No industry was more affected by the COVID-19 pandemic than the healthcare industry. While stories of frontline worker heroics and employee shortages took center stage, another important story has been brewing over the last few years — the significant increase in cybersecurity attacks in the healthcare space.
With stay-at-home orders and social distancing requirements in place throughout 2020, many healthcare systems were forced to rapidly adopt healthcare technology that allowed for telemedicine and the remote monitoring of patients. The way patients received care dramatically shifted with 46% of patients taking advantage of telehealth in 2020. That means a significant amount of patient data became accessible digitally. Because hospitals and healthcare systems needed to quickly get this new technology up and running, security was often not prioritized. The result has been an increase in successful cyberattacks across the healthcare industry.
In 2020, 34% of healthcare organizations were hit with ransomware. This isn’t a recent uptick in attacks either. Between 2016 and 2021, the number of ransomware attacks on hospitals more than doubled and by 2022, healthcare organizations around the world were hit with an average of 1,463 cyberattacks per week, up 74% compared to 2021. Overall, more than 40 million Americans' medical records were stolen or exposed in 2022 due to security vulnerabilities in electronic healthcare systems according to USA Today.
Healthcare continues to be one of the most vulnerable industries when it comes to data breaches, with phishing and ransomware remaining some of the most popular types of attacks. This is largely because adversaries don’t discriminate. The criminals aren’t just focusing on large enterprise healthcare companies. The lean security budgets and small IT departments at mid-sized hospitals and clinics make them enticing targets.
Fortunately, there are a number of low-lift, cost-efficient ways smaller healthcare operations can enhance their security posture. Step one is understanding what makes them so vulnerable.
Why the healthcare industry is under attack
Though cyberattacks are increasing across all industries, there are several factors that make healthcare particularly susceptible, starting with the lack of resources needed to set up appropriate defense systems.
- Minimal resources: Understandably, the majority of hospitals’ budgets are dedicated to overhead, medical staff, and the medical equipment needed to provide patients with quality care. But that means very little is left for IT and cybersecurity. In fact, the healthcare industry as a whole invests less than 6% of its budget on cybersecurity. Attackers know that healthcare systems lack the expertise, budget, and staff to defend themselves.
- Outdated software: Many of the leading hospitals and healthcare systems are operating on outdated software. One study found that 83% of medical imaging devices are running on unsupported operating systems. Making things worse, the sophisticated IoT devices used by hospitals, which house massive amounts of data, are running on these outdated, unpatched systems, leaving them open to attack.
- IoT devices and telehealth: When hospitals were forced to resort to telemedicine and IoT devices to remotely monitor patients during the pandemic, it opened the door for new attacks. According to Cynerio’s State of Healthcare IoT Device Security 2022 report, 53% of connected devices are at risk of a cybersecurity attack with IV pumps (38% of a hospital’s IoT footprint) and VoIP systems (50%) being the most vulnerable.
- Valuable data: Obvious vulnerabilities are only half of the equation. Bad actors are also looking for something valuable to steal or hold ransom, and that’s where hospitals can really deliver. Healthcare systems are the perfect target for ransomware attacks because patients’ lives depend on hospitals having access to their personal health information and keeping systems operational. According to the Identity Theft Resource Center 2022 Data Breach Report, patients’ personal information (including their social security numbers) and medical history, condition, treatment, and diagnosis information were the most compromised data in 2022 cyberattacks. Their bank account numbers, medical insurance account numbers, and medical provider accounts were also acquired.
The unexpected costs of a breach
Regardless of the size of your operation, the financial costs of a security breach can be devastating. According to the National Cyber Security Alliance, 60% of companies that have experienced a data breach go out of business within six months. A 2022 report by IBM Security estimates that the cost of the average healthcare breach comes in at $10.1 million. A good chunk of those costs is attributed to system shutdowns.
Healthcare organizations also need to comply with HIPAA requirements and could face hefty fines if a breach occurs, even if it’s due to the lax security of a third-party business partner. The Department of Justice and Federal Trade Commission recently imposed a $1.5 million penalty on telemedicine and prescription drug discount provider GoodRx for leveraging third-party tracking pixels that gathered sensitive data and used it for advertising purposes.
Finally, cyberattacks can have serious repercussions when it comes to reputational damage and lost business. Beyond the frustration patients may feel toward the invasion of privacy, a data breach may compromise the quality of care a provider can offer. A 2022 study conducted by the Ponemon Institute found that cyberattacks often delayed tests and procedures that resulted in negative patient outcomes, including an increase in the severity of an illness (according to 54% of respondents), longer hospital stays (51%), and an increase in mortality rate (23%).
What small and mid-sized healthcare businesses can do to improve cybersecurity
Step one for hospitals, clinics, and others in the healthcare space is acknowledging that they are vulnerable to attack. It’s not a matter of if an attack happens, but when. That means they need to be ready to defend themselves when the attack comes. And that starts with investing in the cybersecurity basics.
- Foundational coverage: At a minimum, every company needs to invest in email protection, endpoint protection, endpoint detection and response, and privilege account abuse detection. Companies should also invest in cyber insurance and an incident response retainer to ensure they get back online as quickly as possible.
- Data encryption: Because IoT and telehealth devices are storing massive amounts of data, including personal and financial information, photos, patient vitals, and health history records, it’s essential to protect that data and ensure it’s encrypted both in transit and at rest.
- Backup availability: Healthcare systems and hospitals cannot afford to be offline for even a minute. So it’s essential to regularly back up data and have a data recovery system in place to ensure providers have access to patient data and that the facility can continue to operate even in the case of a ransomware attack.
- Two-factor authentication: Today, two-factor or multi-factor authentication is a must-have regardless of business size or industry. In an ideal world, both hospital staff and patients would need to sign into their accounts via MFA that’s beyond just passwords.
- HIPAA Business Associate Agreements (BAA): Almost all hospitals and healthcare systems are using outside vendors to support their technology, which includes everything from IoT devices to email. Those third-party vendors have access to all the data that passes through the technology. In order to meet HIPAA requirements, hospitals must obtain “satisfactory assurances” from their business associates that they will appropriately safeguard the PHI they receive or create on behalf of the covered entity (HHS, 2017). That “satisfactory assurance” must be in writing, which is where a BAA comes in.
- Education: Most security breaches are a result of human error, so even the best technology won’t provide complete protection. According to a Kaspersky study, only 32% of IT respondents in healthcare said that they are aware of their organization’s cybersecurity policy and have read it only once. It’s essential to host regular cybersecurity training that covers topics like password security and how to use multi-factor authentication.
Unless you have a robust in-house cybersecurity team, you’ll need to outsource at least some of your security efforts to an outside vendor. When patients’ lives depend on your systems being operational 24/7, you need a partner who can provide that same amount of monitoring and response services. In an ideal world, that partner would also provide the necessary tools and technology needed to secure your organization and review your cybersecurity plan to make sure it’s airtight.
While it’s rare to find such a partner, SolCyber is up to the challenge. Our Foundational Coverage ensures small businesses in the healthcare sector have everything they need and nothing they don’t. And we can get you up and running in days!
Ready to become cyber resilient? Reach out to the experts in cybersecurity to see how we can help.
Follow us on the following social platforms!