The first reported cyberattack on a hospital system was detected as recently as five years ago; however, these attacks have swiftly inundated the industry. Today, “significant security incidents are a near universal experience in U.S. healthcare organizations with many of the incidents initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets,” notes the 2019 HIMSS Cybersecurity Survey.
Certainly, significant data breaches among retailers, websites, credit bureaus and other enterprises draw a lot of attention, but hackers have realized that healthcare providers also hold troves of information — much of which moves around from group to group in the process of delivering care — and the cybercriminals are taking action to obtain it.
Hackers Want Your Data — All of It
The 2014 attack against Franklin, Tenn.-based Community Health Systems reportedly began as a raid on intellectual property but soon shifted into a large-scale theft of patient data. Although no medical or financial data was stolen, hackers were able to access large amounts of personally identifiable information such as names, birthdates and Social Security numbers.
Just as cyberthreats continue to grow in number, they also advance in sophistication. Hackers are endlessly exploring methods, new and old alike, to take more data, causing turmoil for healthcare organizations and patients.
In its most recent study, HIMSS found that 74 percent of healthcare information security respondents reported experiencing a significant security incident in the previous 12 months — that number jumps to 82 percent when it comes to security incidents in hospitals specifically.
And while healthcare providers still face attacks from hackers seeking to infiltrate their IT systems, email has become the most common point of entry, according to HIMSS. This shift in entry points isn’t isolated to healthcare, though; it’s being witnessed across all sectors of enterprise IT.
In its 2019 State of the Phish Report, security company Proofpoint states that “cyber attackers are increasingly focusing their attention on people, not technical defenses.” In fact, 96 percent of the information security professionals Proofpoint surveyed said the rate of phishing attacks “increased or stayed consistent” compared with the prior year. The biggest jump was in spear phishing attacks — fraudulent emails sent to specific people with the goal of accessing information. Sixty-four percent of respondents experienced spear phishing, up from 53 percent the year before.
In healthcare, the primary targets of these phishing schemes are often nurse practitioners. Most of the time, the phishing attacks against nurse practitioners sought to install malware or gain credentials. Proofpoint found that hackers target nurse practitioners roughly three times as often as they target their second-most popular objective: the general communications inbox.
Look to Users to Protect Your Organization
In CDW’s latest Cybersecurity Insight Report, the company suggests that, with users on the front lines of this new generation of cyberattacks, organizations need to educate them about the risks, creating a security layer on top of technology.
“Almost all attacks are going to involve a user at some point. It’s going to involve a user’s lack of understanding, lack of applying security rules … It’s unfortunate, but we’re all human,” said Gabriel Whalen, CDW Principal Field Solution Architect, at the CDW Protect SummIT in Philadelphia. “It’s up to us to be proactive and watch for those threats.”
In healthcare, where, according to HIMSS, security incidents are detected by regular staff at almost the same rate as by an organization’s security team, it’s especially important that workers receive more security awareness training. It’s also important for healthcare organizations to use the tools at their disposal so they can better understand the threats.