Healthcare records contain some of the most valuable and valued personal information we have. But are those records safe, and if they’re not, what does that mean? What are the potentially disastrous consequences if rogue agents were to hack or otherwise get hold of records and documents that contain some of the most intimate details of our lives? In short, if these healthcare details are accessed and misused, sold, altered, or shared with the wrong people, the health of millions of patients could be compromised, in addition to the logistical and financial fallout for the healthcare industry.
Patient information holds great monetary value. This reason and others make the healthcare sector one of the most attacked and targeted sectors in 2023.
Shawn Dickerson, writing for Security Magazine, reports that while cybercrime on a global scale will net an estimated $10.5 trillion by 2025, the average price tag of a healthcare data breach has climbed to a staggering $10 million, according to IBM Security's annual Cost of a Data Breach Report. This makes cybercrime more profitable than the international drug trade, outpacing all major economies apart from the U.S. and China.
While cybercriminals worldwide send out an estimated 3.4 billion phishing emails a day in a coordinated effort to compromise systems and access crucial data, the U.S. healthcare industry is a primary target for these attempted breaches. A 2021 Sophos healthcare study reported that 61% of respondents paid ransoms, a higher rate than any other sector, and that ransomware attacks increased a shocking 94% in a single year. The pandemic further complicated the situation by putting additional pressure on these already overstressed areas; healthcare employees were under a great deal of stress, leaving networks vulnerable to hacker infiltration. In addition, Dickerson writes that cyberattacks against the systems used by both large and small-scale healthcare providers – including phishing emails – have increased an alarming 600% after COVID-19 transformed the healthcare and cybersecurity landscapes forever.
The high value of patient records – medicines required, including life-sustaining or life-saving dosages; confidential diagnoses and conditions – makes them a particular target for ransomware, as the choice is often between paying the ransom or risking a patient’s life. This is a zero-sum game where the stakes couldn’t be higher. Healthcare providers – already unduly stressed before the pandemic – rely on accurate digital records to treat and serve their patients.
On the dark web, the cybercriminal playground, protected health information (PHI) is worth a staggering amount of money. To put it into perspective, the ransom for stolen patient records starts at $1,000 each, while credit card numbers sell for $5 each, with a hacked Instagram account going for $7 and Social Security numbers netting only $1. Stolen medical records allow cybercriminals to obtain medications available only by prescription (and then resell them), or to cash in by filing fraudulent medical claims, among other nefarious activities. And while credit cards and bank accounts can be cancelled or closed, medical records cannot be replaced, so the permanence and importance of the data make them far more damaging when stolen. In addition, a breach compromises patient care by service providers, which must respond to patient crises and incidents in a timely and accurate manner or else risk degrading the quality of patient care and healthcare outcomes.
There have been several attacks in recent months, and what was called an “unprecedented attack” at the time occurred in 2022.
USA TODAY reports that a more recent cyber incident (August 2023) at facilities operated by California-based Prospect Medical Holdings, with clinics and hospitals in California, Texas, Connecticut, Rhode Island, and Pennsylvania, “disrupted hospital computer systems in several states, forcing some emergency rooms to close and ambulances to be diverted.” This was not only a logistical issue, but a life-and-death issue as well. Several primary care facilities were also shut down for several days. The company responded by enlisting the help of cybersecurity specialists and taking the systems offline.
The attack was also covered by The Guardian as well as Forbes and CBS, which reported that the “healthcare industry continues to be the top target for cyberattacks in the year ending in March (2023). For the 13th straight year, that sector reported the most expensive breaches of any field, averaging $11 million each. That's nearly double the average impact of a breach on the second-largest sector, finance, at $5.9 million each.”
According to Forbes, digital records were so compromised that the systems had to revert to paper. Moving data between offline and online systems creates a greater likelihood of error, as data must be transcribed back and forth between systems.
In a blog on their site, Swivel Secure detailed 9 Reasons Healthcare is the Biggest Target for Cyberattacks, stating that “high demand for patient information and often-outdated systems are among the nine reasons healthcare is now the biggest target for online attacks.”
Chief among those reasons is that private patient information is worth a lot of money to attackers, for the reasons listed above. Hospitals and medical facilities are caught in a special vise: while they need to secure the information, they also need to maintain quick access to it to maximize the delivery of healthcare services in hospitals and clinics where providers are often overtaxed and understaffed. The financial burden of paying a ransom, or a fine for non-compliance with updated security requirements, is heavy for an already struggling industry. Multi-factor authentication (MFA), which requires more than one piece of information to identify a user and then generates a one-time password for each login session, is a possible solution. Although it has its own problems and limitations, MFA is generally more budget friendly than the pay-out from ransomware or similar attacks, and it is currently used by universities and other large institutions.
Medical devices were listed as one of the top nine targets, as they are a potentially easy entry point for attackers. Healthcare technology is a rapidly changing landscape, with medical devices like x-rays, insulin pumps, artificial limbs, and defibrillators a normal part of modern healthcare. However, “new devices open up more entry points for attacks.” Medical devices fulfill specific purposes – like monitoring heart rates or dispensing drugs – and security is often not a concern in their design. Many state-of-the-art artificial limbs contain AI-driven knees and feet that are potentially hackable, and although the devices themselves do not store patient data, attackers can leverage them to launch an attack on a server that does hold this valuable and very specific information. “In a worst-case scenario, hackers can completely take over a medical device, preventing healthcare organizations from providing necessary life-saving treatment to patients.”
Additional risks to cybersecurity in the healthcare sector include the need for staff to work and access data remotely and collaboratively, creating more loopholes for attackers as more and more people connect to networks from a variety of devices, which may lack adequate security. With an overburdened healthcare staff working under stressful circumstances, there may be a lack of time and/or resources to add one more task – learning online security processes – to an already heavy workload. Mitigating online threats can feel burdensome to already overworked professionals operating in a high-stress environment, while being “responsible for massive amounts of patient data, plus an extensive network of connected medical devices.”
For the healthcare industry, Single Sign-On (SSO) is another possible solution; it means authorized users can access multiple applications using just one set of login information – keeping their working routines quick and straightforward without compromising security. Frictionless solutions like SSO and risk-based authentication (RBA) can offer adequate protection against online threats without disrupting how people work. Otherwise, according to Swivel Secure and other industry vendors, “outdated technology means the healthcare industry is unprepared for attacks.”
Health system leaders are asking for help to fight off hackers. However, insurers sometimes won't cover damages, and there are complaints that there is not enough government or law enforcement support.
Consider this: According to a report in Politico in 2022, 60% of healthcare organizations have raised prices to cover the expense of a breach. And the regulatory compliance and legal expenses can extend for years. Those costs are spilling over to the U.S. population, already burdened with inflation.
The best way forward for healthcare organizations is to acknowledge the severe threat of the cyberwar being waged, assess their situation, and plan and implement a security strategy tailored for the sector, providing staff with the tools and resources necessary to prevent a cyberattack. We already know from several sources that the lack of secure systems leads to a decline in the quality of patient care and the disruption of delivery of crucial healthcare services.
Every healthcare organization, no matter the size or number of employees, must prioritize security. Since email is one of the most frequent entry points for data breaches, organizations are advised to adopt a zero-trust approach.
Healthcare providers also have a legal obligation to protect patients and their PHI, especially when sending or receiving emails. Email security strategies and solutions need to address both cybersecurity and HIPAA compliance. According to Security magazine, this requires a three-fold approach to prevent a disastrous data breach:
At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. The people who run our most sophisticated systems, the military, have continued to entrust us with training some of these specialized cyber warriors. For the military, for educators, for the private sector, we continue to evolve and develop solutions with “hands-on” training. This hands-on approach is the most effective training and is crucial to attracting and keeping the critically needed people who defend our systems. Our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. These tools and our virtual environment are perfect for a mobile, remote workforce. People can train at their pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!