The Ever Evolving World of Cybersecurity Threats

Technology and the way people use it are evolving at an increasingly steady pace. Just 20 years ago, cellphones were getting photo display functions for the first time and were primarily used to talk to people. Now our phones have facial recognition software and people use them to shoot and edit films for fun. The world of healthcare is no different. The amount of technology in use and the ways it is being used have skyrocketed and, unfortunately, so have the number and sophistication of cybersecurity threats.

To hear more about the current healthcare cyberattacks, we reached out to our lovely Healthcare IT Today Community. The following is what they say are the biggest ongoing threats to watch out for in your organization.

Matthew Sciberras, CISO and VP of Information Security at Invicti

Before the pandemic, the most exploitable security vulnerabilities were built into on-premises systems. But today, as more and more healthcare organizations use web browsers to access data stored in the cloud, cybercriminals are exploiting new web/cloud vulnerabilities, such as cross-site scripting (XSS). While there are many tools and best practices to protect against ransomware, such as ensuring backups are segregated from production, proper incident response, file integrity monitoring, etc., web vulnerability scanners are another example of a solution that can help healthcare IT administrators best protect their critical assets. As web vulnerabilities become a key part of ransomware attack chains, even those that originate from phishing emails, it is critical for health IT administrators to identify and eliminate vulnerabilities to proactively minimize the risk of downtime and data breaches.

Russ Smith, VP of Infrastructure & Security (CISO/CPO) at Lightbeam Health Solutions

Cyber criminals are a serious and growing threat to healthcare organizations today, and phishing may be the most common means for a hacker to gain unauthorized access. As a healthcare consumer, my own medical records were impacted when my former provider network fell victim to a ransomware attack a couple of years ago. How did it start? An employee clicked on a seemingly innocent email which then deposited malware on their hospital laptop. From there, the hackers were able to infect the entire network with ransomware. All told, the attack cost the hospital over $50 million dollars, and interrupted patient care for months! As a security professional, it’s critical to help all users understand their role in preventing cyber-attacks. Educate them on what’s at stake for them, their organization, and their patients. Coach them on what to look for in phishing attacks, how to report issues, and who to go to if they have questions. A key part of education is testing. But phish testing needs to be about teachable moments, not “gotcha” moments. Communicate, communicate, communicate until everyone in the organization has the awareness and the tools to help keep their organization secure.

Will LaSala, Field CTO at OneSpan

During the pandemic, we know healthcare organizations were forced to quickly digitize, ramping up technological capabilities to meet the needs of patients — namely through virtual appointments and other telehealth offerings. However, in most cases, security was severely neglected – not for convenience, but to continue essential services as the world shut down. In 2023, convenience is now a patient demand, hackers understand how to take advantage of such virtual practices, and the industry has yet to widely implement the security measures needed to combat these growing threats. As a result, we’ve seen massive increases in data breaches coming from all areas of healthcare on a global scale — most notably, Australia’s largest health insurance provider, Medibank, suffered a data breach that compromised almost all of its four million customers. There has also been an increase in phishing, social engineering, and ransomware attacks that we expect will continue into the new year.

Looking ahead, there is a balance that must be struck between patient demands, privacy and lack of human interaction. Security should be considered a must-have and should be interwoven into all the choices application providers are making. Data breaches from a variety of application providers mean threat actors can gain access to a wealth of knowledge and valuable personally identifiable information (PII). Furthermore, threat actors can now see things like patient trends, patterns and the way patients interact in social settings — not just the obvious PII, like names and birthdates – meaning threat actors can now create almost impossible to identify synthetic identities. Without the correct technology to detect these fakes, these synthetic identities will severely disrupt people’s lives and the way we do business. The response to all of this is the increased level of security that must be adopted into the fabric of all our transactions and agreements.

Rich Vibert, Co-Founder and CEO at Metomic

One of the biggest threats to healthcare organizations that we should be concerned about is the fact that healthcare organizations need to communicate with their customers over digital channels more than ever before. As a result, health data is creeping into cloud-based tools where it becomes exposed to very new and very real security threats – some of which healthcare organizations have never had to deal with before. Some of the latest technologies or security approaches that every healthcare organization should have in place to address cybersecurity threats are automatic data retention periods for protected health information for SaaS-based tools like file storage and communication. This minimizes the spread of data without getting in the way of employees doing their jobs and delivering a first-class experience to customers.

Old technology or processes that not enough in healthcare are using in their cybersecurity efforts include employee awareness training. It’s old but effective. It’s the only way to properly scale cybersecurity practices across a modern workforce when each employee is an end-point in themselves. It helps when it’s adapted to the modern workforce by making training more point-in-time and engaging. A simple example of something you can do to train staff to be more aware of their role in security is to communicate with them via the tools they use to communicate with their colleagues, like Slack and Microsoft Teams. Don’t use outdated and clunky setups like long videos or PowerPoint presentations.

Gerry Blass, President and CEO at ComplyAssistant

What are the biggest threats to healthcare organizations that we should be concerned about? In January 2021, HHS’s Health Industry Cybersecurity Practices (HICP) rule was signed into law. It is an extension of the HIPAA/HITECH Security Rule and identifies the top five threats to healthcare organizations. They are:

  • Email phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Internal, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

Email phishing and ransomware attacks have caused extended critical system and connected medical device downtimes that impact not only breaches of PHI and PII but also threaten patient lives. What are some of the latest technologies or security approaches that every healthcare organization should have in place to address cybersecurity threats? HICP identifies the top ten recommended security practices (RSPs), aka “controls,” that are scoped for small, medium, and large healthcare organizations. They are:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

Bruce Johnston, Senior Software Architect at MedAcuity

Many device manufacturers make the mistake of thinking unconnected devices don’t need to worry about cybersecurity. Monetary incentives and theft of intellectual property are driving double-digit growth in both the number and cost of “insider” attacks. The physical security of the unconnected device, its access points and its environment all need to be considered in a comprehensive cybersecurity assessment and effort.

Ryan Orsi, Global Head of Cloud Foundational Partners for Security at Amazon Web Services

Email phishing remains one of the top security threats for healthcare organizations as a proven method to obtain credentials, deploy malware, or other tools leveraged by bad actors. Common phishing scenarios include unsuspecting users who are coerced into entering their network credentials into illegitimate login screens, or downloading what appears to be a normal file they encounter in their daily work but is actually malware in disguise.

Ransomware and related malware attacks aimed at data exfiltration also remain popular at healthcare organizations as the organizations are understandably sensitive to the impact of any operational downtime and the regulatory consequences they would be subject to following the loss of patient data.

Email phishing training for staff members is a simple and effective way to raise overall awareness and foster the security mindset of being critical when downloading files, installing software, and clicking links within emails. Educating staff to spot suspicious domains from email senders that may include one or two extra characters is a great start. For example, an email address ending with @company1.com can look very close to the actual @company.com domain.
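The lookalike-domain check described above can also be automated at the mail gateway or in a triage script. The following is an added example, not part of the original article or of any contributor's tooling; `TRUSTED_DOMAINS`, `max_edits` and the function names are assumptions, and the sample headers used with it are constructed.

```python
# Added example: flag sender domains within a few edits of a trusted domain.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"company.com"}  # assumption: the organization's real mail domains


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # drop a character of a
                           cur[j - 1] + 1,              # add a character of b
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From header; the display name is ignored."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return domain.strip().rstrip(".").lower() if at else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return (verdict, trusted_domain_it_resembles_or_None)."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    for good in sorted(trusted):
        # Policy assumption: subdomains of a trusted domain are trusted too.
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    for good in sorted(trusted):
        # Trusted name used as a leading label of some other domain.
        if domain.startswith(good + "."):
            return ("lookalike", good)
        # One or two extra, missing or swapped characters.
        if edit_distance(domain, good) <= max_edits:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for hdr in ("IT Help <helpdesk@company1.com>", "Alice <alice@company.com>"):
        print(hdr, "->", classify_sender(hdr))
```

Short trusted domains produce more near-matches, so treat a `lookalike` verdict as a signal for quarantine or review rather than an automatic block.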

Adam Mahmud, Senior Product Marketing Manager at Jamf

Personal data stolen from healthcare organizations normally ends up being bought and sold on the dark web for a high price. Healthcare providers in the US are a particularly popular target for threat actors as data usually commands a higher price due to the country’s affluence and economy. Healthcare providers are constantly adding new endpoints such as tablets, laptops and other interconnected devices to their networks, which exposes them to new attack vectors. With more devices connected to the network, it widens the attack surface, and ultimately, makes it harder to maintain visibility across the network, leaving gaps for threat actors to exploit.

Britton Burton, Sr Director of Product Strategy at CORL Technologies

What are the biggest threats to healthcare organizations that we should be concerned about? It sounds like the Mr. Obvious answer, but I don’t see how there can be an answer other than ransomware and the evolving landscape of data destruction, wiper, and extortion attacks. These are a significant threat for any industry, but healthcare is so uniquely vulnerable to them due to the confluence of several factors:

  • An extremely variable technology footprint that runs the spectrum of traditional endpoints to IoT, ICS, medical devices and the ever-evolving investment in cloud and other data-sharing technologies
  • An emphasis on maintaining operational continuity, so that patient care isn’t interrupted
  • A workforce that is stretched to the limit, churning rapidly and constantly in a post-COVID staffing world… and who are frequently not the most security-savvy users because their jobs require hands-on skills rather than all-day computer work
  • A business model that can have extremely thin margins, which tends to constrain spend on security budgets and staffing when compared to other industries

These factors make healthcare a ripe target for attack because there are myriad ways for attackers to gain a foothold and because healthcare, as much or more than any other industry, is motivated to pay attackers so they can restore operations as quickly as possible. Every week there’s a new story of a healthcare system going on diversion or shutting down certain patient care operations due to a ransomware event.

Perhaps that’s too obvious. The newer twist we all need to keep our eyes on is more about the threat vector than the threat itself. More of these attacks every year manifest in healthcare’s vendor ecosystem. Healthcare is outsourcing its critical business operations to third parties at lightning speed, and attackers are aware of this trend. The ability to compromise a third party who serves multiple healthcare organizations makes those third parties an even juicier target. And suppose a hospital system relies on a third-party provider for billing, imaging, lab, or critical operations. That hospital can be hard down for as long as that third-party provider is dealing with a ransomware event.

John Gomez, Chief Security and Engineering Officer at CloudWave

Threats healthcare organizations should be concerned about are:

  • Most software, policies, and regulations protect data; not enough protect life. Threats to medical devices need a different level of cybersecurity planning, including the clinical response team.
  • Awareness of the latest threats. Cyber criminals are evolving (for example, exploiting ChatGPT). If you aren’t up to date on tactics, you can’t protect against them.
  • Attackers are in an environment for 190+ days before an attack, which includes accessing the backup. A robust backup plan must be in place to address this.

A scary list, but important to know! Thank you to everyone who submitted a quote; we always look forward to hearing from all of you. And thank you to all of the readers as well! We’d love to hear from you too, so leave a comment down below with your thoughts on healthcare cyberattacks or share on social media.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

   
