While cybersecurity threats continue to increase in healthcare, the sheer volume of attacks only represents one part of the challenge. Cybercriminals are applying their creative skills to devise novel ways to breach defenses through increasingly targeted and sophisticated attacks.
The rise of security incidents, such as the notorious WannaCry ransomware or the recent proliferation of cryptocurrency coin miners, is a timely reminder that not only is the volume of attacks increasing, their diversity is expanding as well — and so is the risk of them disrupting care delivery.
For the healthcare industry, this shines a light on the larger transformation that's occurring as organizations shift from a narrower, compliance- and HIPAA-focused approach to a more comprehensive and security-centric strategy.
Healthcare Attack Vectors Continue to Expand
Exploiting the software supply chain is a new tactic favored by cybercriminals — and one that is particularly dangerous for healthcare organizations, as this industry has a high degree of reliance on a network of partners. Attackers may choose a supply-chain-based attack when they are unable to breach the actual target organization, or when they want to target the larger industry via one of its key suppliers.
This type of backdoor attack is a significant threat for healthcare organizations, as hackers have a much broader base of possible breach points with which to work. Also, supply chain attacks may be able to stay under the radar as they come in via a trusted channel. These attacks typically take one of three forms:
- A hacker may hijack a supplier’s domain and direct traffic to another, infected domain.
- An attacker may attempt to directly compromise the software of a supplier. This is a particularly difficult attack to defend against, as once the software is infected it is signed with the manufacturer's certificate, meaning any receiving systems checking for valid certificates may become exposed.
- Attackers may also choose to target third-party hosting services. Websites associated with the host may become infected and spread that infection to other organizations along the supply chain.
Because healthcare has such high exposure to third-party services and business partnerships, it faces a high degree of exposure to these kinds of attacks.
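The second attack form above is the one a receiving organization can most directly defend against: a valid vendor signature proves only that the vendor's key signed the bytes, not that those bytes are the build the organization vetted. The check below is an added illustration, not code from this article or from any vendor or product it mentions. It assumes a hypothetical scenario in which a vendor's signing key and build pipeline are both compromised, uses HMAC-SHA256 as a stand-in for real certificate-based code signing, and uses constructed sample bytes for the "vetted" and "tampered" builds. Acceptance requires both a valid signature and a match against the SHA-256 hash that was pinned when the release was approved, so a trojanized build that is correctly signed is still rejected.

```python
import hashlib
import hmac

# Constructed scenario (hypothetical): the vendor's signing key is assumed
# stolen along with its build pipeline, so BOTH builds below carry a valid
# vendor signature. HMAC-SHA256 stands in for real code signing here.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-signing-key"

# Constructed sample artifacts, not a real product. The receiving organization
# pinned the hash of VETTED_BUILD when it approved the release.
VETTED_BUILD = b"monitor-agent v1.2: vetted release bytes"
TAMPERED_BUILD = b"monitor-agent v1.2: vetted release bytes + injected payload"

# Allowlist maintained by the receiving organization: release name -> SHA-256
APPROVED_HASHES = {
    "monitor-agent v1.2": hashlib.sha256(VETTED_BUILD).hexdigest(),
}


def vendor_sign(artifact: bytes) -> str:
    """Stand-in for the vendor's signing step (HMAC instead of a certificate)."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str) -> bool:
    """Check the vendor signature in constant time."""
    return hmac.compare_digest(vendor_sign(artifact), signature)


def verify_artifact(name: str, artifact: bytes, signature: str) -> dict:
    """Accept only when BOTH checks pass: a valid vendor signature AND a match
    against the hash pinned when the release was vetted. Returns the
    individual outcomes so a deployment log can record why something failed."""
    sig_ok = signature_valid(artifact, signature)
    digest = hashlib.sha256(artifact).hexdigest()
    # Unknown release names get an empty expected hash and therefore fail.
    pin_ok = hmac.compare_digest(APPROVED_HASHES.get(name, ""), digest)
    return {
        "signature_valid": sig_ok,
        "hash_pinned": pin_ok,
        "accepted": sig_ok and pin_ok,
        "sha256": digest,
    }


if __name__ == "__main__":
    for label, build in (("vetted", VETTED_BUILD), ("tampered", TAMPERED_BUILD)):
        result = verify_artifact("monitor-agent v1.2", build, vendor_sign(build))
        print(label, result)
```

Run stand-alone, the vetted build is accepted while the tampered build reports a valid signature but a failed hash pin and is rejected. In practice the pinned hashes come from the release the organization actually tested, recorded out of band from the vendor's download channel, so a hijacked domain or compromised hosting provider cannot simply ship a new hash alongside a new binary.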
Healthcare Industry Breach Trends in 2018
The U.S. Department of Health and Human Services requires that security breaches involving the data of more than 500 people be reported within 60 days of discovery. HHS investigates these breaches and posts them on the HHS OCR Breach Portal, providing useful data that can be analyzed to understand security trends in healthcare. According to the data, in 2017, the overall number of security breaches within the healthcare space rose by about 10 percent, which is largely in line with historic trends. The number of actual records breached, however, dropped significantly.
In terms of where these breaches are occurring, 90 percent of breached records were attributed to healthcare providers — meaning that, even though the absolute number of breaches has decreased, the proportion of breaches reported by providers is growing relative to health plans and business associates.
The industry’s approach to security is changing, though. A study conducted by HIMSS Analytics and Symantec revealed that:
- Eighty-two percent of participating healthcare organizations said that cybersecurity policies are discussed at the boardroom level, yet only 40 percent said cybersecurity is a regularly scheduled item.
- The top three drivers for cybersecurity investment among healthcare organizations are risk assessments, HIPAA compliance and security or financial audits.
- Seventy-five percent of healthcare organizations are still spending six percent or less of their IT budgets on cybersecurity — a lower number than more security-mature industries, such as banking and finance.
- Budget, staffing and skill set were the three most significant barriers preventing healthcare firms from achieving a higher level of security.
These results indicate that, while cybersecurity concerns are now being viewed as a strategic organizational priority, implementation is still being done in something of an ad hoc fashion. Healthcare organizations are increasingly understanding that cybersecurity must extend beyond mere HIPAA compliance. A strong security program should be nimble, but also broadly focused — a realization that is beginning to take root within the healthcare industry.
Medical Devices Pose Notable Security Risks
Medical devices are increasingly understood as an emerging cybersecurity risk, which makes them one of the more interesting security topics in the healthcare field. According to a recent Ponemon Institute study, 80 percent of device-makers and healthcare delivery organizations rate the level of difficulty in securing medical devices as very high. Meanwhile, 67 percent of device manufacturers and 56 percent of healthcare organizations are expecting a security breach of a device over the next 12 months.
The prospect of hackers taking control of medical devices or impacting their functionality is a frightening proposition. Malware infections from software installed on these devices could lead to inappropriate therapies or treatments being delivered to patients.
In addition to compromising patient safety, malware on medical devices can result in interruptions of care delivery, additional infections to the larger security network or other issues that could seriously impact the business of care delivery. Though the complexity of many medical devices and device networks makes cybersecurity an even greater challenge, the potential for serious risk to patient safety should make this an area of keen emphasis moving forward.
Healthcare Security Best Practices for Providers
The presence of skilled and highly active groups of malicious actors is a threat that must be taken seriously. Hospitals, prominent corporations and even city governments have fallen victim to sophisticated ransomware attacks in recent years. Instead of focusing primarily on HIPAA compliance, healthcare organizations must now confront pressing threats from organized collectives of cybercriminals, hackers for hire, and, possibly, nation states.
To help meet these significant challenges, healthcare organizations should:
- View cybersecurity as a business risk rather than just a technical challenge.
- Address security at the board level and do so on a regular basis.
- Educate employees across the organization to be cyber aware and provide training according to their roles and responsibilities.
- Focus on hiring and retaining qualified staff.
- Create new roles, such as Medical Security Officer or Medical Device Security Specialist, to address specific security challenges.
- Consider security implications when purchasing equipment.
- Implement and test cybersecurity incident response protocols.
Organizations that incorporate steps such as these into their overall cybersecurity frameworks will be best positioned to successfully navigate the challenges that await.
With security threats increasing and becoming more diverse and dangerous in nature, cybersecurity has never been more challenging — or more critically important. In order to keep pace, healthcare organizations should focus on the steps outlined above. These practices will ultimately help develop a nimble, comprehensive and effective cybersecurity posture for the healthcare community.