Protecting Employee PII – A New Strategy for Preventing Data Breaches in Healthcare

Updated on January 9, 2024

With this year likely to break records for the volume of data stolen by threat actors, data breaches are a problem for every sector. However, nowhere is this problem as pressing and urgent as in the healthcare industry. Since November 2020, cyberattacks against healthcare organizations have increased by almost 50%, according to Check Point, with researchers at Fortified Health Security noting that the healthcare industry accounted for the vast majority of reported data breaches that occurred in the first 10 months of 2020.  

While the healthcare sector has always been vulnerable to cyberattacks, the COVID-19 pandemic dramatically widened existing vulnerabilities. In the midst of rapid digitization, more healthcare staff began working remotely (often on their own devices) while fluctuating public health environments forced many to shift priorities from administrative functions to patient care. In this often chaotic atmosphere, hackers spotted a golden opportunity — and took advantage of it. From leaking the personal information of 2.1 million patients in the US to blackmailing psychotherapy patients directly in Finland, cybercriminals have demonstrated during the past 18 months that a successful healthcare data breach can result in immense real-world damage. 

Why Healthcare Organizations Are Uniquely Hard Hit by Data Breaches

Healthcare providers may not seem like obvious targets for cybercriminals but, for the vast majority of profit-motivated threat actors, healthcare organizations present an incredibly lucrative target. Patient information is incredibly valuable and, according to Trustwave, can go for as much as $250 per record on the black market. Compare that to the next highest-value record, a payment card, which fetches threat actors only $5.40 (and can sell for as little as 25 cents). The reason for such a dramatic difference in price is simple: the lifespan of a health record is much longer, and a malicious individual in possession of a health record can build an entire human persona around it.

However, hackers don’t just rely on black market sales to make a profit from a data breach. Many data breaches also combine ransomware with data exfiltration. Cybercriminals can therefore extort healthcare organizations twice: once for a decryptor and once in return for not exposing personal patient information online. Sometimes, they may also threaten the patients directly. Unsurprisingly, most hospitals and other healthcare providers pay the ransom demanded from them. Just last month, for example, a hospital in Massachusetts admitted to meeting cybercriminals’ demands to recover patient data. Whether the hackers actually destroyed the data they stole after receiving payment is another story. 

Aside from the monetary value of patient data, healthcare institutions are attractive targets for other reasons too. Financially motivated hackers tend to go for targets that are the easiest to infiltrate, and despite the sensitive information that healthcare holds and the critical function that hospitals have within our society, healthcare lags woefully in cybersecurity when compared to other industries. In a recent survey by the Healthcare Information and Management Systems Society (HIMSS), almost three-quarters of cybersecurity decision-makers employed in the healthcare sector in the US said their organization needs to increase funding to remain secure. Crucially, less than half said their organization would be able to make the financial investment necessary.

Add the recent increase in the use of IoT devices in healthcare and the fact that most organizations within the sector still run on legacy systems, and the reason why healthcare is a popular target is clear.

Pending Legislation Will Worsen the Impact of Data-Related Security Incidents

While data breaches can already be devastating for patient trust and provider reputation, they may also soon come with a regulatory sting. Nationwide, a suite of privacy legislation is currently in various stages of development at the state level across the United States. Leading the pack among what may soon be a checkerboard of privacy legislation is the California Consumer Privacy Rights Act (CPRA). Having passed the ballot last November, the CPRA is due to come into force in 2023. Not unlike its preexisting European equivalent, the GDPR, the CPRA will extend a variety of protections to consumers regarding how their data is used, shared, and protected from data breaches. For companies that fall under its remit, namely those above a certain revenue threshold or holding personal information from more than 100,000 California residents, failing to protect customer data can result in harsh financial penalties.

While provisions carried over from the preexisting CCPA mean the CPRA does not apply to protected health information (PHI) maintained or created by a covered entity such as a healthcare provider, other personal data may still be covered. Organizations holding information such as data purchased from consumer reporting agencies or marketing and community engagement data are likely to become subject to the CPRA. As a result, it’s vital for healthcare providers to remember that not all the information they hold is PHI.

Information such as health data collected from an app, employment records, or PHI used to create models or data sets that are not themselves PHI may be subject to the CPRA. With other states likely to use the CPRA as a model, healthcare organizations cannot assume that they will be immune from data protection legislation.

Employees Are the Most Vulnerable Vector of Attack

Against an increasingly hostile threat landscape, healthcare providers need to understand how major attacks gain access to their networks. Research by Stanford University and the security firm Tessian found that nine out of ten data breaches are caused by workers’ mistakes. Almost half of all employees in the study admitted to having done something that may have compromised their organization’s cybersecurity, with 25% saying that they clicked on a phishing email while at work. 

In healthcare settings, the human attack vector is even more acute. In 2019, for example, in a Journal of the American Medical Association study, researchers succeeded in getting one in seven healthcare workers to click on phishing emails with subject lines as varied as “Someone sent you a Halloween e-card” and “Mandatory online workplace safety training.” Naturally, emails that are relevant tend to see a higher open rate because they arouse less suspicion. In June 2020, for example, an email about COVID-19 benefits packages purporting to come from the “Department of Health” tried to trick healthcare employees into clicking on a malicious link. Crucially, benefits packages for healthcare staff do exist. Had the actual Department of Health not put out a warning, the email blast could have caused a lot of damage.

Phishing emails that are relevant and customized are the hardest to spot because they seem to come from a legitimate entity, be it a government department or an employer. In the Stanford University and Tessian study mentioned above, about half of the workers who said they fell for a phishing scam blamed it on the fact that it looked “legitimate” or appeared to come from a senior executive. This customization is made possible by cybercriminals scouring online sources such as social media and data broker sites to gather personal information.

How to Devise an Effective Anti-Breach Strategy

With their employees ultimately the biggest threat to their cybersecurity posture, healthcare organizations that want to minimize the risk of a data breach should draw up an anti-breach strategy that includes at least the following steps:

Create in-depth password policies

Whether obtained through phishing emails or some other means, compromised passwords are one of the main ways cybercriminals break into an organization. The Verizon 2021 Data Breach Investigations Report attributed more than half (61%) of all data breaches to credentials. When compromised passwords belong to users with privileged access to organizational networks, there is usually no way to stop an attack.

While every healthcare organization needs to comply with HIPAA, HIPAA’s password recommendations are purposefully vague to allow flexibility in policies and procedures between different healthcare providers. For this reason, more than half of healthcare organizations use the National Institute of Standards and Technology (NIST) framework when it comes to password protection.

Use multi-factor authentication 

According to Microsoft, multi-factor authentication (MFA) can protect employees against 99.9% of account compromise attacks. As long as healthcare staff enable MFA, their accounts should remain safe, even if their passwords are not.

Implement zero-trust security

MFA is not a silver bullet, which is why healthcare organizations should also implement zero-trust security. Zero trust rests on the idea that organizations should not trust anyone by default, regardless of whether they are inside or outside the organization’s perimeter, but should instead continuously verify the user’s identity. Introducing and adhering to zero trust can make it easier for healthcare organizations to avoid falling prey to a data breach.

Train your employees for phishing and other cyber incidents 

Going back to the Stanford and Tessian study, a third of workers say they rarely or never think about cybersecurity while at work. Taking the time to train employees on the latest cyberattack methods used by threat actors, including trending phishing scams and audio deepfakes, can therefore go a long way in helping them recognize a scam before it’s too late.

The American Medical Association study found that the more healthcare workers are exposed to phishing emails, the less likely they are to click on them. The first five simulations at hospitals saw a 25.1% median click rate. Ten simulations later, the median click rate decreased to 13.4%. 

Remove employee information from online sources

No matter how much training they undergo, it is likely that some employees will still click on phishing emails. The best thing healthcare organizations can do here is ensure cybercriminals don’t have access to the information necessary to personalize these emails. 

Providers should caution healthcare workers against oversharing on social media and other online sources and encourage them to remove their names from data brokers and people search sites. However, with healthcare staff already overworked and overburdened, expecting them to spend their spare time doing a digital audit may not be realistic. Instead, privacy-forward medical institutions should consider investing in a data removal tool for their employees that will remove their names from these sites on their behalf. 

Final Thoughts

Due to a combination of factors, healthcare organizations are already more vulnerable to cyberattacks than most other industries. Pending privacy legislation is likely to only make cybersecurity within this sector even more complicated. However, data breach prevention is still possible. 

With most cyberattacks the direct result of employee mistakes, putting into place an effective anti-breach strategy that focuses on in-depth password policies, MFA, zero-trust security, employee training, and data broker removal can help healthcare organizations better protect themselves in the ever-evolving threat landscape.

Rob Shavell is Co-Founder and CEO of Abine/DeleteMe.