When hackers lay their eyes on the sort of sensitive personal data collected and protected by hospitals and other healthcare organizations, they see dollar signs.
On the black market, a single credit card number might only fetch a price of 50 cents because there’s a short window of time in which to exploit the compromised data before a financial institution recognizes the breach, invalidates the account and issues the victimized customer a new payment card.
Hospitals, however, collect information that can’t be changed: Social Security numbers, birthdates, current and past addresses, next of kin. Because of its permanent nature, criminals can continue to exploit such compromised data for years, using the information to steal victims’ identities for financial gain.
Consequently, a single stolen record can command a price approaching $100. For obvious reasons, those circumstances mean that hospitals are a hugely attractive target for hackers.
The Immense Price of a Healthcare Data Breach
According to the 2018 Healthcare Information and Management Systems Society (HIMSS) Cybersecurity Survey, 76 percent of healthcare organizations surveyed experienced a “significant security incident” in the prior 12 months, incidents that stemmed from a wide variety of attack methods and motivations.
The plurality of those incidents (38 percent) stemmed from online scam artists engaging in activities such as phishing and spear phishing. Negligent insiders — well-meaning personnel with trusted access who inadvertently trigger a data breach — accounted for 21 percent of incidents.
Healthcare organizations face fines for breaches that don’t involve external actors. Most hospital breaches result from healthcare insiders looking up information about family members, friends, neighbors and acquaintances without authorization. Meanwhile, hackers were responsible for 20 percent of breaches, and nation state actors, hacktivists, social engineers and malicious insiders each accounted for between 2 and 5 percent of breaches. By a wide margin, email was the most common initial point of compromise for these incidents, with 62 percent of breaches resulting from a phishing email or similar attack.
Attacks are also launched via organizational or third-party websites, hardware and software preloaded with malware, infected mobile or medical devices, and compromised cloud providers — but none of those attack vectors triggered more than 3.2 percent of the total number of breaches.
Nearly half (47 percent) of those attacks were caught within a day, while another 21 percent were sniffed out within a week. Still, roughly 4 percent of attacks took between a week and a month to catch, while 5 percent took between one and three months to detect. A handful of attacks weren’t caught for four, seven or even 12 months.
Somewhat worryingly, only 41 percent of attacks were caught by organizations’ internal security teams. Most were caught by other team members and third-party vendors, and 3 percent were discovered and reported by patients themselves.
Ransomware Skyrockets for Hospitals and Care Organizations
Cyberattacks are such a problem for healthcare providers that the ECRI Institute ranks ransomware and other cybersecurity threats No. 1 in its “Top 10 Health Technology Hazards for 2018,” above issues such as missed alarms, improper cleaning of equipment and radiation exposure from imaging tools.
“In a healthcare environment, a malware attack can significantly impact care delivery by rendering health IT systems unusable, by preventing access to patient data and records, and by affecting the functionality of networked medical devices,” the report states. “Further, such attacks can disable third-party services, disrupt the supply chain for drugs and supplies, and affect building and infrastructure systems.”
It is with good reason that the report calls out ransomware. Some experts say such attacks rose by roughly 89 percent in 2017, while other reports say ransomware accounts for 85 percent of all malware in the healthcare industry.
According to CDW’s Cybersecurity Insight Report, last year’s WannaCry virus, a “virulent strain of ransomware,” spread across organizations’ networks by exploiting vulnerabilities in Windows computers, causing billions of dollars in damages and “crippling” healthcare facilities throughout Britain.
Devices and Efficiency Make Healthcare a Prime Target for Hackers
Part of the reason healthcare organizations are such frequent targets is that many medical devices use older technologies that are more vulnerable to attacks. In 2017, one publication even dubbed medical devices “the next security nightmare.”
A report on cybercrime in healthcare, also published in 2017, takes an in-depth look at the factors contributing to the prevalence of attacks in the industry. It notes that hospitals and other healthcare organizations often prioritize operations and efficiency over cybersecurity, leading to a lack of safeguards protecting digital assets.
Many organizations, the authors say, simply lack the proper staff to handle digital threats and implement basic protection measures, such as two-factor authentication and encryption. When digital healthcare assets such as electronic health records are attainable, they prove to be irresistible to hackers due to the range of profit-making activities they enable.
Criminals can use data stolen from EHR systems, the report notes, to not only procure prescription drugs, create fake identities and obtain medical insurance, but also to create birth certificates and file fraudulent tax returns. HIPAA standards and other data safety regulations exist to help ensure organizations take steps to protect sensitive data against this growing array of cyberthreats.
However, mere compliance is often not enough to keep patient data safe. Those standards and safety regulations should be seen as the bare minimum. To rise to the challenge of today’s threat environment, healthcare providers must evolve and mature their security postures beyond what is required by external regulators.
Learn how to best prepare your healthcare organization for looming cyberthreats by reading the CDW white paper “Ensuring the Security of Patient Data.”