Cyberattacks are becoming a severe problem in healthcare. With hackers taking advantage of vulnerabilities in hospital systems to steal sensitive patient data and disrupt operations, cybersecurity has become a matter of life and death. To ensure the security of patient information and healthcare services, healthcare organizations must take steps to protect themselves from such attacks.
According to the HIPAA Journal, over 5,000 data breaches were reported to the Office for Civil Rights between 2009 and 2022, leaving over 314,063,186 healthcare records exposed. While health tech and healthcare advancements have come a long way, cybersecurity has room for improvement. The industry struggles to adopt new technology and infrastructure, and faces an ongoing mindset of “if it works fine, don’t touch it.” Unfortunately, a perspective such as this puts consumer data and privacy at considerable risk.
Although healthcare is a governed industry, regulatory requirements are lagging, and there is a significant need for HIPAA to provide updates that keep up with the changing technology and threat landscapes.
Make Cybersecurity Essential to your Healthcare Organization
The impact of cybersecurity attacks has become far more drastic, not just in healthcare, but as a point of concern for every industry and vertical. Consider the 2021 Colonial Pipeline ransomware attack, named one of the largest-scale cybersecurity incidents affecting critical infrastructure to date; the incident changed the cybersecurity landscape, spurring unprecedented government action. The incident also reminded business leaders in all sectors of the fragility of their infrastructure. In the healthcare sector, incidents, breaches, and attacks on hospitals have caused outages and exposed patient information, including names, healthcare member IDs, and information provided during health assessments.
Unfortunately, many organizations still fail to view information security as essential to their organization and mission. Often, the reason for this is that there tend to be more people from a medical background leading the organization than from a technology background. There must be a healthy mix of medical and technology leaders in a modern healthcare organization to ensure understanding and buy-in. Giving IT security leaders a seat at the executive leadership table along with your medical team – especially when it comes to budgeting and planning – allows the benefits of cybersecurity defenses to be heard and understood by all key decision makers in the organization.
Potential Vulnerabilities and Blind Spots
Medical leaders still require guidance to identify and understand the potential impacts of attacks. Hospitals have gained notoriety in cyberattacks, especially over the last couple of years, with an estimated 25% of ransomware attacks aimed at the healthcare industry in 2022. Many industry leaders attribute the rise in attacks to the fact that healthcare organizations are typically slower to evolve. Unfortunately, cybercriminals are not. Threat actors act fast and aggressively on weak spots where it is possible to make a quick profit.
Cybercriminals have learned that healthcare organizations are willing to pay hefty amounts to get systems back online, and have valuable patient information that they could sell, which has made healthcare organizations a profitable target. Even in 2023, many healthcare organizations are at a crossroads when considering how they will merge their legacy processes with technology. Healthcare organizations, and often private practices, are still compiling patient data into paper records, which are then converted to an electronic format. These conversions introduce significant risks and can create liabilities for specific privacy and security regulations within HIPAA.
Recent reports reveal that at least 70% of healthcare providers still exchange medical information by fax, according to federal officials. When making the conversion, it is essential to know how to store and protect documents safely, understand the privacy and security rules, and adequately protect the files once they are transferred to the appropriate location.
Once healthcare organizations identify the vulnerabilities that create potential points of attack, they must work to understand how to effectively address and defend against these threats from multiple angles:
- Vulnerability testing against the current technology in place is crucial to ensuring that your systems and tools are working to prevent a cyberattack.
- Governed by individual organizations, security awareness training is an area where there have been massive improvements.
- These trainings ensure people within the health organization are aware of the types of attacks and how to handle them properly.
- Knowing how to identify phishing emails, suspicious activity, or even attempts to compromise facilities is essential.
- This information is a significant first step for organizations that cannot spend on software and hardware changes.
- There is a need for the Office for Civil Rights to play a role in the defenses against cybercrime and data breaches.
- When it comes to penalties for violations of HIPAA compliance and data breaches, stronger stances and consequences must be created to deter cybercriminals from attacking a healthcare institution in the first place.
It is clear that healthcare organizations have been, and will remain, a top target for cybercriminals. While knowing the right technology and defenses to put in place is crucial, it starts with having the right voices in leadership to express the need for more investment in protecting against attacks and identifying and understanding the weak spots in your organization that need attention.
Jordan Mauriello is chief security officer at Critical Start, with a background ranging from penetration testing and malware reverse engineering to physical security, executive protection and training. His technical expertise includes security event monitoring and correlation, vulnerability research, and penetration testing. Jordan spent four years in the U.S. Navy and also worked at the Department of Defense, deploying in support of our current operations in the Middle East. Following his military and government positions, Jordan moved to the private sector and spent eight years at Experian Information Solutions helping to build and lead the Global Security Operations Organization.