Healthcare ransomware attacks have become more common in recent years, and in many cases, caused considerable damage. At least 148 U.S. healthcare organizations fell victim to a ransomware attack in 2021, the most attacked industry, according to a March 2022 HIPAA Journal report.
With increasing threats from overseas, growing cybercriminal organizations, and the COVID-19 pandemic, it’s no surprise a sharp rise in breaches and healthcare ransomware attacks has occurred across the healthcare ecosystem.
As the situation grows more volatile, it’s vital to understand why threats like breaches and healthcare ransomware attacks exist and ways ambulatory practices can work to reduce cybersecurity risks.
The Most Valuable Record
It’s not just the patient health information (PHI) the record contains that makes it valuable to cybercriminals, but the other information that accompanies PHI, such as addresses, birth dates, Social Security numbers, and even more obscure data such as insurance policy numbers, all of which someone can use to impersonate patients and commit identity theft.
With this stolen information, a cybercriminal can more easily steal someone’s identity because they now know important information no one else does. It’s what makes health records so valuable — not always the record itself, but what can be done with the information.
The average healthcare industry breach is so expensive because of the costs of remediation, recovery, legal actions, and regulatory fines. In 2021, the average cost of a healthcare breach was $9.23 million, up 29.5% from $7.13 million the previous year, according to the IBM Cost of a Data Breach Report 2021.
Taking it a step further, by failing to keep patient records private, an ambulatory practice could face substantial penalties under HIPAA’s Privacy and Security Rules, suffer harm to its reputation, and severely impact patient safety. A hacker’s access to private patient data not only opens the door to stealing information but possibly even to altering the data — severely impacting patient health and outcomes.
Many cyber gangs list ‘medical organizations’ as non-targets. But, that hasn’t stopped them from executing attacks on hospitals, health delivery organizations, pharmaceutical companies, and other entities in the sector.
Since 2020, the health sector has seen a rapid rise in cyberattacks. Ransomware has been the main form of attack.
Cybercriminals have claimed that healthcare providers have only been collateral victims. Yet, some have deliberately targeted hospitals to obtain classified medical records, transactions, and other sensitive patient data. This article will uncover the main cybersecurity challenges facing the healthcare industry, as well as some solutions to the main threats.
Top Cybersecurity Challenges for Healthcare Organizations
Ransomware gangs have stepped up their attacks on critical national infrastructure, including healthcare.
A survey from 2021 interviewed 597 health delivery organizations. 42% of them reported being victims of at least two ransomware attacks in previous years.
Ransomware is usually distributed through phishing emails carrying a trojan, disguised as a link or an attachment. When a user clicks the link or opens the attachment, the trojan executes and the ransomware is ready to strike.
By Dirk Schrader, resident CISO (EMEA) and vice president of security research, Netwrix.
Ransomware is steadily increasing each and every year, with the healthcare and hospital industries suffering among the most. In 2021, we saw that “The healthcare sector is seeing the highest volumes of ransomware attempts, averaging 109 attempts per entity, every week.”
Why is this sector being targeted specifically? They hold extremely sensitive patient data and information. Hackers are working more diligently than ever to find data, threaten hospitals and providers, and even extort individuals themselves. With such a high amount of cybercrime, how can this sector protect itself and its patients? To start, by learning about security trends and working to implement them where they can.
Here are five security trends we’ll see more of in 2022:
Cybercriminals will be increasingly greedy.
In 2022 attackers will search for new ways to monetize access to large data troves. This may lead to changes in the tactics, techniques and procedures of threat actors: they will begin to extort individuals rather than the infiltrated companies themselves. The healthcare industry is especially prone to this trend. The data generated and held by the healthcare sector is life-changing for many people and can easily be misused.
Consider this possible scenario: by extracting and aggregating personal data about hundreds of thousands of diabetic patients (34.2 million people alone are diabetic in the US), threat actors might try to ‘offer’ cheaper drugs to the individual patients, extracting money from a highly vulnerable group. If such a scheme can trick, let’s say, ten thousand victims to pay $500 for Insulin (instead of about $1,000 on average), the amount of money on the table is substantial.
Medical device IoT will create more security gaps.
More and more medical devices are being connected using vulnerable IP stacks or old web server packages which cannot be easily patched, as doing so would jeopardize the device’s certification for medical use. In 2017, around 10 billion medical devices were connected to the internet, with an expected jump to 50 billion by 2027. While this connectivity has created so much opportunity for advances in the medical field, it has also created a new set of vulnerabilities.
Frequently, the task of configuring a medical device is considered done when it operates within the parameters of the medical process it is supposed to support or enable. Any additional security aspects are overlooked and often neglected. As long as these medical and IoT devices remain unmanaged, unmonitored and improperly updated, this exposure risk will continue to be exploited by threat actors throughout 2022 and beyond.
With the rapid shift to telehealth stemming from the pandemic, both deployment and adoption of patient portals increased. This surge in usage has exposed security vulnerabilities, and we’re now seeing that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year the latter alone cost the healthcare industry nearly $21 billion in downtime, affecting 600 providers nationwide.
COVID-19 transformed the healthcare landscape, making patient portals and telehealth the primary means by which to communicate with providers, access treatment plans and other documents and process payments. Given the convenience this affords for patients and providers alike, these digital experiences will likely remain a primary part of the healthcare industry for years to come. As organizations continue to invest in patient portals and other telehealth innovations, it’s critical that they are cognizant of the myriad security concerns.
It should come as no surprise that hackers view patient portals as an extremely attractive target—credit card data, personally identifiable information (PII) and personal health information (PHI) are all accessible via these platforms. Unfortunately, because patient portals were designed with the user experience in mind, it’s not uncommon for them to have minimal security to make the process as frictionless as possible. Hackers are only too eager to exploit this and other security holes, so it’s critical that organizations address these concerns. With that in mind, read on for five important steps to shore up these vulnerabilities and enhance patient portal security.
Screen for Compromised Credentials
In many cases patient portals are secured solely by a password, something that is widely recognized as a poor security practice, particularly for accounts that contain such sensitive information. This is largely due to the pervasive problem of reusing passwords across multiple sites, something 59% of respondents in a recent survey admit to doing. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that bad actors could launch a successful account takeover (ATO). To address this and other password-related vulnerabilities, providers should screen credentials against a dynamic database of known-compromised passwords to ensure that patients aren’t inadvertently opening the front door to hackers. Given the rate at which data breaches occur, it’s also important to perform this screening on an ongoing basis, rather than solely when a patient enrolls in the portal.
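The screening step described above, as an added example that is not part of the original article: a portal checks a candidate password against a breach corpus using the k-anonymity range-query pattern (the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally), and re-screens at login whenever the corpus has been updated since the account was last checked. The breach corpus, counts, account class and function names are all constructed for this illustration.

```python
"""Compromised-credential screening for a patient portal (illustrative).
Client side hashes the password, sends a 5-char prefix, matches the suffix
locally; server side never sees the full hash."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for a breach corpus; counts are made up. A real
# deployment would query a breached-password service instead of this dict.
_LEAKED = {"password": 3_000_000, "123456": 9_000_000, "Welcome1": 42_000}
CORPUS_VERSION = 1  # bumped whenever new breach data is loaded


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_index(leaked: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index leaked hashes by 5-char prefix -> {35-char suffix: count}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


_INDEX = _build_index(_LEAKED)


def range_query(prefix: str) -> Dict[str, int]:
    """Server side: return every known suffix for a 5-char hash prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(_INDEX.get(prefix, {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)


@dataclass
class PortalAccount:
    username: str
    screened_at_version: int = 0  # corpus version of the last screen


def screen(password: str, min_length: int = 12) -> Dict[str, object]:
    """Policy decision at enrollment or password change."""
    count = breach_count(password)
    reasons: List[str] = []
    if count > 0:
        reasons.append(f"seen in {count} breached records")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return {"accept": not reasons, "reasons": reasons}


def screen_at_login(account: PortalAccount, password: str) -> str:
    """Ongoing screening: re-check only when the breach corpus has advanced
    since the account was last screened. Login is the moment the plaintext
    is available, since the portal's stored password hash cannot be compared
    against SHA-1 breach lists. Returns the portal's next action."""
    if account.screened_at_version >= CORPUS_VERSION:
        return "ok"
    account.screened_at_version = CORPUS_VERSION
    return "force_reset" if breach_count(password) > 0 else "ok"
```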
Cybersecurity has been a major concern facing many digitalized businesses. Hackers have developed more sophisticated ways to breach security systems and steal essential data from businesses. Such security issues may cause significant financial loss and bring a business down to its knees.
Healthcare is one of the sectors that has been hit hardest by cybercrime. This is due to the sector’s adoption of technological advances in areas like storing patients’ data. Unfortunately, while the technology has positively impacted the provision of services, it has also created an opportunity for hackers to attack and steal information. As a result, healthcare has become an easy target for cybercriminals because of the nature of its information systems.
Reasons For Cyberattacks On Healthcare
As stated, the healthcare sector isn’t immune to cyberattacks and other forms of security breaches by criminals. The sector is targeted because of the many security gaps it has.
Here are some of the reasons why healthcare is targeted:
The Password Problem
One of the major concerns affecting healthcare is the lack of good passwords. The password problem arises when healthcare workers don’t set strong passwords on their devices for fear of forgetting them. In turn, they end up using weak passwords, such as their phone numbers or names.
This makes it easy for attackers to breach security and steal important information. In addition, colleagues can guess simple passwords, and they can use them to access your accounts. The password problem affects many businesses, as well as individuals. You should, therefore, be creative with your password and make it unique.
Lucrative Medical Records
Medical records always contain important information that could be lucrative to hackers when they sell them. Such information includes names, contact information, and credit card numbers when patients pay bills through bank cards. The attackers can then use these pieces of information to directly attack the patients or sell them to other people.
Because some medical facilities aren’t well-protected from security breaches, the patients’ data aren’t safe. Therefore, attackers use these loopholes to launch attacks on people.
With vaccinations underway, it’s becoming possible to envision the light at the end of the pandemic tunnel; however, the post-COVID world will have some notable differences. One such example is the likely requirement of “immunity passports” to do any number of things: have elective surgery, attend college, or travel internationally.
The European Union, China, Israel and Japan are among the nations that have launched or plan to unveil such programs. In the U.S., states will be in charge of developing their programs with federal support as required. Given the partisan differences surrounding the pandemic response and economic recovery, this is likely to introduce numerous challenges in and of itself. But political concerns aside, the emergence of more coronavirus tracing apps and programs also brings some serious security challenges.
As PBS’ Laura Santhanam recently put it, “Unlike the physical [vaccination card used to track Yellow Fever], there are growing concerns about data privacy as documents verifying COVID-19 vaccination would exist and generally be accessed digitally.” In fact, these concerns are so pressing that a new Forrester report includes the vulnerability of COVID-19 apps as one of the five major problems which could impede post-pandemic progress in 2021.
With that in mind, let’s take a look at some of the chief vulnerabilities and what governments and businesses alike should be cognizant of as these apps become more mainstream.
Improper Access Controls. Hospital administrators. Physicians. Insurance adjusters. Claims specialists. Pharmacy techs. The list of potential roles that could access vaccination data is massive, and that’s just within the healthcare setting. When you expand to other industries, the list is virtually endless. In order to protect sensitive data, it’s important that all COVID-19 apps and programs are designed with strong role and event-based access controls.
For example, a doctor may require “Write” access in order to edit or add information pertinent to a patient’s immunity or reaction to the vaccine. However, this permission should be the exception rather than the norm as hackers could wreak havoc should they be able to manipulate data within these apps and programs.
Response from Sarah Johnson, RN and the health ambassador, Family Assets.
I’m an RN and the health ambassador for Family Assets, an eldercare and senior living resource for older adults and caregivers.
Working in eldercare and watching how telehealth technology has radically reshaped geriatric care during the pandemic, I think the most important question healthcare technology professionals should be asking themselves right now is: given that hospitals and healthcare facilities have been prime targets for cybercriminals, largely because of aging infrastructure, what needs to be done to make the rapidly expanding healthcare tech industry more secure?
I think the obvious answer to this is the development of much more robust digital security protocols at individual institutions and a massive educational initiative for healthcare providers and workers. This should include, among other things, scheduled stress testing that probes for cybersecurity vulnerabilities.
Too many organizations, within and outside of healthcare, are completely unprepared for the cyberthreats they face and are not diligent enough when it comes to monitoring and probing for weaknesses.
All healthcare technology professionals should have this issue front and center
While cybersecurity is an issue constantly addressed by the media and something small and large businesses alike are consistently focusing on, one of the biggest digital dilemmas comes from the healthcare system. This may be unsurprising, given that financial records and personal data are all stored within patient care files. Hackers are fully aware of the value of this data, and it’s about time that the medical industry shows that it does as well.
Sadly, one in four consumers have had their healthcare data breached. This calls for swift action by the players in the field. Some experts think that the answer can be found in blockchain. That’s right — the same technology that secures Bitcoin and other cryptocurrencies could soon become the key to protecting patient records.
While there have been ongoing discussions among government and finance officials about the actual risks of cryptocurrency, it’s generally agreed upon by tech experts that blockchain is one of the most secure ways to go. Will the world see this technology implemented into its healthcare systems soon, though? It’s very possible that the answer is “yes.”
The Security of Blockchain Makes It the Best Ledger for Healthcare Networks
The reason that blockchain technology is becoming a regular part of public discussion and being normalized in new industries so frequently is its transparency and security measures. It’s garnered public, private, criminal, and government interest due to this, and it’s doubtful that its popularity will stop anytime soon. But what is it about the ledger that makes it so safe?
Primarily, it’s the unique approach it takes to security keys. There wouldn’t be a way for someone to modify or corrupt information within a blockchain system without the relevant key. At one point it was even believed that the technology was unhackable. While there is still debate over what it means to hack blockchain networks and whether or not it’s even been done, that debate still points to the safety of those networks at large. Without a doubt, it is the most secure ledger for protecting personal data — and hospitals may need it the most.
Making It Official
The lengths to which blockchain is being adopted cannot be overstated. Government officials are starting to explore the technology, and the big four investment firms are even beginning to pay attention to it. But what does this mean for the healthcare industry?
Well, right now blockchain still is not the norm. Currently, if a hospital or healthcare organization wants to adopt it, they are probably making the best move in terms of security.
While there are downsides to this kind of mass adoption (discussed at further length below), it also calls for advancements to be made, which could better these systems as a whole. It should be noted that with something as new as blockchain technology hitting the greater market, there are a lot of changes bound to happen that cannot be accurately predicted.
The Adaptation of Blockchain in Culture May Challenge Security
Granted, it is very important to recognize that blockchain’s mass acceptance could adulterate the technology. With businesses at large implementing it into their operations and the parallel use of mobile money tools in modern society, people are going to start looking for loopholes. Hackers are going to make it their duty to try and disrupt it.
For this reason, there needs to be external precautions set up for security. A good example is business insurance — something necessary for every hospital, even with blockchain implementation. The loss of mass amounts of data is bound to occur, so hospitals need to be protected, even when their systems seem foolproof.
Right now, hospitals and organizations at large need to understand that blockchain is a very important technology to the future of healthcare. But it cannot be solely depended on, either. Other precautions need to be taken by the healthcare industry to protect patient data. Blockchain may be the best option healthcare networks have for data
It is not uncommon, in today’s age, to do large amounts of personal business online. This includes discussing or sharing medical records. You may think that any place that shares your medical records online would invest in intense digital security, but you would be surprised.
It takes just a small mistake on the part of the health organization working with your records for your data to be breached. In fact, there have been multiple examples of large medical organizations allowing thousands of patients’ information to be leaked.
In 2010, Columbia University Medical Center and New York-Presbyterian Hospital were victims of cybersecurity attacks involving the theft of close to 6,800 patient records. A Temple University doctor had his laptop stolen, which contained the private medical files of nearly 4,000 patients. These are just two of far too many examples.
Part of the problem is that these records are being protected by individuals not properly trained in digital security. Medical professionals all know about HIPAA (the Health Insurance Portability and Accountability Act) — a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers.
They know that you don’t share medical information with anyone who isn’t approved in writing by the patient. But even that standard is often broken by some medical professionals. So, if some people in the medical industry are willingly leaking information, just imagine how often information is leaked accidentally.
So, what can you do? As with most instances of digital security, it is best to take matters into your own hands. The only person who will always, 100 percent of the time, advocate for you – is you. It is vital that you do everything you can to protect yourself and your data when going online. This can prevent others from ascertaining your location, medical data, personal data, and much more.
Let’s take a look at a few ways that you can protect yourself in the digital realm:
Be aware with whom you are communicating
It might be obvious that you shouldn’t send personal information to strange email contacts or social media profiles, but not everyone considers the authenticity of medical websites. Oftentimes people will look up medical advice and find themselves sharing personal details with any random website that offers to let them chat with a “real” medical professional.
These websites can not only put your medical information at risk but also your credit card information since we guarantee you won’t get to chat with anybody without coughing up your card number.
Beyond that, it is also important to consider the applications your medical facility is using to share your information. Before agreeing to access your data digitally, look into the software they are using to ensure it is considered respectable and safe.
The implementation of electronic health records (EHR) is not a new thing in the industry. The digital wave has completely transformed the way medical records are maintained. With increased demand for efficiency and faster solutions, more and more medical practices are embracing EHR to simplify and organize their data storage process. Initially, many providers were reluctant and hesitant to use EHR. However, with Medicare and Medicaid incentive programs, providers are encouraged to adopt EHR. As a result, since EHR implementation began in 2009, around 73 percent of providers have registered for the EHR incentive program.
However, some challenges still hinder EHR adoption and slow down the process for many. The initial implementation may be easy, but the user experience has not been a good one for many.
Here are some of the obstacles that medical practices, healthcare professionals and others from the healthcare industry face while leveraging EHR: