Modern healthcare delivery has evolved into a digitized, automated, and interconnected ecosystem. In 2022, an American Medical Association survey revealed around 93% of physicians consider digital health tools an advantage for patient care.
These advancements have greatly improved hospital management and medical service.
But as the digital age improves efficiency in health systems, these developments have placed patients and healthcare organizations at greater risk of cyber attacks. In 2021, healthcare was the sixth most targeted industry by cyber terrorists.
Medical organizations are lucrative targets for their wealth of patients’ protected health information (PHI)—a high-demand item on the black market.
Duc D. Lai CISM, CISSP, CEH, MBA, Vice President, Chief Information Security Officer at the University of Maryland Medical System tells TWIDH: “Healthcare is also more vulnerable than other industries due to older technology, Biomed devices, and historically lower investment in cybersecurity–although this is changing.”
Over the last few years, operations across diverse healthcare sectors: including dental offices, health insurance companies, ENT centers, hospitals, and more, have come under repeated cyber threats. In 2017, Accenture reported one in four American consumers has suffered from a healthcare data breach.
The value and vulnerability of information technology (IT) systems in healthcare make security a high priority in the industry. The appropriate measures are necessary to protect patients and healthcare organizations from internal and external attacks.
Issues Faced in Healthcare Cybersecurity
The current healthcare landscape is an interconnected network of digital systems. From electronic health records (EHRs) and intelligent heating, ventilation, and air conditioning (HVAC) structures to medical internet of things (IoT) like virtual wards, wearable biosensors, connected inhalers, and others—health organizations have become increasingly smarter through IT adoption.
Chasserae Coyne, Technical Product Manager at Reciprocity, a cyber risk management organization, speaks on the current healthcare climate: “As more organizations begin to offer telemedicine, they also need to recognize that there is a certain amount of risk associated with these types of services…such as adopting new systems and technologies…This added complexity can increase the risk of human error.”
She adds: “We’re (also) seeing an increase in third-party risk as more healthcare organizations explore cloud-based solutions.”
As custodians of sensitive patient information—health organizations are attacked for medical data, billing, and other valuable details.
Duc explains: “Because healthcare’s mission to provide patient care requires its systems to be up all the time, ransomware actors believe they have more leverage to get healthcare organizations to pay.”
Recognizing the potential danger to human life and medical operations, the Health Insurance Portability and Accountability Act (HIPAA) contains the Privacy Rule, which mandates physicians to protect patients’ protected health information.
This rule requires health entities to assess potential security risks and implement administrative, technical, and physical safeguards against attack.
Types of Healthcare Cyber Attacks
As providers rely more on digital technology, the primary concern is securing digital and operational assets against cyber threats.
Speaking broadly on cyber insecurity in healthcare, Chasserae tells TWIDH: “The digitization of healthcare has caused a significant uptick in ransomware, business email compromise (BEC) attacks, cloud compromises, medical device attacks, and supply chain attacks, according to research from the Ponemon institute.”
Cyber terrorists prey on poor security systems and shortcomings in data storage processes to carry out the following attacks:
Phishing
Phishing attacks target valued information like passwords, medical data, and billing information. This occurs by encouraging unwitting subjects to click a link shared via email, malicious websites, or other messaging systems.
When a target clicks on an infected link, the attacker can take over the computer or other parts of the interconnected network of a healthcare system. Typically, these attackers deny users access to the network by encrypting files until a ransom is paid.
Several industries have fallen victim to these attacks, with healthcare on the rise as a common hit. In 2021, Tessian, a security startup, ranked healthcare information as the third most compromised data during phishing attacks.
Highlighting the worrying boom in cyber attacks, the Department of Health and Human Services revealed only 4% of security breaches occurred via email in 2012. However, by 2020, that number had risen to 42%.
Ransomware
Healthcare infrastructure is a frequent target for ransomware attacks. A study by the University of Minnesota public researchers found that ransomware attacks on healthcare organizations increased from 43 to 91 cases between 2016 and 2021.
Hackers carry out this assault by gaining access to a computer system and encrypting files for ransom.
As organizations that require time-sensitive access to patient data, files, and machinery— hospitals and other health entities are more inclined to meet demands to resume regular activity.
More than two-thirds of hospitals in the United States have experienced a malware attack. Malicious software has led to system downtimes, ambulance diversions from affected emergency centers, and several care delivery disruptions.
DDoS Attacks
A Distributed Denial of Service (DDoS) attack is a targeted hit to overwhelm a network system.
A common occurrence in the post-pandemic world, attackers capitalize on the mass adoption of digital systems in healthcare to carry out these assaults. In 2022, the world saw a 90% increase in said attacks from 2019. Additionally, DDoS cyber assaults can render a network system or application inoperable by forcing it offline.
These attacks pose grim consequences for healthcare operations which can become forcibly grounded.
Patients are prevented from scheduling online appointments, with potentially graver outcomes for data loss.
DDoS attacks may bar providers from accessing emails, important patient records, prescriptions, and other information necessary for treatment.
Data Breaches
Data breaches occur with alarming frequency in the healthcare sector. HIPAA defines a data breach as: “the procurement, access, use or exposure of confidential health information illegitimately, which compromises the privacy or security of that confidential health information.”
These attacks come at an expensive financial and operational cost for care delivery. According to the HIPAA Journal, in 2021, an average of 1.95 healthcare data breaches of 500 or more records were reported daily.
IBM Security estimates the average cost of a healthcare data breach was around $10.1 million per incident in 2021.
These breaches may be internal, where a member of staff unintentionally or deliberately shares confidential information with a malicious third party. External assaults occur when an outside agent adopts hacking or other forms of attack to source health data for illicit use.
Measures to safeguard healthcare information
As frequent targets of cyber assaults, hospitals, and healthcare entities are hyperaware of the need to plan against malicious interference.
When mapping out security structures to protect against attack, Chasserae Coyne advises:
“Understanding what measures should be in place starts with understanding the threats and risks to your organization specific to connected healthcare systems—how does it increase your exposure and impact your risk tolerance levels?”
By properly assessing exposed points, organizations are better positioned to decide the firewalls, authentication procedures, staff training, and other measures to adopt against threats.
Emphasizing the importance of information security among staff and management, Duc Lai shares with TWIDH:
“You need to understand the sensitivity of the data being transferred, whether it will be encrypted in transit and storage. You must ensure that the people and systems that access the data are vetted and only access what they need. Systems and accounts should be properly monitored and maintained.”
Healthcare entities also limit the threat environment by securing operating systems and keeping these structures up to date. To manage the element of surprise, organizations should have a clearly defined game plan in the event of an attack.
The Bottom Line
Giving last recommendations on the future of cyber safety in healthcare, Duc D. Lai says: “investment in people, processes, and technology are critical to improving cybersecurity in healthcare. There is a lot of technical debt that needs to be overcome while at the same time keeping up with a dynamic and sophisticated threat environment. The challenge is prioritizing risks and focusing efforts to shore up defenses where the enemy is most likely to attack.”
Hi, Beth here! I’m dedicated to supporting healthcare and agritech companies as they connect with customers. Since 2020, I’ve set my law degree aside to help organizations effectively communicate with their audience.
