While cyberattacks are among the gravest threats faced by every business sector, hospitals are especially vulnerable. According to the Herjavec Group, the healthcare industry suffered three times as many cyberattacks in 2019 as the average for other industries. Similarly, ransomware attacks on healthcare organisations quadrupled between 2017 and 2020, according to Cybersecurity Ventures. Over the same period, HIPAA Journal reported a 473% increase in healthcare email fraud attacks.
The unfortunate truth is that the sector is a hugely attractive target for cybercriminals because of the kind of sensitive information it stores. Moreover, according to BlackBook Research, 2020 will be the worst year ever for cyberattacks. Getting healthcare cybersecurity right is becoming a must.
Cyberattacks do not only compromise patients’ privacy. They cause significant damage to an institution’s reputation as well. The American Journal of Managed Care reported that healthcare organisations saw advertising costs rise by 64% a year for the two years following a cyberattack, spent managing public perception and recovering trust.
With medical devices carrying 6.2 vulnerabilities each on average, and 60% of them already at end-of-life – meaning no further upgrades or patches are available – healthcare organisations are particularly exposed. The risk is greatest during highly abnormal periods such as the Covid-19 pandemic, when healthcare professionals are stretched thin and the supporting business ecosystems are not operating at normal pace or strength.
Why target healthcare?
The main reason today’s cyberthieves target healthcare is the one the infamous bank robber gave for holding up banks: “That’s where the money is.” In our hyper-connected world, stolen healthcare records are worth a fortune. The going rate for a stolen credit card number with CVV is about $1. For a username and password on Amazon or Uber it is $2 to $4. For a stolen medical record? $20 to $50, according to a 2017 report from Aite Group/Trend Micro. Premium prices for premium value.
Consider the lucrative opportunities latent in the stolen file of an accident victim who ends up hospitalised. There is the potential for identity theft from the patient’s personal information, and the opportunity to fraudulently obtain medical services and prescription drugs. But the real goldmine in healthcare records theft is insurance payment fraud. Clearly identified in that file are dozens of people who deal with that patient and will be entitled to payment (some of it very large) from the insurance company or other payer: EMTs, ambulance drivers, all the emergency room personnel, the operating room personnel, the attending physician, the floor nurse and the anaesthetist.
All told, there are easily more than 50 different people in that one medical “supply chain” – 50 different points at which cyberthieves can make money. The number of intrusion points grows further during a pandemic, when a medical supply chain is enlarged and disrupted to meet the needs of an emerging health crisis. The thieves bide their time, knowing when to enter the payment stream, then impersonate an individual, claim payment, receive payment and move on to the next person and the next record. They have learned that, alongside current claims such as a normal hospitalisation, there are additional earning opportunities in ongoing claims for long-term ailments.
That is not the only reason for targeting the healthcare industry. It is an unfortunate fact that most healthcare institutions remain lax or lagging in their cybersecurity, unlike, say, the financial industry, which has always made security a priority and kept it one as it moved online. The same is true of online retailers, which built security into their digital offerings from the start. The healthcare industry had no comparable security culture to draw on as it was thrust into the internet age. According to Healthcare Finance, health organisations on average devote only 4-7% of their IT budget to cybersecurity, compared with an average of 15% in other industries.
In 2008, only about 10% of hospitals were using basic electronic record systems, according to US News. By 2014, that number had risen to nearly 97%. Many healthcare organisations simply lacked the institutional preparation to adopt new information technologies over such a short period. In fact, many small to medium-sized organisations view cybersecurity not as a key tenet of their industry but as a mandate forced on them by larger hospitals or governments. That goes a long way towards explaining why roughly 90% of healthcare organisations have experienced a data breach within the last three years, with roughly 60% having experienced five or more attacks, according to BlackBook Research.
Cybersecurity maturity is a long way off for too many healthcare organisations, and the reality is that far too many of those institutions are highly vulnerable to cyberattacks, especially during tumultuous periods like the Covid-19 crisis. When healthcare institutions’ private-sector partners are no longer operating at full capacity, the challenges are greater still. Pandemics are ideal times for cybercriminals to strike precisely because of the confusion and reduced efficiency they bring.
“He’s calling from inside the house.”
Perhaps the greatest threat is actually internal: trusted employees have broad access to a vast amount of private and valuable data, and, like Ed Snowden smuggling classified NSA documents out on a thumb drive, they can exploit that access for nefarious purposes. The money to be made from stolen records can turn once-honest employees into thieves, whether by stealing records at the behest of cyber-fences or by handing over access credentials that permit direct access. It also tempts dishonest individuals to seek employment or contracts precisely for that access. Nor can accountability from fellow employees be relied upon when nearly a quarter of all US health employees have never received any cybersecurity awareness training, according to Health IT Security.
And while the hospital’s cybersecurity experts are busy building up the security perimeter and hardening the networks against external hackers, these trusted employees and contractors can operate undetected under their noses, doing untold harm. Just like in the horror movies: “He’s calling from inside your house!”
At least three priorities should drive the next cybersecurity steps for healthcare:
- Strong authentication
HyTrust puts it this way: “The most important and fundamental control to protect privileged accounts is strong authentication, which means two-factor authentication so that borrowing or stealing a password isn’t enough to gain access to privileged accounts.” Yet according to the Healthcare Information and Management Systems Society (HIMSS), only 60% of US healthcare organisations have implemented two-factor authentication. The choice of factor matters as much as the count: a phishing-resistant second factor such as a hardware token is a far stronger control than a code sent by SMS, which can be intercepted or socially engineered.
- Proven, certified solutions
Too many healthcare executives who thought they were protecting the enterprise have been dismayed to discover that their investments bought only the dangerous illusion of security. Sometimes that is because they purchased good but stand-alone point products, leaving gaps between the components for cyberthieves to exploit. Increasingly, though, it is because the market is flooded with “solutions” of dubious quality.
As a sudden downpour in a big city floods the pavements with vendors of shoddy umbrellas, so the cybersecurity field has attracted newcomers who might previously have been developing social apps or games until the demand for cybersecurity products drew them in. Organisations need solutions developed by experts with both cybersecurity and healthcare experience.
To avoid wasting investments and suffering intrusions, healthcare institutions should look for the HITRUST “seal of approval”. The HITRUST Alliance, a non-profit, maintains an independent framework for assessing how well security solutions protect sensitive information. Its healthcare module is particularly robust, certifying that systems satisfy the mountain of state and national healthcare security and privacy regulations. One caveat: certification attests to the controls in place at the time of assessment, not to the absence of vulnerabilities, so certified products still need patching and monitoring like any other.
- Behavioural analytics
By far the most important protection against internal cybertheft is behavioural analytics. Hospitals need a systematic way of learning employees’ normal behavioural patterns: which systems they use, when, and how. From that baseline they can set thresholds, monitor in real time, receive alerts about unusual activity or deviations, and cut off access if the deviation warrants it.
Instead of concentrating on breach and crisis control after the fact, behavioural analytics offers the ability to head off a breach before harm is done. A well-tuned system learns quickly and steadily produces better information and fewer false alerts, though it needs a representative baseline period and ongoing tuning, and its thresholds have to be calibrated against a unit’s genuine workload so that legitimate night shifts and cover staff are not flagged. Has an employee begun accessing systems they never used before? Are they logging on at odd hours? Have they begun printing documents they used to download, or saving them to a thumb drive? Behavioural analytics of this kind could well have caught Ed Snowden red-handed.
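The three checks just described (new systems, odd hours, new actions such as printing or copying to USB) reduce to a baseline-and-deviation rule set. The following is an added example written for this page, not code from the article or from any vendor: it builds a per-user baseline from a few constructed access-log lines, scores a second batch of constructed lines against it, and turns the weighted alerts into a recommended action. The log format, the user names (jdoe, mlee, temp01), the weights and the suspension threshold are all assumptions; a real deployment would use a much longer baseline, many more features and per-department calibration.

```python
"""
Added example (not from the article): a minimal baseline-and-deviation
detector over constructed access-log lines. It illustrates the checks the
text describes: new systems, odd hours, and new actions such as printing
or copying to USB. Log format, user names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: "<ISO timestamp> <user> <action> <system>".
BASELINE_LOG = """\
2020-03-02T09:12:00 jdoe login EHR
2020-03-02T09:40:00 jdoe view_record EHR
2020-03-02T14:05:00 jdoe download EHR
2020-03-03T08:55:00 jdoe login EHR
2020-03-03T10:20:00 jdoe view_record EHR
2020-03-03T16:30:00 jdoe download EHR
2020-03-04T09:05:00 jdoe login EHR
2020-03-04T11:00:00 jdoe view_record BILLING
2020-03-04T17:10:00 jdoe download EHR
2020-03-02T08:30:00 mlee login PHARMACY
2020-03-02T12:00:00 mlee dispense PHARMACY
"""

NEW_LOG = """\
2020-03-10T08:45:00 mlee login PHARMACY
2020-03-10T13:00:00 mlee dispense PHARMACY
2020-03-10T09:03:00 jdoe login EHR
2020-03-10T10:15:00 jdoe view_record EHR
2020-03-10T23:41:00 jdoe login EHR
2020-03-10T23:50:00 jdoe print EHR
2020-03-11T00:05:00 jdoe usb_copy EHR
2020-03-11T00:20:00 jdoe view_record PHARMACY
2020-03-11T02:00:00 temp01 download EHR
"""

HOUR_SLACK = 1  # hours of tolerance either side of the observed active window
# Assumed weights: exfiltration-style actions count for more than timing alone.
WEIGHTS = {"new_system": 2, "new_action": 3, "odd_hour": 1, "no_baseline": 2}
SUSPEND_THRESHOLD = 5  # assumed cut-off: at or above this, recommend suspending access


def parse(log_text):
    """Turn log lines into (timestamp, user, action, system) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, system = line.split()
        events.append((datetime.fromisoformat(ts), user, action, system))
    return events


def build_baseline(events):
    """Per-user profile of systems touched, actions taken and hours active."""
    baseline = defaultdict(lambda: {"systems": set(), "actions": set(), "hours": set()})
    for ts, user, action, system in events:
        profile = baseline[user]
        profile["systems"].add(system)
        profile["actions"].add(action)
        profile["hours"].add(ts.hour)
    return baseline


def score_events(events, baseline):
    """Return (timestamp, user, reason) alerts for each deviation from the baseline."""
    alerts = []
    for ts, user, action, system in events:
        profile = baseline.get(user)  # .get() does not create a default entry
        if profile is None:
            # Surge staff or contractors with no history cannot be baselined yet.
            alerts.append((ts.isoformat(), user, "no_baseline"))
            continue
        if system not in profile["systems"]:
            alerts.append((ts.isoformat(), user, "new_system"))
        if action not in profile["actions"]:
            alerts.append((ts.isoformat(), user, "new_action"))
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if not (lo - HOUR_SLACK <= ts.hour <= hi + HOUR_SLACK):
            alerts.append((ts.isoformat(), user, "odd_hour"))
    return alerts


def verdicts(alerts):
    """Aggregate weighted alerts per user into a recommended action."""
    totals = defaultdict(int)
    for _, user, reason in alerts:
        totals[user] += WEIGHTS[reason]
    return {user: ("suspend" if score >= SUSPEND_THRESHOLD else "review")
            for user, score in totals.items()}


def run_demo():
    """Build the baseline from historical lines, then score the new lines."""
    baseline = build_baseline(parse(BASELINE_LOG))
    alerts = score_events(parse(NEW_LOG), baseline)
    return alerts, verdicts(alerts)


if __name__ == "__main__":
    found, decisions = run_demo()
    for alert in found:
        print(alert)
    print(decisions)
```

Run as a script, it lists seven alerts for jdoe (three odd-hour logins and actions after 23:00, two never-seen actions in print and usb_copy, and a first touch of the PHARMACY system), none for mlee, whose daytime pharmacy activity stays inside the learned window, and a single "no baseline" alert for the contractor temp01. The weighted totals put jdoe over the suspension threshold and temp01 into review only, which is the point of the weights: an unknown account needs a human look, while a known account printing and copying records to USB at midnight justifies cutting access first and asking questions afterwards.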
Given that your healthcare institution is exposed to those who would profit from it, ruining your reputation and exposing your patients to harm along the way, are you prepared to defend against them? Attacks on healthcare institutions will only increase unless protection is strengthened, and future attacks may not just be costly but matters of life and death.
The uncomfortable reality is that more and more of your tools will be smart devices connected to the internet, and it is no longer difficult to imagine cyberthieves breaking in at any point and demanding a ransom before you can treat your patients.
Just as with a viral pandemic, the sooner healthcare organisations understand the cybersecurity threats they face, take the right precautions to prepare, and implement the right solutions to eradicate the threat, the better.