HIPAA rules for privacy and security have mandated the protection of US patient data in various forms since 2003. And yet, data breaches in the medical industry have been increasing year by year. In 2023, there were a record 739 breaches, which affected more than 136 million individual records.

It is clear that whatever measures the healthcare industry takes, they haven’t effectively addressed the issue.

The Healthcare Industry Is Vulnerable by Nature

The healthcare industry handles massive amounts of data: electronic health records (EHRs), payment details, personally identifiable information (PII), and the telemetry generated by connected medical devices. The sheer volume and diversity of this data, and the fact that much of it cannot be changed once leaked (a diagnosis or date of birth is not a password you can rotate), make the industry a prime target for cybercriminals.

An attacker can expose or steal that data at rest (on servers, backups, workstations, and devices) or in transit between systems and partners.

The danger isn’t from hoodie-wearing old-school hackers mashing their keyboards in dark basements to crack your system. The modern scenario is far scarier because it takes only a few people with a criminal bent and a modest budget: the technical skill can be rented.

Welcome to the World of MaaS

MaaS (Malware-as-a-Service) platforms rent out attack tooling the way legitimate vendors rent out software: ready-made malware, hosting infrastructure, and botnet capacity. The goal is to compromise or disrupt the target and/or steal valuable data. Threat actors pay a subscription or a share of the proceeds to use the platform, and many operators even run a help desk for their criminal customers. From there, subscribers can launch a range of attacks, for example:

  • Phishing. The attackers send seemingly benign emails to your friendly receptionist, nurse, laboratory assistant, or medical specialist. They hope to convince the victim to click a malicious link, enter their password on a credential-harvesting page, or open an attachment that installs malware. 
  • A ransomware attack may follow. The attackers use the foothold obtained by phishing to move through the network, exfiltrate sensitive data, and then encrypt systems, demanding payment both to restore access and to keep the stolen data private. Attackers know how critical it is for care facilities to keep operating, and that urgency increases the chances of a ransom payment.
  • DDoS (distributed denial-of-service) attacks are another way of taking healthcare service systems offline and pressuring organizations to comply with criminals’ demands. A DDoS also creates confusion and distraction for system users and IT staff, which is the perfect cover for an intrusion or ransomware deployment happening at the same time. 

How Can Healthcare Organizations Improve Their Security Posture?

The industry has many exposure points, and threat actors need only one unpatched device, one reused password, or one careless click to get in. Therefore, securing the system and focusing on keeping operations running is essential.

  • Stop password sharing among staff and enforce the use of strong, unique passwords. Implement Multi-Factor Authentication (MFA) on every account, and especially on email, remote access, and EHR logins. It’s a simple, effective control that stops the majority of account takeovers that rely on stolen or guessed passwords; prefer phishing-resistant methods (hardware keys or passkeys) over SMS codes where you can.
  • Use secure messaging platforms for all communication between healthcare workers. Encrypt all correspondence and guard access to the platforms with authentication rules, so that patient details never travel over personal email or consumer chat apps.
  • Implement data access controls. Both healthcare professionals and support staff need access to patient records and systems. However, they don’t all need the same level of access. Define roles and the access each role requires, and allow people to see only the data they need to do their jobs: the principle of least privilege, which HIPAA expresses as the “minimum necessary” standard. Log every access to patient records so that misuse can be detected and investigated.
  • People are vulnerable because they can make mistakes. Staff at all levels are the first line of attack. Improve their ability to spot social engineering and phishing attacks, and make it easy to report a suspicious message without blame. Cyber awareness training should not be a one-off event.
  • Manage network access points rigorously. Maintain an inventory of every internet-capable machine, tool, and gadget, keep them patched, and make sure they communicate only over encrypted connections. IoT equipment’s connection security standards are notoriously lax, so put medical and office devices on their own network segments where they cannot reach the EHR directly. An older or poorly secured device, such as a wireless printer, could be the entry point for a major cybersecurity incident.
  • Add a VPN to every device (smartphone, IoT system, laptop) that accesses data in the network from outside it. A VPN (Virtual Private Network) creates an encrypted tunnel for data traveling via the Internet, so an attacker on the same public Wi-Fi cannot intercept information such as patient files sent between specialists. Keep its limits in mind: a VPN protects data in transit only, not data sitting on a stolen laptop, and a phished password lets an attacker straight through the tunnel, so it must sit alongside MFA and the access controls above, not replace them. If you rely on a third-party VPN provider, it becomes part of your HIPAA risk assessment: look for one with a verified no-logs policy and that is willing to contractually commit to the safeguards HIPAA requires. 
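The “only the data they need to do their jobs” point above is easy to state and easy to get wrong in practice, so here is an added worked example of what it looks like in code. It is not taken from the article or from any real EHR product; the roles, field names, patient record, and staff accounts are all constructed for illustration. The policy denies by default, scopes readable fields per role, requires clinical roles to have an active treatment relationship with the patient, refuses any request that asks for a field outside the caller’s scope rather than quietly trimming it, and writes an audit entry for every decision.

```python
"""Least-privilege access to patient records (added example, hypothetical policy).

Deny by default, grant fields per role, require an active treatment
relationship for clinical roles, and write an audit entry for every decision.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Hypothetical role-to-field policy, constructed for this example: each role
# sees only the fields its job needs. A role missing from the map grants nothing.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "clinician":    frozenset({"name", "dob", "diagnoses", "medications", "allergies"}),
    "nurse":        frozenset({"name", "dob", "medications", "allergies"}),
    "billing":      frozenset({"name", "dob", "insurance_id", "procedure_codes"}),
    "receptionist": frozenset({"name", "dob", "next_appointment"}),
}
# Clinical roles may only read patients they are currently treating.
NEEDS_CARE_RELATIONSHIP: FrozenSet[str] = frozenset({"clinician", "nurse"})


@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]


@dataclass
class PatientRecord:
    patient_id: str
    fields: Dict[str, str]
    care_team: FrozenSet[str]  # user_ids with an active treatment relationship


@dataclass
class AuditLog:
    """Append-only list of (user, patient, decision, detail) tuples."""
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def record(self, user_id: str, patient_id: str, decision: str, detail: str) -> None:
        self.entries.append((user_id, patient_id, decision, detail))


class AccessDenied(Exception):
    pass


def permitted_fields(user: User, record: PatientRecord) -> FrozenSet[str]:
    """Union of the fields the user's roles may read on this specific record."""
    allowed: set = set()
    for role in user.roles:
        role_fields = ROLE_FIELDS.get(role)
        if role_fields is None:
            continue  # unknown role contributes nothing (deny by default)
        if role in NEEDS_CARE_RELATIONSHIP and user.user_id not in record.care_team:
            continue  # clinical role, but not on this patient's care team
        allowed |= role_fields
    return frozenset(allowed)


def read_record(user: User, record: PatientRecord, requested: Sequence[str],
                audit: AuditLog) -> Dict[str, str]:
    """Return the requested fields or raise AccessDenied; every outcome is logged.

    A request is refused as a whole if it names any field the user may not see,
    so over-broad queries fail loudly instead of being silently trimmed.
    """
    wanted = frozenset(requested)
    refused = wanted - permitted_fields(user, record)
    if not wanted or refused:
        detail = ("refused=" + ",".join(sorted(refused))) if refused else "empty request"
        audit.record(user.user_id, record.patient_id, "DENY", detail)
        raise AccessDenied(f"{user.user_id} may not read {sorted(refused)} on {record.patient_id}")
    audit.record(user.user_id, record.patient_id, "ALLOW", "fields=" + ",".join(sorted(wanted)))
    return {name: record.fields[name] for name in wanted if name in record.fields}


def try_read(user: User, record: PatientRecord, requested: Sequence[str],
             audit: AuditLog) -> Tuple[bool, Dict[str, str]]:
    """Non-raising wrapper: (True, data) when allowed, (False, {}) when denied."""
    try:
        return True, read_record(user, record, requested, audit)
    except AccessDenied:
        return False, {}


# Constructed sample data; no real patients or staff.
RECORD = PatientRecord(
    patient_id="P-1001",
    fields={"name": "Sample Patient", "dob": "1970-01-01", "diagnoses": "J45.909",
            "medications": "albuterol", "allergies": "penicillin", "insurance_id": "INS-42",
            "procedure_codes": "99213", "next_appointment": "2024-09-03"},
    care_team=frozenset({"dr_lee", "rn_ortiz"}),
)
DR_LEE = User("dr_lee", frozenset({"clinician"}))      # treats P-1001
DR_KIM = User("dr_kim", frozenset({"clinician"}))      # same role, not on the care team
RN_ORTIZ = User("rn_ortiz", frozenset({"nurse"}))
BILLING = User("acct_01", frozenset({"billing"}))
FRONT_DESK = User("desk_02", frozenset({"receptionist"}))

if __name__ == "__main__":
    log = AuditLog()
    for who, what in [(DR_LEE, ["diagnoses", "allergies"]), (DR_KIM, ["diagnoses"]),
                      (BILLING, ["name", "insurance_id"]), (BILLING, ["diagnoses"]),
                      (FRONT_DESK, ["next_appointment"])]:
        ok, data = try_read(who, RECORD, what, log)
        print(who.user_id, "ALLOW" if ok else "DENY", data)
    for entry in log.entries:
        print(entry)
```

Two design choices matter more than the data model. First, the care-team check means that being a clinician is not enough to read a chart; the same role gets different answers for different patients, which is what stops the classic “curious staff member looks up a celebrity” breach. Second, the audit log records denials as well as grants, because a burst of refused requests from one account is exactly the signal a security team wants when credentials have been phished.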

Special Mention: The Dangers of Third-Party Integrations

Data breaches often occur not at the hospital itself but at the organizations it depends on: cloud and data storage providers, medical insurance partners, billing processors, and other third-party vendors and services. It’s easy to overlook that their systems interface directly with primary healthcare providers and often hold the same patient data. The danger of interlocked systems is that when a support or peripheral service goes down, it can take entire care systems down with it.

In August 2023, the Prospect Medical Holdings incident brought down medical facilities in several states. Surgeries, outpatient appointments, and other services had to be halted. In February 2024, cybercriminals breached Change Healthcare, a claims processing and insurance billing intermediary. The hack cut off healthcare providers from billions of dollars of revenue and left pharmacies across the US unable to process prescriptions for weeks.

The same scenario is currently playing out in London, where a Russian hacker gang used its access to a blood transfusion and pathology service provider to bring the acute and specialist care of 2 million people to a shuddering, months-long halt. Seven hospitals and their support services have had surgeries, blood tests, and transfusions disrupted or cancelled. Critically ill and injured people cannot get the care they need.

Is It Time for Collective Action?

Digitization and automation in the healthcare industry are increasing the risk of cyberattacks. It’s a collective risk that calls for collective action. The healthcare industry has the opportunity to strengthen measures for every stakeholder, from the largest hospital network to the smallest vendor with access to patient data. Steps may include security ratings earned through more stringent risk assessments than the current standards require, so that a hospital can judge the security posture of a partner before connecting to it.

The industry safeguards the privacy and well-being of the patients it serves. Its duty is to ensure the uninterrupted delivery of critical healthcare services. Whatever the steps forward, it must find better ways to mitigate the risks posed by cyber threats. 
