Cybersecurity in Healthcare: A Matter of Life and Death?

Reuven Aronashvili, Founder and CEO at CYE

Perhaps more than any other sector, the healthcare industry faces great tension between security and easy access to data. Hospitals, doctors and other care providers need as much data and information as possible readily available to treat patients and save lives, while at the same time keeping this sensitive information secure. This tension, combined with the complexity of the healthcare sector, including its web of facilities, medical records, devices, insurance companies, care providers, prescriptions and more, shows why cybersecurity is a challenge in this field.

The numbers also reflect this challenge: in 2022, cyberattacks in the healthcare sector were up 86%, making it the third most-attacked sector. And with the average data breach costing $10 million, attacks in the medical sector are the most expensive of any sector to discover, mitigate and report. My company also found in a recent report that healthcare ranks the lowest out of 11 sectors in more than 15 countries when it comes to cyber maturity.

At the same time, human lives are increasingly at risk. One recent study found increased mortality rates at hospitals following ransomware attacks, and a few deaths have been directly blamed on cyberattacks. Unless something changes quickly, this is, unfortunately, only set to get worse.

Healthcare is a huge lucrative target

Healthcare is no doubt a valuable target by its very nature. Because of the extent of sensitive and personal information contained in medical records, such as contact details, billing information, medical history and identification numbers, cybercriminals can reap large profits by selling this information on the Dark Web, using it to perpetrate other data breaches, or using it to make fraudulent claims or to fill prescriptions on the black market.

In addition to the valuable and comprehensive nature of the data, a hospital’s need to operate around the clock also makes it a valuable target. This is especially true when it comes to ransomware attacks. Because they must keep their services up and running, hospitals are often more likely to pay a ransom.

A complex web of stakeholders, digital assets and devices

Because hospitals and other medical facilities have many different stakeholders involved in care, they often end up with piecemeal security solutions. There are situations in which medical record administrators, facility operators, doctors and insurance companies are all linked together, but each has a different solution dedicated to its own part of the data. This makes overall visibility nearly impossible.

Medical devices also complicate the situation. More than half of all connected devices contain critical vulnerabilities. These devices, including infusion pumps, imaging equipment and wearables, could not only stop working if they are hacked, putting lives in danger, but could also be a gateway to reaching further into hospital networks to carry out larger attacks. These devices need to be protected properly and with these risks in mind.

Additionally, Shadow IT (devices or software used without the IT team's awareness or control) can present a type of insider threat. Often installed or acquired by employees who are searching for a quicker, easier way to do their jobs, these devices and applications can leave the hospital open to data loss, exposure to exploitable vulnerabilities, and serious compliance issues. Many lack sufficient access control or fail to encrypt data at rest and in transit, allowing patient data to be intercepted, viewed and stolen at any point in its journey.

At the same time, many hospitals also fail to conduct an annual risk assessment or risk quantification study, and are thus unable to detect and close gaps. A risk assessment must take into consideration threats from everywhere: the perimeter, inside the organization, and the supply chain. It should determine the real risk of ransomware, data leaks, phishing attacks, malware and other threats, categorizing risk based on how vulnerable your systems are, the likelihood of your organization being attacked, and the damage that could result from a breach.

Cyber investment and security practices lag

Healthcare invests only about half of what other industries do in cybersecurity. This is partly because it is a dynamic industry, often operating under stress and in emergencies, as became increasingly clear during the Covid pandemic. Investment in security needs to change immediately. But increased investment should not just be poured into tools and tech solutions. Policies and procedures need an overhaul.

Hospitals need to start taking risk assessments and visibility more seriously. Health systems need to think as a whole, rather than take a siloed approach to protecting individual data sets or devices. Hospitals and medical centers will only be able to prioritize what to protect by carrying out thorough risk and threat assessments. Other basic-sounding measures, like password policies and user authentication, also need to be taken more seriously, and improving them can quickly increase security.

It is a fact that healthcare IT environments are among the most challenging to protect. But they are also among the most important, as human lives are at stake.
About Reuven Aronashvili

Reuven Aronashvili is the founder and CEO at CYE. He is a serial cyber security entrepreneur, having acquired deep knowledge of and passion for cyber security while serving in an elite cyber security unit of the IDF. Reuven is a national-level cyber security expert, with expertise in designing and developing innovative security solutions for governments and multi-national organizations around the globe. He brings to CYE an impressive track record of conducting high-profile cyber security improvement programs across a wide range of industries. Reuven serves as a trusted advisor for executives in leading Fortune 500 companies and was certified by the US Department of Homeland Security as an international industrial control systems cyber security expert. Reuven holds an M.Sc. in computer science, completed as part of an excellence program during his military service.