The healthcare sector is the top target for hackers and cybercriminals, with hospitals accounting for almost a third of all major data breaches. Many of these relate to the theft of patient data—data which can be sold illegally or used for blackmail, amid an alarming rise in the use of ransomware.
Cyber-attacks (considered ‘missile attacks’) cause significant damage and it is incredibly challenging to either track down the perpetrators or prevent future attacks. It’s not just an inconvenience: cybersecurity attacks against the healthcare industry have cost the sector $25 billion over the past two years – and of course, healthcare is one of the industries most affected by disruption, with the lives of patients and vulnerable people at risk.
But why is healthcare such a big target, and what can be done to mitigate the threat?
Healthcare: An Attractive Target for Cyber-Criminals
Health insurer Anthem experienced a data breach in 2015 that saw the medical records of around 80 million people compromised. This gives some impression of the size of the prize that healthcare represents to criminals (and equally, the scale of the threat that cybersecurity poses to the industry). Information from private patients can be worth huge sums to attackers.
However, healthcare is attractive not just because of the amount of data available but because of the ease with which systems can be penetrated. Although healthcare companies and providers aim to be the pinnacle of innovation when it comes to treatments, equipment, and therapies, they often use outdated technology for their administrative systems. As systems reach end-of-life, any support (in terms of updates and patches) is likely to be withdrawn.
In addition, medical devices can be an easy point of entry for hackers. Unlike PCs, laptops, or even cell phones, medical devices are not built with security in mind—they have one primary purpose which relates to the treatment or monitoring of patients. If attackers are able to move laterally through the network, these devices can act like an open back door.
The Wide-Ranging Impact of Cyber-Attacks on Healthcare
Alongside water, electricity and transport, the healthcare sector is considered critical national infrastructure. For malicious hackers whose only aim is to cause chaos—for example, a hostile foreign power—this makes it an especially attractive target.
The most obvious effect of a cyber-attack is the disruption of patient care. The loss of health records (or even temporary loss of access to them) can mean healthcare professionals are unable to effectively provide appropriate medicine or care to those in need.
More frighteningly, attackers can potentially move laterally through the network, spreading malware across interconnected medical devices or equipment. This can include lasers, ventilators, x-ray machines and much more. The possibility of direct harm to patients is alarming to consider.
Investing in Cybersecurity Can Prevent Future Attacks on the Healthcare Industry
Investing in healthcare is about supporting patient care and therefore industry leaders will be keen for any financial outlay to be patient-centered. Supporting patients, however, means investing in cybersecurity—a fact of which the industry is becoming more aware. The sector is predicted to have spent a staggering $125 billion on cybersecurity between 2020 and 2025. Driving this is an increase in remote care—a development accelerated by the COVID-19 pandemic, which has seen more consultations taking place over the phone or online, with some patients even sent home with devices to monitor their conditions.
There are a number of steps that the healthcare industry can take to mitigate the risk of cyber-attacks, with a huge opportunity to invest in AI, tech, and software to increase security. Healthcare organizations need to be overhauling their outdated IT systems and employing techniques like seamless backup, offline storage and restoration. It’s also vital that they regularly apply updates and patches to any security software, replace obsolete systems, and periodically strength-test the whole IT infrastructure using vulnerability assessments and penetration testing.
One of the simplest and yet most effective measures in preventing a data breach is the introduction of Multi-Factor Authentication (MFA). MFA is a method of authenticating users as they access a system and often involves a one-time access code being sent to a mobile phone or other device—some of us may be familiar with this from online banking. It’s important to introduce MFA across multiple systems to prevent a hacker from moving laterally across systems and devices to cause maximum damage.
Investing in healthcare also means thinking about staff. Healthcare staff need to be trained in cybersecurity, yet healthcare is an industry well known for already having some of the most overstretched members of the workforce. They may have limited time or inclination to be learning new systems and processes. Therefore, any solutions need to be straightforward to integrate.
A Difficult Challenge That Must Be Surmounted
Dealing with the healthcare cybersecurity challenge is not going to be easy. It’s impossible to control what every single healthcare worker does—and after all, it only requires one staff member to click on the wrong link or neglect to follow a certain protocol to potentially disrupt the whole system. Recent research indicates that 88% of healthcare workers have inadvertently opened a ‘phishing’ email.
The problem must be tackled. Organizations across the sector need to consider how they can encourage investment in new healthcare-based technologies which increase cybersecurity. Equally, investors should consider cybersecurity issues when evaluating new potential portfolio companies. This can include checking in-house cybersecurity at medical facilities or doing due diligence on the software protocols and protection of a healthcare tech startup.
These breaches are more than just cyber-attacks; they put lives at risk by compromising patient care. As an industry known for rapid development and technological advances, it is time for a total upgrade.
Matthew Eitner serves as Chief Executive Officer of Laidlaw & Company UK, a New York-based healthcare-focused investment bank. Through his expertise in equity training, Eitner successfully expands equity positions in the healthcare sector. Prior to his position at Laidlaw, Eitner served as vice president of Casimir Capital and managing director of Aegis Capital Corp.