Healthcare organizations continually face evolving cyber-threats that put patient safety at risk and expose protected health information (PHI). The resulting costs are substantial: restoring hospital systems, recovering patient data, and repairing the damaged integrity of the organization.
Although healthcare is a highly regulated industry, it experienced 300 data breaches in the first half of 2023* and has had the most costly security breaches of any industry for the last 13 years, at more than double the cost of any other industry.**
A contributing factor is that most healthcare organizations allocate less than six percent of their IT budget to cybersecurity and lack both resources and an inventory of their data assets***, along with the fact that many operate legacy IT systems and require data to be openly shareable.
In 2020 the OCR settled multiple HIPAA cases, resulting in penalties ranging from $10,000 to $6.85M, with settlements totalling over $13M.*
“Healthcare data is of high value. Most people know that, but far too many don’t truly understand what it takes to protect it.” – Tab Bradshaw, Chief Operating Officer, Redpoint Cybersecurity
Despite these frightening numbers, there’s a lot you can do to keep your protected health information safe. Awareness and the right cybersecurity team are your secrets to tight security.
* Health-ISAC 2023 State of Cybersecurity
** IBM Security, Cost of a Data Breach Report 2023
*** 2022 HIMSS Healthcare Cybersecurity Survey
Why Do Hackers Target The Healthcare Industry?
Healthcare organizations are specifically targeted by threat actors and are vulnerable because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors.
The targeted data includes patient protected health information (PHI); financial information such as credit card and bank account numbers; personally identifiable information (PII) such as Social Security numbers; medical research; and more. Stolen health records can sell for 10 times or more the price of stolen credit card numbers on the dark web, and PHI is the costliest and most commonly compromised record type. (2022 HIMSS Healthcare Cybersecurity Survey)
Modern healthcare relies heavily on interconnected systems and medical devices. If these systems lack adequate cybersecurity, they become entry points for intruders who can infiltrate the broader healthcare network.
When hackers pick their victims, it comes down to a balancing act of easy to infiltrate vs. high value data. Unfortunately, too many healthcare systems check both boxes.
It should be no surprise to say strong cybersecurity for healthcare is required.
The Unusual Threat of Medical Device Attacks
Researchers have observed a 59% spike in medical device security vulnerabilities over the last 5 years (Health-ISAC 2023 State of Cybersecurity), and since October 2023 the Food and Drug Administration (FDA) has required cybersecurity adherence in medical device designs before they can be approved for market.
Life-sustaining medical devices such as pacemakers, insulin pumps, and even hearing aids are now potential entry points for bad actors. While such incidents are rare, the fact that it’s possible prompted the FDA to take action.
What’s more common is for hackers to use someone’s personal medical device as their entry point into your healthcare organization’s network. According to the FBI’s 2022 Internet Crime Report, one concerning aspect of the targeting of healthcare is the recent attacks on surgical navigation technologies that are widely used by surgeons in operating rooms. A threat actor can exploit the software and then infiltrate your healthcare IT infrastructure.
The consequences of these attacks can be devastating, since they have the potential to prevent critical procedures from taking place. (FBI Internet Crime Report 2022)
Healthcare Cybersecurity Best Practices
There is still a lot a healthcare provider can do to improve cybersecurity at their institution. Following HIPAA guidelines for electronic health records must, of course, be your minimum. You can, however, introduce practices that exceed minimum HIPAA requirements.
Here are some proactive steps that the healthcare industry must adopt beyond HIPAA requirements to better ensure the confidentiality, integrity and availability of PHI and intellectual property.
Implement Regular Penetration Testing
This identifies vulnerabilities in the attack surface that can be remediated to mitigate risks.
Prioritize Patching Based Upon Known Risks
Tracking the current vulnerabilities and applying pertinent patches on a regular basis can significantly reduce the possibility of a successful cyber attack.
Develop Robust Third-Party Management
Ensure that vendors meet your organization’s security requirements, including the adoption of the FDA’s recommendation to follow a Security by Design methodology. Solutions from vendors that have adopted this methodology greatly improve the resiliency and security of medical devices and applications.
Leverage Binary Analysis Tools
This enables the generation of a Software Bill of Materials (SBOM), which can be used during penetration testing to uncover previously unknown vulnerabilities.
Zero-Trust Architecture
Zero-trust architecture is a security model that requires strict identity verification for every person and device trying to access resources in a private network, regardless of whether they are sitting within or outside of the network perimeter.
This model minimizes the risk of internal and external breaches by limiting access only to strictly authenticated personnel.
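The principle above, that network location never grants access on its own, is easiest to see as a policy check. The following is an added example and not code from the article or from Redpoint; the resource policy, the `Request` fields, the internal address range and the sample requests are all assumptions chosen for illustration.

```python
"""Added example (not from the original article): a minimal zero-trust access
decision for a clinical application. Every request is judged on the identity's
role, its authentication strength (MFA), the device's posture and the
sensitivity of the resource; the caller's network location is recorded for
logging but is never an allow condition. All names here are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the hospital's internal address space. Used only to label the
# decision; being "inside" earns no trust.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed: the minimum assurance each resource class demands.
RESOURCE_POLICY = {
    "ehr-records":    {"roles": {"clinician", "records-admin"},
                       "mfa": True,  "compliant_device": True},
    "cafeteria-menu": {"roles": {"clinician", "records-admin", "staff"},
                       "mfa": False, "compliant_device": False},
}

@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool
    device_compliant: bool   # e.g. disk encrypted, EDR agent healthy, OS patched
    source_ip: str
    resource: str

def evaluate_access(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default; every check must pass."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if not req.roles & policy["roles"]:
        return False, "role not permitted"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if policy["compliant_device"] and not req.device_compliant:
        return False, "device not compliant"
    location = "internal" if ip_address(req.source_ip) in INTERNAL_NET else "external"
    return True, f"allowed ({location} source, all checks passed)"

if __name__ == "__main__":
    # Constructed sample requests: an internal nurse station without MFA is
    # denied, while an external clinician with MFA on a compliant laptop is allowed.
    samples = [
        Request("nurse01", {"clinician"}, False, True, "10.20.4.17", "ehr-records"),
        Request("dr_lee", {"clinician"}, True, True, "198.51.100.7", "ehr-records"),
        Request("guest", {"staff"}, False, False, "10.1.1.1", "ehr-records"),
    ]
    for s in samples:
        print(s.user, s.source_ip, s.resource, "->", evaluate_access(s))
```

The point of the two EHR samples is the contrast: the request from inside the hospital network is refused, the one from the internet is accepted, because the decision is driven by identity and device state rather than by the perimeter.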
Endpoint Detection & Response (EDR)
Endpoint detection & response (EDR) is a tool that continuously monitors all connected endpoints and responds to threats when they are found.
Threat Hunting & Dark Web Monitoring
Threat hunting and dark web monitoring aren’t the same thing. However, there is some crossover between their functions. Both practices proactively seek threats before they can cause much damage.
Threat hunting involves actively seeking possible threats within a network. Dark web monitoring involves scanning known dark websites to detect compromised information. Here is a quick overview of how and why healthcare organizations can benefit from both.
 | Threat Hunting | Dark Web Monitoring
Objective | Identify and mitigate potential threats within the healthcare network. | Identify and alert on healthcare data being traded or sold on the dark web.
Methodology | Utilizes advanced analytics and AI to scan network activities and detect anomalies that may indicate a threat. | Scours dark web forums, marketplaces, and other platforms for mentions of the healthcare organization or data related to it.
Deception Technology
Deception technology is a type of cybersecurity that uses decoys to prevent or mitigate attacks and to gather information about the attacker. It involves the use of deceiving tech, such as honeypots, to divert attackers from valuable data and into a trap.
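The threat-hunting section above describes scanning activity for anomalies, and this section describes decoys that only an intruder would touch. The following is an added example combining both ideas, not code from the article or from Redpoint: it runs over constructed authentication log lines and flags any use of decoy accounts (a deception signal) and a burst of failed logins from one source followed by a success (a hunting signal). The log format, the decoy account names and the thresholds are assumptions.

```python
"""Added example, not from the original article: a small threat-hunting pass
over authentication log lines. Two findings are produced: any login attempt
against a decoy ("honeytoken") account that no real workflow uses, and a run
of FAIL_THRESHOLD or more failures from one source within WINDOW followed by
a success. Log format, decoy names and thresholds are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z auth src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed decoy accounts: they exist only to be tripped over, so any
# touch is a high-fidelity signal regardless of whether the login succeeded.
DECOY_ACCOUNTS = {"svc_backup_old", "dr_smith_archive"}

FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def hunt(lines):
    """Return a list of (finding_type, source_ip, user) tuples."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    findings = []
    # 1. Deception: any activity against a decoy account.
    for e in events:
        if e["user"] in DECOY_ACCOUNTS:
            findings.append(("decoy_account_used", e["src"], e["user"]))
    # 2. Anomaly: failures piling up from one source, then a success.
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e["ts"])
        else:
            recent = [t for t in fails[e["src"]] if e["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("spray_then_success", e["src"], e["user"]))
            fails[e["src"]].clear()   # a success resets the failure run
    return findings

# Constructed sample log: one password-guessing run that eventually succeeds,
# one benign login, one touch of a decoy account, and one garbage line.
SAMPLE_LOG = """
2023-11-02T03:10:01Z auth src=203.0.113.5 user=rjones result=FAIL
2023-11-02T03:10:09Z auth src=203.0.113.5 user=rjones result=FAIL
2023-11-02T03:10:17Z auth src=203.0.113.5 user=rjones result=FAIL
2023-11-02T03:10:25Z auth src=203.0.113.5 user=rjones result=FAIL
2023-11-02T03:10:33Z auth src=203.0.113.5 user=rjones result=FAIL
2023-11-02T03:10:41Z auth src=203.0.113.5 user=rjones result=OK
2023-11-02T03:12:00Z auth src=10.20.4.17 user=nurse01 result=OK
2023-11-02T03:15:44Z auth src=10.20.4.17 user=svc_backup_old result=FAIL
this line is garbage and should be skipped
""".strip().splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

In practice the decoy rule is the one worth wiring straight to an alert: a real user has no reason to know the account exists, so there is almost nothing to tune, whereas the failure-burst rule needs its threshold and window adjusted to the organization's own login patterns.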
Machine Learning (ML)
Machine learning (ML) is an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed. NGAV (Next Generation Antivirus) machine learning is particularly relevant to cybersecurity.
NGAV uses what it learns from past threats to adapt to new ones. This is far more powerful than traditional antivirus software, which merely compares files against a database of known malware signatures.
Why Healthcare Organizations Should Consider a Managed Cybersecurity Partner
Many of the sophisticated practices listed above require assistance from a Managed Security Service Provider (MSSP). A good MSSP will come equipped with advanced threat intelligence. Having experts who know how to stay ahead of hackers will help you pivot your cybersecurity practices to stay ahead of emerging threats.
Not All Cybersecurity Companies Are Up-to-the-Task of Managing Healthcare – Here’s One That Is
Most managed cybersecurity service providers will say they can handle high-stakes healthcare data. However, saying it and doing it aren’t always the same thing. Your healthcare business can’t take that risk. You need to work with someone who can prove they can protect precious patient data, not just say they can.
The Redpoint Cybersecurity team includes over 30 security experts with an average of 22 years of military cybersecurity experience. If the US government can trust us with classified data, you can be sure we’re up to the task of protecting your healthcare organization.
We’re also happy to provide HIPAA compliance consulting services, backed by our cutting-edge AI-powered assessment tool ACE (Assurance Compliance Engine).
Contact us today. Let’s talk about how we can secure your healthcare network.