Cyberattacks in healthcare are on the rise. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), healthcare organizations experienced a 93% increase in large breaches from 2018 to 2022, with a 278% increase in ransomware attacks. As long as cybercriminals continue to experience financial windfalls from holding medical records hostage or selling patient data on the black market, healthcare organizations will be primary targets for attacks.
These attacks can be devastating for healthcare organizations and patients. Ransomware attacks, data breaches, distributed denial-of-service (DDoS) attacks, and other types of incidents can severely disrupt healthcare services and have immediate, life-threatening consequences for patients. For organizations, recovering from attacks can take months and cost millions of dollars.
The Growing Threat of Cyberattacks on Healthcare
The recent ransomware attack on UnitedHealth Group’s Change Healthcare electronic clearinghouse is a prime example. The attack severed the link between medical providers and insurers, preventing providers from transmitting patient claims and receiving payments. Patients had to delay medical procedures and were left unable to receive needed discounts on medications.
How can your organization strengthen its defenses? The first steps are recognizing the potential consequences of poor preparation and identifying the particular challenges that healthcare organizations face. Constructing a more robust strategy will then involve not only deploying new technology solutions but also implementing best practices and forging new partnerships within and beyond the healthcare industry.
The Impact of Poor Cybersecurity in Healthcare
Healthcare organizations continue to be targeted in part because their cybersecurity strategies, tools, and expertise lag behind organizations in other sectors. Hackers might more easily gain access to healthcare IT systems than systems in financial services, manufacturing, or other industries. Once they have access, they can release malware, shut down systems, and steal sensitive data.
Attacks can have a large, far-reaching impact on healthcare organizations and patients. Ransomware attacks and other breaches can force organizations to take essential systems offline, causing disruptions in vital patient services. Unauthorized access to electronic healthcare record (EHR) or billing systems can expose a wealth of sensitive information, leaving patients vulnerable to identity theft while triggering fines against healthcare organizations for violating HIPAA (the Health Insurance Portability and Accountability Act of 1996) or other regulations.
The financial costs of a single attack can be staggering. Even organizations that do not pay an exorbitant ransom could still need to recover data and restore systems, conduct forensic investigations, provide identity protection services to affected patients, and deploy new security measures. Many organizations lose revenue during attacks and could continue to lose revenue for months after if their reputation is damaged. Beyond paying regulatory fines, organizations might need to settle lawsuits brought by patients who suffered financial or physical harm as a result of an attack.
Why Healthcare Cybersecurity Requires Special Attention
Healthcare organizations face unique challenges in safeguarding systems and protecting data. First, many organizations continue to use legacy systems and proprietary devices whose vendors might not issue frequent software updates or patches to address the latest cyber threats. Second, healthcare organizations often have highly complex networks with numerous access points, creating a large attack surface.
Finally, healthcare organizations must comply with strict regulatory compliance, and they have significant potential liabilities. Operating in this environment forces organizations to take cybersecurity very seriously. But it also means that organizations can be slow to implement new security measures because they need to ensure that they remain in compliance with laws and regulations.
The Role of Government Agencies in Healthcare Cybersecurity
Government officials understand the critical importance of protecting healthcare organizations from cyberattacks, and key agencies are working to help bolster defenses. For example, the HHS recently released a multi-point strategy for strengthening cybersecurity in healthcare while increasing accountability and coordination within the healthcare sector. The Food and Drug Administration (FDA), which is responsible for regulating medical devices, now requires medical devices to adhere to cybersecurity guidelines.
Meanwhile, the HHS continues to collaborate with the U.S. Cybersecurity & Infrastructure Agency (CISA) and law enforcement agencies on the release of the latest cybersecurity advisories. Government offices and agencies are also exploring ways to tighten policies on cybersecurity and increase enforcement of regulations.
Key Areas for Healthcare Organizations to Strengthen Defenses
As healthcare organizations begin to revamp their cybersecurity strategy, many will benefit from focusing on several key areas. For example, organizations should implement strong access and authentication controls to help prevent unauthorized individuals from gaining access to enterprise apps and IT systems. They should also implement network monitoring and network segmentation capabilities to rapidly identify attacks and isolate systems from infection. And they should tap into threat intelligence sharing platforms so they can prepare early for new threats.
All organizations should also invest in education. Employees must understand the tremendous risks of cyberattacks and learn best practices for reducing vulnerabilities. Those practices range from implementing stronger passwords to refraining from clicking links within suspicious emails.
The Importance of Following Cyber Hygiene Best Practices
Beyond adding security capabilities, healthcare organizations should follow essential best practices for cyber hygiene. For example, they must keep software patched and up to date. Attackers can quickly find and exploit software vulnerabilities, so organizations must stay a step ahead. In addition, IT teams should use robust antivirus tools on all devices. The vendors providing these tools often have the latest threat intelligence and will update capabilities ahead of new attacks.
Employees should be advised to use unique, difficult-to-guess passwords. And because attackers often gain access through stolen credentials, organizations should make unauthorized access more difficult by applying multi-factor authentication.
Since human error is often a vector for attacks, organizations must also minimize the likelihood that a single error will open access to an enterprise network. Organizations could, for example, implement a policy of least privilege, which can help ensure that a single error will affect only the areas that a particular employee can access.
Organizations should also back up data regularly and keep copies offline. In the event of a ransomware attack or another type of breach, IT teams can isolate affected areas, failover to redundant systems, and restore data from backups.
How to Collaborate Across the Healthcare Sector
Clearly, your healthcare organization is not alone in combating cybersecurity threats. In addition to sharing information directly with other healthcare organizations, you can and should participate in efforts to share information across the industry, such as those spearheaded by Health-ISAC (the Health Information Sharing and Analysis Center) and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group. You might join healthcare cybersecurity coordinating bodies and professional organizations, such as the Association for Executives in Healthcare Information Security (AEHIS). And you should follow key government entities, such as the HHS and CISA, for cybersecurity updates.
Overcoming Resource Constraints for Smaller Providers
Not all healthcare organizations will have the budget or internal resources to implement multiple capabilities or follow all cybersecurity best practices. Nevertheless, smaller healthcare providers can still take advantage of federal and nonprofit resources for gaining threat intelligence. You can also partner with regional healthcare coalitions, developing mutual aid agreements for cybersecurity incident response strategies. And you can focus on the lower-cost cybersecurity best practices, such as regularly backing up data and instituting employee training.
A Look Ahead at Future Healthcare Cybersecurity Challenges
As technologies evolve, so will cyber threats. The increasing use of Internet-of-Things (IoT) devices and 5G wireless technologies in healthcare, for example, will no doubt sprout new types of threats from cybercriminals. With medical devices such as pacemakers and insulin pumps vulnerable to hacking, future threats could be more malicious and directly impactful for patients. Healthcare organizations will need to implement strategies that protect not only devices but also the data they are transmitting and the network they are accessing.
At the same time, foreign governments are likely to step up their support of cybercrimes that affect healthcare organizations. Healthcare organizations will have to be on guard against advanced persistent threats—prolonged network or system intrusions, often funded by adversaries of the United States—that aim to steal data, disrupt operations, or destroy systems.
One of the best ways to address these and other cybersecurity challenges is to build a robust cybersecurity workforce. Hiring IT professionals with cybersecurity expertise can help your organization develop stronger strategies that are also adaptive to change. Supplementing that workforce with outside experts can further enhance your strategies and improve defenses.
The Importance of Vigilance and Preparation
The growing number and increasing severity of cybersecurity threats facing healthcare organizations demand heightened vigilance. To safeguard data, avoid critical disruptions, and help ensure patient safety, healthcare organizations must make security a top priority. By implementing the right solutions and practices, and collaborating with the right public and private entities, healthcare organizations can prevent attacks and mitigate damage.
Learn how Cloudticity can help your organization prepare to withstand rising cybersecurity threats. Contact us for a free consultation today.