Introduction
Attacks on hospitals continue to increase in number and severity: over the past five years, six of the top 25 breaches have affected hospitals. The problem is only getting worse, for three reasons. First, healthcare is a rich target. Breached information such as contact details, Social Security Numbers, medical history, and other data paints a comprehensive picture of an individual. Once stolen, this information can be used to perpetrate frauds, order prescription drugs, or make fraudulent claims to providers.
Second, healthcare is an easy target: Electronic Health Records systems, telemedicine, the complex interrelationship of insurance companies, practitioners, specialists, patients, and others, all expose weak spots in the security fabric. Because keeping systems up and running is a matter of life and death, hospitals are easy targets for devastating attacks such as ransomware which cannot be ignored.
Third, healthcare is a vulnerable target, spending less than half as much on cybersecurity as other industries. In addition, COVID caused many hospitals to deemphasize data protection measures, leading to an increase in cyberattacks. Investments in security solutions are spread across multiple unconnected products that do not communicate. A barrage of alerts and false positives makes it hard for the security team to detect real threats. While spending time and money in the wrong places, breaches are carried out in the background. The cost to discover, mitigate and report attacks, and recover from reputational damage is the highest of any industry: an average cost per breached record of $408, with many breaches involving thousands of records. It makes sense to understand the top risks, why they matter, and how to deal with them.
Top Cybersecurity Threats Affecting Hospitals
Threat 1: Inadequate Security Practices
Many practices open the door to attacks, but poor identity security tops the list. Weak passwords, credentials changed too infrequently, and passwords reused for multiple sites and applications provide a beachhead for cyberattacks. A close second is the failure to ensure that employees, contractors, and other partners are trained in how to spot and avoid phishing attacks.
Hospitals that fall victim to an attack via a stolen password or a phishing attack often find themselves facing the threat of ransomware. In fact, the Department of Health and Human Services recently issued a warning to hospitals about prevalent ransomware including PYSA, considered one of the most dangerous ransomware variants targeting the healthcare industry in recent years.
Threat 2: Vulnerable Medical Devices
Hospitals rely heavily on medical devices, yet more than half of all Internet-connected devices commonly found in hospitals are vulnerable to cyberattacks. While such devices offer convenience and timeliness, they can create risk. More than 73% of infusion pumps have vulnerabilities that could be exploited to allow attackers to gain access to sensitive data. Moreover, a vulnerability in dozens of GE Healthcare radiological devices could have allowed access to sensitive data and even make the devices unavailable. Vulnerable devices provide an on-ramp into a hospital system and could allow criminals to lock up the digital network while demanding a ransom. Healthcare cybersecurity calls for protecting these devices via firewalls, anti-malware, intrusion detection systems, and identity management solutions.
Threat 3: Shadow IT
Shadow IT—devices or software that are used without the IT team’s awareness or control—can present a type of insider threat. Often installed or acquired by employees who are searching for a quicker, easier way to do their jobs, these devices and applications can leave the hospital open to data loss, exposure to exploitable vulnerabilities, and serious compliance issues. Many lack sufficient access control or fail to encrypt data at rest and in transit, allowing patient data to be intercepted, viewed, and stolen at any point in its journey.
Threat 4: Exploitable Vulnerabilities
Known vulnerabilities are easy to find: the National Vulnerability Database provides detailed information on security flaws in operating systems, software, and firmware, and their potential impact. To ensure healthcare cybersecurity, your IT team can apply patches or upgrade to more recent versions. The problem is that it is impossible to patch all vulnerabilities–and not all pose an immediate, critical threat. Your team needs to triage vulnerabilities, determining which are most likely to impact your hospital, and if so, which would be most damaging. By focusing on the most important, impactful systems and vulnerabilities, you can avoid becoming a real-world healthcare cybersecurity breach like Baptist Medical Center, where the private data of more than 1.2 million people was exposed when a website exploit allowed a cybercriminal to access their network.
Threat 5: Inadequate Risk Assessment
Many hospitals fail to conduct an annual risk assessment or risk quantification study, and are thus unable to detect and close gaps. A risk assessment must take into consideration threats from everywhere: the perimeter, inside the organization, and the supply chain. It should determine the real risk of ransomware, data leaks, phishing attacks, malware, and other threats, categorizing risk based on how vulnerable your systems are, the likelihood of your organization being attacked, and the damage that could result from a breach.
Conclusion
A thorough analysis of threat sources will show which of the above will most likely impact your organization, and which systems and data are the most vulnerable. Because not all vulnerabilities can or should be mitigated, your focus can be on those that are most likely to do actual harm if exploited. This analysis can translate abstract technical risks into the actual business risk to your organization. Armed with this information, you can be prepared for an eventual breach.
Plan today for how you will cost-effectively mitigate in the event of a security breach. Beef up identity management, carefully vet medical devices to ensure they can be updated and patched, discover and secure Shadow IT, patch vulnerabilities in critical systems, and institute annual risk assessments. As in every aspect of life, preparedness is key.
To learn how your organization can assess, quantify, and cost-effectively mitigate cyberthreats, contact CYE for a demo.