Healthcare organizations are vulnerable to cyberattacks, even more so than most other industries. In fact, advanced persistent threat (APT) groups actively target covered entities, such as healthcare providers, pharmaceutical companies, and medical research organizations. And according to the 2021 Verizon Data Breach Investigation Report, many APTs currently employ ransomware, including some that focus on the COVID-19 pandemic.
Cyberattackers carried out 91% of data breaches for financial gain, and human error continues to plague the healthcare industry. In other words, targeting healthcare is a lucrative and practical option for cybercriminals.
Let’s break down the top 5 reasons why healthcare is a popular victim before exploring the best cybersecurity approach to stopping such attacks before they cause irreparable damage.
1) Wealth of valuable data
One of the main goals of HIPAA (the Health Insurance Portability and Accountability Act of 1996) is to set the policies and procedures for safeguarding protected health information (PHI). PHI is any personally identifiable information that can identify a patient and is disclosed during patient care. This can include addresses, Social Security numbers, financial account information, medical records, and even someone's name. These are all types of information that APTs use to commit identity theft or insurance fraud, as well as to extort a ransom.
According to researchers, hackers target healthcare because of the high value of PHI on the black market, not to mention the amount of money an APT could extract through a ransom demand.
2) More likely to pay
Healthcare organizations are more likely to pay a ransom as lives may hang in the balance; they need access to their systems to provide patient care. This makes them more likely to bend to a demand. In a recent flash alert about Conti ransomware, the FBI reiterated:
Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of [PHI].
A patient even died in Germany after the University Hospital of Düsseldorf turned her ambulance away following a ransomware attack. Such concerns ultimately lead to healthcare providers paying a ransom (against governmental advice) hoping for the swift return of their data and no double extortion.
3) Excessive and more vulnerable attack surfaces
Healthcare organizations typically have large, vulnerable attack surfaces, composed of all the access points (or threat vectors) that allow unauthorized entry into a system. The most attacked threat vector, email, starts with a simple phishing message and leads to stolen PHI, shut-down systems, and/or continuous spying. Last year alone saw a 600% increase in malicious emails due to COVID-19. Such attack surfaces include:
- Unpatched, outdated legacy software and hardware
- Unmonitored medical devices
- Personal devices used at work
- Third-party vendors (i.e., business associates)
- Insufficiently trained remote workers
4) Untrained, tired employees
The last two attack surfaces are especially pertinent because hackers take advantage of stressed, overworked employees. The healthcare industry is known for having a stretched staff that is regrettably unknowledgeable about cybersecurity. Additionally, team members are not likely to be up-to-date on cyber risks.
In fact, the IBM Security Cost of a Data Breach Report 2021 states that compromised employee credentials caused the most data breaches, at an average cost of $4.37 million. Add to this the switch to remote working, and there has been a definite spike in phishing and brute-force attacks. Human error is inevitable, particularly for organizations that rely on their employees to recognize and block attacks rather than creating a healthy and secure cyber environment with solid, HIPAA-compliant cybersecurity.
5) Lax cybersecurity
Unfortunately, many healthcare organizations are lax with cybersecurity controls. In fact, several covered entities are doing a poor job of protecting themselves and their patients’ PHI. This is especially true for some small and midsize businesses that take an "it-won’t-happen-to-me" approach to cybersecurity. For some healthcare organizations, the idea of overhauling cybersecurity seems more daunting than dealing with a breach. But with the cost of a breach ever increasing, it’s time to rethink this.
A healthcare organization may view cybersecurity as an expense, but it is nothing compared to what you could lose in the event of a data breach.
It’s essential to follow best cybersecurity practices
The significance of PHI, along with the unfortunate use of legacy devices and notoriously overworked employees, sets up the healthcare industry as a prime target for cybercrime. This is why it is time to proactively focus on cybersecurity and put down a strong line of defense. What does this mean? It means a layered approach that includes such best practices as:
- Continuous employee awareness training
- Up-to-date and consistent policies and procedures
- Prevention and recovery strategies
- Strong technical and physical access controls
- Multiple offline backups
- Patched and updated systems and devices
- Increased security around remote working and cloud technologies
And especially, solid inbound/outbound email protection (i.e., HIPAA compliant email).
Utilize strong email security—Paubox Email Suite Premium
Paubox Email Suite Premium stops the most utilized threat vector—email—from being a cyberthreat. With our HITRUST CSF certified solution, all emails are encrypted directly from your existing email platform (such as Microsoft 365 and Google Workspace). It requires no change in email behavior to send or receive an email. No extra logins, passwords, or portals.
Paubox’s solution also comes with ExecProtect (built to block display name spoofing emails) and our new patent-pending Zero Trust Email feature, both of which safeguard an inbox. Paubox Email Suite Premium also includes data loss prevention (DLP), which stops unauthorized employees from transmitting sensitive data outside an organization, along with email archiving.
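As an added illustration of the two inbox-side checks named above (flagging display name spoofing on inbound mail and stopping sensitive data from leaving on outbound mail), here is a small Python script. It is example code written for this article, not Paubox's code, and it does not describe how ExecProtect, Zero Trust Email, or Paubox DLP actually work. The organization's domain (`clinic.example`), the executive roster, the SSN pattern, and all sample messages are constructed assumptions.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import getaddresses, parseaddr

# Constructed assumptions: the organization's own mail domain and a roster of
# executives whose names an attacker might place in a From display name.
INTERNAL_DOMAIN = "clinic.example"
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Stand-in DLP rule: a Social Security number pattern (rejects invalid area,
# group and serial ranges). A real DLP policy would cover more PHI types.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def _normalize(name):
    """Lower-case and collapse whitespace so 'Doe, Jane' and 'jane  doe' compare alike."""
    return " ".join(name.lower().replace(",", " ").split())


def check_display_name_spoof(raw_message):
    """Inbound check: return a list of findings (empty means nothing suspicious)."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # An executive's name shown to the reader, but the address is not ours.
    if _normalize(display) in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        findings.append(
            f"display name '{display}' matches an executive but sender domain is '{domain}'"
        )
    # A Reply-To that differs from From is a common companion indicator.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From '{addr}'")
    return findings


def check_outbound_dlp(raw_message):
    """Outbound check: flag SSN-like values addressed to recipients outside our domain."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = [a for _, a in recipients if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = SSN_RE.findall(text)
    findings = []
    if external and hits:
        findings.append(
            f"{len(hits)} SSN-like value(s) addressed to external recipient(s): {', '.join(external)}"
        )
    return findings


# Constructed sample messages (not real traffic).
INBOUND_SPOOF = """\
From: Jane Doe <jane.doe@mail-example.net>
Reply-To: billing@mail-example.net
To: staff@clinic.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

INBOUND_OK = """\
From: Jane Doe <jane.doe@clinic.example>
To: staff@clinic.example
Subject: Schedule

Team meeting at 3pm.
"""

OUTBOUND_LEAK = """\
From: nurse@clinic.example
To: friend@webmail-example.org
Subject: patient info

Patient SSN is 123-45-6789, please confirm.
"""

OUTBOUND_INTERNAL = """\
From: nurse@clinic.example
To: billing@clinic.example
Subject: patient info

Patient SSN is 123-45-6789, please confirm.
"""

if __name__ == "__main__":
    for label, raw in [("inbound spoof", INBOUND_SPOOF), ("inbound ok", INBOUND_OK)]:
        print(label, check_display_name_spoof(raw))
    for label, raw in [("outbound leak", OUTBOUND_LEAK), ("outbound internal", OUTBOUND_INTERNAL)]:
        print(label, check_outbound_dlp(raw))
```

The display-name check deliberately compares only the human-readable name against the roster and the domain of the actual address, because that mismatch is what a reader glancing at an inbox never sees; the DLP check only fires when at least one recipient is outside the organization's domain, so routine internal handoffs are not blocked.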
Don’t hesitate to make cybersecurity a priority. Take proactive action and implement robust protections today to avoid future headaches and potentially millions of dollars in costs.