Healthcare professionals push the boundaries of medicine, bringing us the latest advancements while keeping us alive and healthy.
With all this responsibility, security often falls by the wayside. But why are healthcare information systems such a frequent target for security threats?
This article explores some of the reasons, the most common threats in the industry, and defensive measures that can secure your organization.
Top Reasons Healthcare Information Systems Are a Target For Cyberattack
The healthcare industry is no stranger to cyberattacks, and public health systems have suffered some of the most devastating attacks in recent memory.
Some industry reports have put the cost of ransomware alone at $20 billion in downtime in 2020.
Figures like these are shocking, but there must be a reason the healthcare industry is such a popular choice for attackers, and this section explores why.
1. Valuable Sensitive Information
Without a doubt, the most apparent reason attackers seek out the healthcare industry is its sensitive personal data.
Personal healthcare data is among the most valuable data a criminal can obtain; black market prices of up to $1,000 per record have been reported.
In purely economic terms, a healthcare record is worth more to an attacker than almost any other kind of personal data.
One of the reasons healthcare records are sought after is that one record contains a treasure trove of personal data. One document can contain:
- Name and address
- Date of birth
- Social Security Numbers
- Insurance Numbers
- Special categories of data, such as ethnicity or genetic data
- Financial data like credit cards
- Insurance plans
Taken together, these fields make a single record a complete identity kit, which is exactly what black market buyers pay for.
What happens to the data after it is stolen is often unclear. Buyers may use it for identity theft, or build identities around it to obtain medical equipment or services under someone else’s name.
Whatever the case, it is difficult to trace what has happened to the data once stolen, and unlike a payment card it cannot simply be cancelled and reissued. In some cases, it only surfaces years later.
2. Weak Security Infrastructure
The dream of an attacker looking to make a quick buck is inadequate security, and the healthcare industry is lacking in that department.
The industry is notorious for inadequate security. This is less a failing of the industry than a budgetary constraint. Hospitals in particular run very tight budgets, especially in countries with socialized healthcare.
Every penny is accounted for, and hospitals will often run a deficit to keep operating. It is no wonder that a security budget is difficult to negotiate, although it is increasingly becoming a regulatory requirement in some countries.
Even with regulators setting security requirements for the industry, its IT security infrastructure is still playing catch-up, and retrofitting a security architecture onto a running hospital is time-consuming and costly.
Attackers know this and will often find a way around thin technical controls, and in some cases organizational ones too. This is not an easy fix, as the following sections show.
3. Large IT Infrastructure
One of the reasons fixing the weak security infrastructure is challenging is the sheer size of the IT estate.
Many operators run massive information systems with hundreds or even thousands of devices and endpoints.
Each endpoint or device is a potential point of entry. The problem is compounded by the variety of software medical devices run, much of it embedded and not something the hospital can modify without vendor involvement. A heart rate monitor does not run the same software as an MRI scanner.
This complicates technical security implementation: each class of device needs its own approach to patching, monitoring and access control. Corporate IT security tends to be more uniform because purchasing decisions have to fit the existing architecture.
In healthcare, purchasing decisions are driven by patient safety and clinical workflow first, and how a device fits the security architecture is often a distant consideration.
4. Weak Staff Security Awareness
Imagine yourself in the shoes of a healthcare professional. The stress that comes with the job tests even the most resilient people.
These professionals are focused on keeping patients alive and healthy. Juggling that responsibility leaves little time for anything else, and security is one of the things that gets squeezed out.
Security awareness tends to be much lower in the healthcare industry for this reason; it simply isn’t a priority. Unfortunately, that can end up harming patients in other ways.
Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) put pressure on the industry to ensure that hospital management takes security awareness seriously.
Even so, it remains a weakness attackers exploit readily. They target the gap between operational and security knowledge: staff may know the clinical system well yet be unable to tell an attack (a phishing e-mail, a fake login prompt, an unexpected lockout) from an ordinary technical problem.
5. Outdated Technology
On top of its massive IT estate, healthcare also runs a great deal of outdated technology, which further complicates the security architecture.
Many modern security tools cannot interface with older systems. As a rule, you should not run systems or software the vendor no longer supports.
Once support ends, newly discovered vulnerabilities in that product will not be patched, whether or not the vendor is still in business. Unless you can fix the flaw yourself, or isolate the system so the flaw is unreachable from the rest of the network, attackers will eventually find it.
Healthcare organizations are full of old technology, mainly in the form of devices. Hospitals operate on the principle of “if it ain’t broke, don’t fix it.” A heart rate monitor from the ’90s still monitors your heart rate, and does a pretty good job of it.
But if it still talks to the network the way it did in the ’90s, with no authentication or encryption, it’s like using paper to protect yourself against fire.
Again, this is a budgetary issue more than anything else. Spending on expensive modern technology is reserved chiefly for life-preserving equipment, like good MRI scanners, and rightly so. But it becomes a toss-up between security and penny-pinching (ironically, penny-pinching costs more in the long term).
6. Healthcare Data Portability and Similar Conveniences
The healthcare industry relies on data sharing. For doctors and the broader network of third parties to do their jobs, data needs to be easily accessible.
That speed and accessibility get the right medication or care to the patient quickly. Unfortunately, some of that convenience has to be traded for security.
There are ways to do this that are not too cumbersome, but the current state of affairs leaves the industry open to attack. Data has three states that require protection:
- Data at rest
- Data in transit
- Data in use
Each state has different requirements. Encryption covers the first two well: disk or database encryption for data at rest, and TLS for data in transit. Data in use is harder, because the application needs the data decrypted to work on it, so that state relies mainly on access control and endpoint hardening. Data portability, moving records from one system to another, is data in transit; if that channel is not encrypted and authenticated, an attacker positioned on the network can intercept, read or alter the records as they pass.
7. Remote Data Access
Healthcare professionals need to be able to reach records at any time. That can be the difference between life and death, so remote data access is a must.
But remote access brings more exposure: every remote entry point (a VPN gateway, a web portal, a remote desktop service) is something attackers will probe, so each needs strong, preferably multi-factor, authentication and monitoring.
Common Cyber Threats Experienced By The Healthcare Industry
For all these reasons, it’s no wonder attackers are drawn to the healthcare industry like bears to honey.
Understanding attackers’ motivations is one way to protect your organization from breaches; knowing the tactics they employ will help you defend against them better.
Below are some common threats in the healthcare industry.
Ransomware
One of the most common types of attack in the industry is ransomware. Ransomware is malware that encrypts files, and sometimes whole systems, so that legitimate users can no longer work.
Once a victim opens the payload on one machine connected to the information system, the malware typically reaches out to shared drives and other hosts, so in a poorly segmented network many workstations end up showing the same ransom screen and staff can no longer access the system.
Attackers then set a condition for unlocking the systems, usually payment.
WannaCry was one of the most infamous ransomware attacks in recent history. It struck in May 2017 and crippled parts of the UK’s public healthcare system, the National Health Service (NHS).
The worm encrypted files on infected hosts and demanded a bitcoin payment to unlock them. It spread through a Windows SMB vulnerability for which Microsoft had released a patch two months earlier, so unpatched machines were the ones hit.
The attack was estimated to cost the NHS around £92 million ($126 million) in disruption and IT infrastructure upgrades. Nor was it confined to the UK: it spread worldwide within hours, reaching the United States as well.
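The mass-encryption behavior described above is also what gives ransomware away early. The following is an added example, not code from the original article: a Python heuristic that reads a file-audit log and alerts when one account renames many files to the same unfamiliar extension within a minute. The log format, host and user names, the `.k3r` extension and the benign-extension list are all constructed assumptions; real endpoint tools emit different fields, and the threshold has to be tuned against your own baseline.

```python
"""Heuristic detection of ransomware-like mass file renaming.

Added example, not code from the original article. The file-audit log format
below (timestamp host user action path new_path) is a constructed,
hypothetical feed; real EDR or file-integrity tools emit different fields.
"""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
import os

Event = namedtuple("Event", "ts host user action path new_path")
Alert = namedtuple("Alert", "host user new_ext count first_ts last_ts")

# Extensions that legitimate software produces in bulk (Office temp-file saves,
# scanner output, backups). A rename *to* one of these is not treated as suspicious.
BENIGN_TARGETS = {".docx", ".xlsx", ".pdf", ".dcm", ".tmp", ".bak"}

# Constructed sample data: a nurse's normal morning, then a second account that
# appends an unknown extension to 25 PDFs in about 12 seconds.
NORMAL_ACTIVITY = """\
2024-03-04T09:00:01 ward3-pc07 nurse_a WRITE /share/ward3/obs_chart.xlsx -
2024-03-04T09:00:40 ward3-pc07 nurse_a WRITE /share/ward3/handover.docx -
2024-03-04T09:05:12 ward3-pc07 nurse_a RENAME /share/ward3/~tmp4f2a.tmp /share/ward3/handover.docx
2024-03-04T09:07:30 ward3-pc07 nurse_a RENAME /share/ward3/draft.docx /share/ward3/handover_v2.docx
"""


def constructed_burst(start, n=25, ext=".k3r"):
    """Fabricate n RENAME events from one account, two files per second."""
    lines = []
    for i in range(n):
        ts = (start + timedelta(seconds=i // 2)).isoformat(timespec="seconds")
        lines.append(f"{ts} ward3-pc07 clerk_b RENAME "
                     f"/share/ward3/rec{i:03d}.pdf /share/ward3/rec{i:03d}.pdf{ext}")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = NORMAL_ACTIVITY + constructed_burst(datetime(2024, 3, 4, 11, 42, 0))


def parse_log(text):
    """Parse the constructed whitespace-separated audit format into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, path, new_path = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, user, action,
                            path, None if new_path == "-" else new_path))
    return events


def detect_mass_rename(events, threshold=20, window=timedelta(seconds=60)):
    """Alert when one account on one host renames `threshold` distinct files to
    the same new extension within `window`. One alert per (host, user, ext)."""
    recent = defaultdict(deque)   # (host, user, new_ext) -> deque of (ts, path)
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "RENAME" or ev.new_path is None:
            continue
        old_ext = os.path.splitext(ev.path)[1].lower()
        new_ext = os.path.splitext(ev.new_path)[1].lower()
        if not new_ext or new_ext == old_ext or new_ext in BENIGN_TARGETS:
            continue
        key = (ev.host, ev.user, new_ext)
        q = recent[key]
        q.append((ev.ts, ev.path))
        while ev.ts - q[0][0] > window:   # drop events that have aged out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(Alert(ev.host, ev.user, new_ext, len(distinct), q[0][0], ev.ts))
    return alerts


def run_demo():
    """Run the detector over the constructed log; returns the list of alerts."""
    return detect_mass_rename(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a.host} {a.user}: {a.count} files renamed to {a.new_ext} "
              f"between {a.first_ts:%H:%M:%S} and {a.last_ts:%H:%M:%S}")
```

Run it directly to see the single alert the constructed burst produces; the nurse’s ordinary saves and renames do not trigger it. A production version would add further signals (a jump in file entropy, ransom-note files appearing in many directories) and wire the alert to an automated response such as disabling the account or isolating the host, because the time between the first encrypted file and a fully encrypted share is measured in minutes.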
Social Engineering
Because the industry suffers from low security awareness, social engineering is a significant threat to organizations in the sector.
In short, social engineering is when attackers manipulate human psychology to gain access to systems or to get victims to hand over sensitive data. Be sure to read this post to learn more about social engineering and how to recognize it.
Attackers use a range of social engineering techniques, such as phishing and impersonation, to reach personal health records; a convincing e-mail from the “IT help desk” asking a nurse to re-enter her credentials is often all it takes.
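A simple way to make the warning signs concrete is to check the mail headers and links mechanically. Below is an added example, not from the original article or from any product: a Python script that flags a Reply-To domain that differs from the sender, a sender domain that is a near-miss of the organization’s own, a link whose visible text shows a different host than its real target, and urgency wording. The trusted domain examplehospital.org, both messages and the lookalike domains are constructed for illustration.

```python
"""Score e-mails for common social-engineering indicators.

Added example, not code from the original article. The trusted domain
examplehospital.org, both messages and the lookalike domains are constructed
for illustration; real mail gateways also check SPF, DKIM and DMARC results,
which are not modelled here.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplehospital.org"}   # assumption: the organization's own domain
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")

# Constructed phishing message: lookalike sender, foreign Reply-To, disguised link.
PHISHING = """\
From: IT Service Desk <helpdesk@examp1ehospital.org>
Reply-To: helpdesk-reset@mail-secure-login.example
To: nurse_a@examplehospital.org
Subject: URGENT: your EHR account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your access will be suspended within 24 hours unless you verify your credentials.</p>
<p><a href="https://ehr-login.mail-secure-login.example/reset">https://ehr.examplehospital.org/reset</a></p>
</body></html>
"""

# Constructed legitimate internal message for comparison.
LEGITIMATE = """\
From: Records Office <records@examplehospital.org>
To: nurse_a@examplehospital.org
Subject: Ward 3 handover template updated
Content-Type: text/plain; charset="utf-8"

The handover template on the shared drive was updated this morning.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    """Crude last-two-labels reduction; use a public-suffix list in production."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def resembles_trusted(domain):
    """True for near-misses of a trusted domain (one swapped or added character)."""
    return any(domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.85
               for t in TRUSTED_DOMAINS)


def analyse(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")
    if "@" in name and domain_of(name) != from_dom:
        findings.append(f"display name carries a different address ({name})")
    if resembles_trusted(from_dom):
        findings.append(f"sender domain {from_dom} resembles a trusted domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in ANCHOR.findall(text):
        href_host = registrable(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^/\s<]+)", label)
        if shown and registrable(shown.group(1)) != href_host:
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
        elif resembles_trusted(href_host):
            findings.append(f"link host {href_host} resembles a trusted domain")
    if URGENCY.search(TAG.sub(" ", text)):
        findings.append("urgency language pressuring the reader to act")
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING), ("legitimate", LEGITIMATE)):
        print(f"{label}: {analyse(raw) or ['no indicators']}")
```

These are the same checks a mail gateway applies, alongside SPF, DKIM and DMARC verification of the sending domain. The point for awareness training is that every one of these indicators is also something a person can learn to spot: hover over the link, read the real address behind the display name, and treat any deadline as a reason to slow down rather than speed up.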
You should note that the healthcare industry is just as susceptible to any type of security threat as any other industry. Still, the two mentioned here seem to be a recurring theme within the sector.
In the next section, we will examine defensive measures you can begin to employ to reduce the chance of a successful cyberattack.
Cyber Defense for the Healthcare Industry
If we look at the healthcare industry’s common threats, the right defensive tactics become more apparent. There is no point using a hammer to saw a table, and security tools are no different.
Trying to cover every base is costly and often wasteful. A tailored approach is the best way to implement a security architecture, and that holds for healthcare organizations too.
Mapping the reasons above to the threats they enable gives you a good foundation for your defenses.
Staff Awareness Training
If you could spend resources on only one thing, staff awareness training might well give you the biggest bang for your buck.
As in most industries, healthcare’s biggest asset is its people. But where security is concerned, they can also be its biggest liability.
Strengthening your weakest link raises the bar across the board and has the most significant impact on your overall security posture. HIPAA already recognizes this and requires covered organizations to run a security awareness and training program for their workforce. The rule calls for periodic security updates and reminders rather than a fixed schedule, so set one yourself: annual training at minimum, with short refreshers whenever a new phishing campaign or system change warrants it.
Vulnerability Assessment and Threat Analysis
Healthcare networks tend to have substantial IT estates, as discussed earlier. For that reason, staying on top of the threat landscape is one of the surest ways to stay ahead of attackers.
Threat analysis combined with vulnerability scanning (assessment) maintains a higher level of security. Together they tell you which threats are active against your sector and whether those threats can exploit weaknesses you actually have. Two practical caveats: you cannot assess what you do not know you have, so an accurate asset inventory comes first; and active scanning can disrupt fragile medical devices, so coordinate with vendors and prefer passive discovery on clinical networks.
Remember, the attacker only has to find one vulnerability to get in. The defender’s job is to find and patch, or otherwise mitigate, the vulnerabilities before the attacker can exploit them.
Global interconnectivity affords us many conveniences, and they have been extended to the healthcare sector.
Unfortunately, given the industry’s security issues, these conveniences have become something of a liability, which leaves many wondering why healthcare information systems are such a target for security threats.
This article discussed some of the more common reasons the industry faces security issues.
But it is not all doom and gloom. There is hope, and it comes in the form of cyber defense. The industry needs to reconsider its security requirements, and RSI Security can help you achieve your security goals.
A Managed Security Service Provider (MSSP) can make your security budget stretch further and get you compliant with HIPAA. Get in contact with us today.
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.