoofing: Two related practices wherein criminals seek to have sensitive information sent to them, either by sending out mass communications that appear to come from a reputable source, or by setting up fake websites that look and function similarly to a legitimate one.
The human factor: The people operating a system are often its biggest source of vulnerability; from being “socially engineered” by a hacker working as a digital con artist, right through to poor compliance, insufficient training, or even simple human error.
The Healthcare Industry Is Already Under Cyber Attack
The cyber-attack-on-healthcare-provider scenario is so scary because of how sudden and unpredictable it can be. It can be as simple as an email arriving in your inbox. Completely anonymous and virtually untraceable, the sender simply tells you that they now control your entire system and are willing to destroy it … unless you pay their ransom. Time is against you and your choices are distressing…
Do you pay the ransom? Do you call the police? What happens if you don’t pay up? Will you get your data back even if you do pay? Will the threat actor hide backdoors in that data so they can get back in later? What could you have done to prevent this from happening?
This scenario (and others like it) is something that hospitals and other healthcare facilities around the world are going through with increasing frequency. It’s been noted that healthcare organisations are an “appealing target to attackers” not just because the data is so valuable, but because of the sheer duress they face should the downtime hinder patient care. Remember, cybercriminals like exploiting vulnerabilities, and the prospect of patients/taxpayers suffering – even dying – is heavy collateral to hold over a clinic, hospital or government health department. Quite a vulnerability.
The ultimatum the cybercriminals thus pose is morally outrageous, yet compliance – paying a ransom in order to recover systems and save lives – is often the only option a healthcare organisation may have. Because this is such a heinous act, the world’s police agencies are hard at work on the issue. Interpol monitors the issue closely and often releases bulletins. One such warning from April 2020, in which Interpol announced it had detected an increase in attacks, triggered industry research that uncovered that US healthcare organisations had suffered 41 “successful” ransomware attacks in the first half of that year alone.
One of the most famous examples dates from 12 May 2017, when a broad event dubbed “WannaCry” hit 150 countries. WannaCry compromised and “temporarily crippled” parts of the UK’s internationally renowned National Health Service. More than 80 UK hospitals were affected, and thousands of surgeries and appointments had to be cancelled. Even ambulances on their way to critical incidents had to be rerouted.
When it comes to healthcare cybersecurity, managing the risks can be a life-and-death matter. As a healthcare organisation, it’s not just about protecting your own reputation, cashflow, and records; it’s about your patients. They have entrusted you with their PII, and indeed their very lives. In healthcare, cybersecurity must be at the forefront of every decision made by those involved in providing digital services. This blog post is just an introduction to this critical and complex field, and barely scratches the surface of the threats the industry now faces every day.
To find out more, you can turn to Internet 2.0. Their team of ex-military and ex-intelligence cybersecurity experts can discuss the issues with you and help you maintain the cybersecurity posture your patients deserve. Find out more; contact Internet 2.0 today.