Why Healthcare Has a Cyberattack Target On It…
By Gil Vidals, HIPAA Blog, Resources

We’ve all heard by now that healthcare is seriously lagging in cybersecurity effectiveness. According to a recent study, healthcare ranked 15th out of 18 major U.S. industries in terms of overall cyber health. Another study indicates that in the past seven years, 2,149 breaches have occurred, amounting to 176.4 million patient records disclosed.

If you’re a member of the healthcare industry, or even just a consumer of it (aren’t we all?), these statistics should prompt you to sit up and ask, “Why does healthcare seem to have a target on its back?” We’d like to suggest a few reasons – based on available evidence – with suggestions for how the situation might improve:

  1. A Victimized Industry

    The facts are clear: hackers have found a veritable “gold mine” in holding health records for ransom. According to a recent Trustwave report, a healthcare record may go for up to $250 on the black market, compared to $5.40 for a payment card. Primarily, it’s the wealth of personal information these records contain – including social security numbers, financial information, health insurance, and more – combined with the relative ease of cracking into less-than-adequate health networks (substandard IT), that makes them a treasure trove for illicit profit.

    Further, it appears the stakes are raised – as well as the payout – when you prey on the vulnerable, and hackers with seared consciences know this. A 2015 survey of 223 healthcare executives revealed that nearly 80 percent of their IT had been compromised by cyberattacks. It’s a sickening reality that someone can effectively disable a care-giving institution, as in the MedStar Health incident, which saw the Maryland-based healthcare system nearly incapacitated by a ransomware attack. MedStar was forced to shut down its email, records database, and even radiation treatment to cancer patients for days. Patients suffered from a lack of services.

    Suggestion for Improvement:

    Some suggest that healthcare has suffered from tunnel vision, focusing almost entirely on its quest to improve patient care. But what if the idea of “patient care” was expanded – especially in the hospital or health system’s internal messaging and priorities – to highlight the fact that cybersecurity actually plays an important part in that life-saving mission? Would hospital budgets reflect this critical need to ensure the most up-to-date protocols, secure networks, and prompt patching – such as provided by an experienced managed security service provider (MSSP) like HIPAA Vault?

  2. A Slow-Moving Industry

    According to a 2018 Security Scorecard Healthcare Report, “60 percent of the most common cybersecurity issues in the healthcare industry relate to poor patching cadence (which measures how quickly an organization applies an update that patches a security vulnerability).”

    One reason for this may be that average-to-small healthcare organizations tend to be “less sophisticated from an IT point of view,” according to Cybersecurity Strategist Matthew Gardiner. “Many also struggle with smaller IT budgets, meaning healthcare IT teams can’t afford the security that big businesses like banks can afford.” More often than not, this reality amounts to having a vital defense with gaping holes in it.

    But even larger organizations can be slow-moving about patching the holes. MedStar Health (mentioned above) might have fixed a vulnerability that opened the door to their ransomware attack by applying a patch for the system or deleting two lines of software code. This was a flaw which many groups, including Red Hat and the US Government, had warned about in 2007 and 2010.

    Suggestion for Improvement:

    It’s time to get proactive about all aspects of security, rather than merely remaining reactive to external attacks. According to Gardiner, “Health organizations need to focus on general security controls, such as keeping sensitive data in a fewer number of places, encrypting it at rest, access controls, patching [promptly and thoroughly], and the like.” Again, from a hosting/network/security point of view, an MSSP can greatly help – and even save on capital expenditures for costly upgrades on servers, network equipment, etc.

  3. An Internally Vulnerable Industry

    Yet it seems that poor internal security policies and practices are also playing a major role in healthcare security lapses. In fact, data breaches are 50 percent more likely to stem from internal mistakes, according to a study published in JAMA. IT errors, negligence (the human element), the lure of financial gain, physical theft, and even professional revenge are all powerful “insider threats.” Health organizations, it seems, may actually be their own worst enemy.

    Suggestion for Improvement:

    With the prevalence of phishing attacks, anti-phishing tools and staff training must also be evaluated and a risk assessment conducted yearly – because the tech and schemes keep changing. As another writer notes, “All it takes is one healthcare worker in a sea of thousands to fall for a phishing scam or allow a personal device to fall into the wrong hands, and the entire system can be compromised.” Insider snooping of records and workstation/equipment negligence are also a huge problem – which makes access controls and training all the more necessary.

    Other factors might be mentioned, such as possible network inconsistencies and IT integration challenges across multiple campuses/buildings, changes due to mergers and acquisitions, and the increasing number of medical devices (X-ray, MRI, ventilators, etc.) that are becoming networked, owing to the growing “Internet of Things” (IoT). All of this must be addressed, which is why an annual cybersecurity assessment is indispensable. Inconsistent security standards, processes, and practices can be addressed and corrected – and then maybe healthcare can get the target off its back.

About HIPAA Vault:

HIPAA Vault is the low-cost leader in HIPAA compliant solutions and managed security services, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Advanced security measures are needed to ensure HIPAA compliance, and customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure and ensure that systems stay online at all times.