By Nissim Ben-Saadon, Director of Innovation, CYREBRO
In today’s digital era, the healthcare industry stands at the forefront of technological adoption, heavily relying on digital systems such as Electronic Health Records (EHRs) to enhance patient care and operational efficiency. This rapid digitization has also escalated the industry’s vulnerability to cyber threats, posing significant risks to patient privacy, data security, and overall healthcare delivery.
The Attractiveness of Healthcare Data to Cybercriminals
Healthcare organizations are treasure troves of sensitive data, including patient records, medical histories, and financial information. This makes them ideal targets for cybercriminals who exploit vulnerabilities to gain unauthorized access, often holding this valuable data for ransom. The consequences of a successful cyberattack in healthcare are multifaceted, ranging from compromised patient care and damaged reputations to financial losses and legal repercussions.
In 2023, the healthcare sector experienced a significant escalation in cyberattacks. Since the start of the year, 327 data breaches have been reported to the US Department of Health and Human Services’ Office for Civil Rights. That figure is up more than 104% from 160 breaches as of mid-2022 and shows “no signs of abating,” according to a report from Fortified Health Security.
The breach of Fortra’s GoAnywhere secure file transfer software in February 2023 was particularly severe, affecting over 5 million healthcare records. Additionally, healthcare business associates, who play a vital role in the healthcare ecosystem, have also become increasingly targeted, with reported breaches jumping from 22 to 82, a 273% increase compared to the previous year.
HIPAA and GDPR: A Shield Yet Insufficient
To counter these risks, the U.S. healthcare industry adheres to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which governs the security of electronically protected health information (ePHI). HIPAA’s key components include the Security Rule, the Privacy Rule, and the Breach Notification Rule. The European healthcare industry is protected by GDPR which provides safeguards for personal health data.
Despite these rigorous regulations, the healthcare sector has witnessed an increase in cyberattacks. The dependence on interconnected systems and IoT devices, alongside the critical nature of healthcare services, makes these institutions particularly vulnerable. The NIS2 Directive in Europe, which is set to take effect in October 2024, will mandate that healthcare organizations protect patient data from cyber threats to help address these issues. This includes implementing cyber risk management measures, establishing a clear incident-reporting process and securing patient data with proper storage and handling practices.
The Rising Menace of Ransomware Attacks
Ransomware attacks in particular, where cybercriminals encrypt critical data and systems, have become increasingly common and devastating in healthcare. In 2022, a survey by the Ponemon Institute revealed that 45% of healthcare IT professionals reported ransomware attacks impacting patient care. A striking example of the vulnerability of healthcare systems to cyber threats occurred in 2023, when Prospect Medical Holdings, a healthcare system operating 16 hospitals and over 165 clinics and outpatient centers across Connecticut, Pennsylvania, Rhode Island, and Southern California, fell victim to a ransomware attack. This cyberattack forced the closure of some facilities and left others relying on paper records, significantly disrupting healthcare services.
Proactive Measures for Enhanced Cybersecurity
Given these challenges, healthcare organizations need to take a proactive and comprehensive approach to cybersecurity. Despite huge advances in medical technology, limited budgets and a hesitancy to learn new systems means that not every aspect of the healthcare industry has kept pace. It’s critical for hospitals using techniques that still release system updates to keep all software equipped with the most recent version. This measure keeps systems reasonably secure but eventually vendors will stop providing updates as the software moves into “end-of-life” status.
Cyberattacks can be better minimized by adding extra layers of security. If a system is compromised, a multi-factor authentication (MFA) solution can help limit the lateral movement of an attacker through the network since they can’t log in to other protected systems. Other key strategies include disconnecting legacy systems from the internet, and implementing advanced security solutions like Endpoint Detection and Response (EDR). Additionally, healthcare providers should conduct regular risk assessments to identify and address vulnerabilities in their systems and networks. Employee training and awareness programs are also crucial, as human error can often lead to security breaches. Educating staff on recognizing phishing attempts and safe data handling practices can significantly reduce the risk of a successful cyberattack.
Building a Resilient Cyber Defense Infrastructure
Healthcare organizations can further strengthen their cyber defenses by establishing strict access controls and ensuring that only authorized personnel have access to sensitive data. Implementing a strong password policy and using encryption for data at rest and in transit are essential steps in protecting patient information. Regularly backing up critical data and having a robust disaster recovery plan can ensure continuity of operations in the event of an attack. In addition, collaborating with cybersecurity experts and investing in state-of-the-art security technologies can provide healthcare organizations with the tools and insights needed to stay ahead of evolving cyber threats.
A Call to Action for Robust Cyber Defense
As the healthcare sector continues to embrace digital solutions, the importance of robust cybersecurity measures cannot be overstated. The industry must prioritize investment in cybersecurity to protect against the evolving threat landscape. By implementing comprehensive security strategies, healthcare organizations can safeguard sensitive patient data, ensure operational resilience, and maintain the trust of those they serve. This commitment to cybersecurity is not just a regulatory compliance issue but a fundamental aspect of providing safe and reliable healthcare in the digital age.
About the Author
Nissim has over 10 years’ experience serving in a variety of cybersecurity functions including being a CISO, and providing DFIR, malware analysis and SIEM professional services for private companies, military organizations and government. He also occasionally creates and teaches cybersecurity courses for professionals. He currently serves as CYREBRO's Director of Innovation. Nissim can be reach via LinkedIn at https://www.linkedin.com/in/nissim-ben-saadon-0ba173bb/ and at CYREBRO via www.cyrebro.io.
