Like all sectors, our healthcare industry has become increasingly reliant on technology, the Internet of things and smart equipment that drives efficiency. However, healthcare institutions are unquestionably difficult to secure, trailing behind other industries when it comes to cybersecurity. Its limited resources are naturally channelled towards patient care, making healthcare a substantial and highly lucrative cybercriminal target.
COVID-19 only enhanced this opportunity; hackers capitalised on an overwhelmed system and exhausted staff, deploying a surge of ransomware in 2020. After all, healthcare simply cannot grind to a halt if compromised: lives are at stake.
In 2020, healthcare breaches increased by over 50%*, yet targeted attacks on this critical infrastructure have been increasing in prevalence for many years. In fact, for 12 consecutive years, healthcare has had the highest average data breach cost of all industries.
In 2021, the average cost of a healthcare data breach exceeded US$ 10 million – a record high.
Source: IBM Report, How much does a data breach cost in 2022?
On top of this, highly regulated industries suffer the highest long-tail costs, with financial losses still being experienced several years after the event^.
And tragically, the cost isn’t only financial. Ransomware claimed its first human life in October 2020 as a direct result of an IT systems failure in a Duesseldorf hospital. A woman requiring urgent admission died after being transported to another hospital+.
In 2019, a single electronic protected health information (ePHI) record available on the dark web was valued at US$ 250. For perspective, a credit card was US$ 5#. In 2021, security vendor Centrify stated that an ePHI record will now fetch upward of US$ 1,000**.
Payment data contains a single piece of information. A medical record contains far more personally identifiable information (PII): name, address, date of birth and potentially insurance or banking details that can be used for anything from identity theft to insurance fraud.
Common health service cyber-attacks.
Busy, tired staff are targeted with social engineering scams to deploy SQL injection attacks and ransomware through emails, websites or software installation; the industry is particularly susceptible to the latter. According to the HIMSS Healthcare Cybersecurity Survey 2021, phishing was the initial point of compromise for 71% of the respondents.
In May 2017, 80 NHS hospital trusts and 603 primary care services were brought to a standstill for several days following the global WannaCry attack, which exploited an unpatched vulnerability in the unsupported Microsoft Windows 7 operating system. As WannaCry spread via the internet, it reached the N3 network that links the entire NHS. Although no ransom was paid, the disruption is estimated to have cost a total of £92 million##.
The FBI has voiced its concern about ransomware deployments on health providers and emergency services+. In July 2022, the FBI joined forces with the Cybersecurity and Infrastructure Security Agency and the US Department of the Treasury to release a joint advisory on Maui ransomware, believed to be a North Korean state-sponsored operation. This single-extortion method has been used to target health organisations since May 2021. Maui differs from other ransomware: there is no automated transmission and no ransom note, and it is understood to be operated manually, with the attacker choosing specific files to encrypt.
Why is our healthcare attacked?
The more critical the service, the more likely the criminals will be paid; their chances of success are significantly higher.
Prolonged disruption has a far greater impact, not only financially. Life-saving equipment cannot be used, operations cannot take place and shared patient records cannot be accessed in A&E. In addition, cybercriminals threaten to leak highly personal data including medical diagnoses. As such, it becomes a case of damage limitation and restoring operations as quickly as possible – so, the criminals get paid.
Just 6%, or lower, of the healthcare sector’s IT budget is assigned to cybersecurity^^, although overall this has increased slightly year on year. Limited budgets result in an increased likelihood of future data governance issues.
Legacy hardware and outdated software systems pose a significant risk to any user once they are no longer supported by the software providers, as was the case in the NHS WannaCry incident. The malicious code moved through the network and on to those of connected third parties.
The use of legacy systems is, according to the 2020 HIMSS Cybersecurity Survey, extremely common in the healthcare industry. 80% of respondents said their organisation currently ran legacy systems and software. 39% stated that those systems presented a significant security challenge.
Smaller organisations face the same risks as larger trusts. To operate, they partner with third-party providers who remotely access the network via interconnected systems. A recent study by Verizon stated that a significant number of cybersecurity incidents occur at small institutions; they are less likely to have state-of-the-art software or a CISO and are more likely to comply with the hacker’s demands**.
How can the healthcare industry defend itself against cyber-attack?
Whilst there is a rapid increase in the numbers of health sector breaches, even small establishments can defend themselves, proactively.
Stay up to date.
Replacing legacy systems may not sound feasible to stretched health services. However, with careful lifecycle management, even older hardware can be updated and upgraded. Keeping operating systems, applications and software installations current will help protect against cyber-attack and will also maximise the lifetime value of devices that may otherwise have become end-of-life IT assets.
Many IT asset disposition companies offer lifecycle management, upgrade services and mobile device recycling; they can also configure devices so that administrative access isn’t granted to employees, preventing accidental insiders from installing malicious code.
If you outsource to an ITAD supplier, you have the added peace of mind that the ITAD chain of custody provides. Each asset and its components will undergo professional, secure data erasure and receive supporting documentation; an IT asset disposal accreditation certificate. With a strong ‘reduce, reuse, recycle’ ethos, any removed components are sanitised for the remanufacturing process. The institution can effectively sell redundant IT assets so their components enter the circular economy; this even provides a residual payment and a new revenue stream.
Back up your data.
Ensure that there is an offline backup of your entire IT system in case your system is compromised. This should be stored off-site and regularly updated. This will minimise disruption, ensuring that records can be reinstated and accessed relatively quickly.
Your backup process should form part of a wider Cyber Security Incident Response or crisis plan covering both internal and external breach events. By preparing for an attack before it happens, you curtail the impact and the direct consequences for patients should the worst happen, and you also prevent damage to the organisation’s reputation.
It is essential to have complete network visibility; to know exactly who has access to your network and data, why they need it and what they do with the information. Applying the principle of least privilege is an effective and relatively simple way of ensuring you only provide the access that an individual actually needs to perform their role.
Where external third parties present an elevated level of risk, multi-factor authentication can provide layered security. The foundation of the zero-trust approach, MFA requires two or more user identity verifications, preventing opportunistic access. One of the biggest advantages of two-factor authentication is that it adds another barrier, reducing the risk. For example, in the case that one shared credential has been compromised, an unauthorised actor will be unable to meet the second authentication criteria.
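The two controls described above, least privilege and a second authentication factor, fit together naturally in an access check. The following is an added example (not code from the article or from tier1) showing how a layered check can be written: a password is verified first, then an RFC 6238 time-based one-time code, and only then is the request tested against a per-role permission set so that even a fully authenticated account is limited to what its role needs. The role names, user accounts, passwords, salts and TOTP secrets are all constructed for this example.

```python
import hashlib
import hmac
import struct

# Hypothetical least-privilege role table (all names constructed for this
# example): each role carries only the permissions its job actually needs,
# so a compromised account exposes as little as possible.
ROLE_PERMISSIONS = {
    "clinician": {"ehr:read", "ehr:write"},
    "receptionist": {"appointments:read", "appointments:write"},
    "third_party_support": {"device:diagnostics"},  # remote vendor engineer
}

TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the stored value never reveals the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory; the vendor account stands in for the shared
# third-party credential the article warns about.
USERS = {
    "dr.example": {
        "role": "clinician",
        "salt": b"salt-clinician",
        "password_hash": hash_password("clinician-pass", b"salt-clinician"),
        "totp_secret": b"clinician-totp-secret",
    },
    "vendor.support": {
        "role": "third_party_support",
        "salt": b"salt-vendor",
        "password_hash": hash_password("vendor-pass", b"salt-vendor"),
        "totp_secret": b"vendor-totp-secret",
    },
}


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s steps)."""
    counter = struct.pack(">Q", at_time // TOTP_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authorise(user: str, password: str, otp: str, permission: str, at_time: int):
    """Check credential, then second factor, then role permission.

    Returns (allowed, reason) so the failing stage can be logged.
    """
    record = USERS.get(user)
    # Same reason for unknown user and wrong password: no account enumeration.
    if record is None or not hmac.compare_digest(
            record["password_hash"], hash_password(password, record["salt"])):
        return False, "bad credentials"
    # A leaked or shared password on its own gets no further than this line.
    if not verify_totp(record["totp_secret"], otp, at_time):
        return False, "second factor failed"
    # Least privilege: an authenticated user still only gets role permissions.
    if permission not in ROLE_PERMISSIONS[record["role"]]:
        return False, "not permitted for role"
    return True, "ok"


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["vendor.support"]["totp_secret"], now)
    print(authorise("vendor.support", "vendor-pass", code, "device:diagnostics", now))
    print(authorise("vendor.support", "vendor-pass", "000000", "device:diagnostics", now))
    print(authorise("vendor.support", "vendor-pass", code, "ehr:read", now))
```

The order of the checks matters: the password and one-time code are compared with constant-time comparisons, a leaked password fails at the second-factor stage, and the permission lookup is evaluated last, so the vendor account is denied patient-record access even with both factors correct.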
Outdated IT systems, fewer cybersecurity processes and protocols, extremely busy staff and extremely valuable data make the healthcare industry a very attractive cyber-crime target. The need to prevent huge disruption to a critical service, along with the potential loss of life, makes the likelihood of a successful attack high.
Efficient lifecycle management, upgrade programmes, environmentally friendly ITAD and multi-factor authentication create infiltration barriers and make sure that no sensitive data remains on the devices themselves. Despite the best efforts to safeguard patient ePHI data, should the worst happen, a Cybersecurity Crisis Plan will help you respond appropriately, effectively and with agility, whilst a full, off-site, offline backup will help you restore data and operations swiftly. Whilst budgets, and consequently cybersecurity implementation, have fallen behind other industries, data governance challenges can be met to a greater extent than many currently manage with cost-effective, outsourced solutions.
tier1 provide trusted lifecycle management, upgrades and data erasure services with the utmost reliability and professionalism. We take care of the IT management support and ITAD for the healthcare industry with minimal disruption; leaving you to do what you do best – taking care of your patients.
*Help Net Security #Trustwave, ^Upguard, +Cybersecurity Ventures, **Healthcare IT Security, ##Acronis, ^^HIMSS
Find out how our data wiping services and secure IT asset disposal can support your institution – contact us on 0161 777 1000 or visit tier1.com
Sources: Purple Security, CISA, Secure Link, Trustwave, IBM, Healthcare IT News, Field Effect, Health IT Security, HIMSS, Cyber Talk, Cyber Security Ventures, PICUS, Upguard, Acronis, The Telegraph, Help Net Security, Tech Target.