Cybersecurity in Healthcare
The cyberthreat to the healthcare business has grown considerably in the last decade, as has the sophistication of cyberattacks. This new era is recognised by both industry and government. The vulnerability to malevolent cyberattacks grows with each advancement made possible by automation, interoperability, and data analytics.
Cyberattacks are of special concern in the healthcare industry because they can endanger not just the security of systems and information, but also the health and safety of patients.
For three key reasons, healthcare businesses are appealing targets for cybercriminals:
- On the darknet, criminals can swiftly sell patient medical and billing information for insurance fraud.
- Because ransomware can lock down patient care and back-office systems, it’s conceivable that ransom payments will be lucrative.
- Medical gadgets that are connected to the internet are vulnerable to tampering.
Cybersecurity issues in the healthcare industry
Cybercriminals prey on health care businesses, both large and small. The rising incidence of healthcare-related hacks indicates that cybercriminals are targeting smaller health providers at an increasing pace.
Large healthcare organisations frequently have the financial means to mount a powerful cyberdefense plan. Large hospitals and health-care organisations can frequently afford to appoint a chief information security officer, staff a security operations centre, and pay for the best threat intelligence services.
Healthcare organisations have been the target of some of the most prominent cyberattacks in the recent decade.
Community hospitals, independent doctors, and dentists don’t always have the financial resources to invest in sophisticated cybersecurity measures. Nonetheless, they face the same cyber threats and provide crooks with an equal opportunity. According to the American Medical Association, about 57 percent of medical offices in the United States include ten or fewer doctors, with about 10% being solo practitioners.
Many small healthcare providers are unable or unwilling to pay excessive ransoms and are forced to close their doors as a result of these attacks. These experts understand that paying a ransom demand does not ensure that the hacker will release data or equipment. It also doesn’t guarantee that they won’t sell your patients’ information on the darknet.
Hundreds of dental businesses were hit by ransomware in August 2019, according to the American Dental Association. Dentists were locked out of their data as a result of the attack, which targeted a dental-focused technology supplier.
Wood Ranch Medical in Simi Valley, California, had to close its doors on December 17, 2019 due to a ransomware attack in August of this year. “Unfortunately, the damage to our computer system was such that we are unable to restore the data saved there,” their website stated. “We can’t recreate our medical records because our backup system is also encrypted,” the note reads. “I will not be able to attend to you professionally after that date, as much as I have enjoyed giving medical treatment to you.”
The Verizon DBIR (Data Breach Investigations Report) is arguably the most renowned and insightful annual report in the security industry. According to the 2020 DBIR, the healthcare industry has seen a significant increase in the number of breaches and incidents overall. In 2020, there were 71 percent more breaches or incidents in healthcare than in 2019.
Financially motivated criminal gangs continue to use ransomware attacks against the healthcare business. Lost or stolen assets are also an issue, and human error is rife in this industry. To dispel the myth that most healthcare cyberattacks are conducted from a hidden bunker, it’s worth noting that roughly half of the breaches in this industry are caused by internal bad actors.
According to the DBIR, internal actor breaches (59 percent) outnumber external actor breaches (42 percent) in the healthcare industry. External actor breaches have increased to 51% this year, while internal actor breaches have decreased to 48%. The margin is nevertheless modest, and healthcare continues to have the biggest number of internal bad actors.
The 2020 DBIR shows that privilege misuse cases have decreased across the board, which is a ray of hope. In 2019, 23 percent of privileges were misused. This year, it has reduced to 8.7%. Poor access control directly leads to privilege abuse. Users have greater access permissions than they need to execute their tasks, and the company fails to appropriately monitor and oversee the behaviour of privileged accounts. The decline in these types of incidents can be attributed to better security rules and training. These signs show that the organization’s security awareness is increasing.
User errors that result in data loss or unauthorised access by an adversary are caused by privilege misuse occurrences. Internal bad actors should not be confused with privilege abuse.
A decrease in multiple actor breaches is another shift that goes hand in hand with decreasing insider abuse breaches. This type of breach has historically been led by the healthcare industry. External and internal actors generally join forces to steal data utilised for financial fraud in this sort of breach. Multiple actor breaches accounted for 4% of all breaches last year, but only 1% this year.
Misdelivery is the most common cybersecurity mistake in the healthcare industry. This error usually falls into one of two categories. The first is when sensitive material is received by unauthorised personnel after an email is sent to the incorrect email address or distribution list. The second is the snail-mail counterpart: address labels for a mass mailing get out of sync and confidential information is mailed to the wrong recipient.
Case Study of Cybersecurity Breach in Healthcare
A cyberattack hit a local community health institution in Wyoming in 2019. Campbell County Health has a 90-bed acute care hospital in Gillette, as well as approximately 20 clinics spread around the county. After encrypting important patient data and medical devices, the attackers sought a ransom.
Campbell County Health personnel were forced to cancel services such as radiography, endocrinology, and respiratory treatment as a result of the attack. Patients were reportedly transferred to hospitals as far away as South Dakota and Denver. Cash registers, email, and fax machines were all down. Doctors had to rely on pen and paper to track medical issues, and patients were expected to bring medication bottles to appointments because prescription records were unavailable.
Many security experts believe that a cyberattack against any healthcare business is a question of when, not if.
“CCH is not the first business, hospital or otherwise, to be targeted with a ransomware attack,” Andy Fitzgerald, Chief Executive Officer of Campbell County Health, said in a video address to the community. “This form of cybercrime can affect any firm. We weren’t the first to go through this, and we won’t be the last, either. To avoid becoming a victim of this type of crime, individuals and organisations must maintain constant vigilance at home and at work. CCH had robust mechanisms in place prior to the attack, and we have invested in further safeguards, but the threat to all of us remains.”
What makes cybersecurity challenging within the healthcare field?
The healthcare industry has all of the cybersecurity challenges that any firm does, as well as some unique ones. Healthcare organisations must safeguard their networks, databases, and endpoints. They are in charge of safeguarding their patients’ and staff’s confidential financial and medical information. They frequently safeguard important intellectual property. They also face challenges that few other firms face. Over the last ten years, the number of linked medical devices has surged. Almost every piece of medical equipment can now be connected to the organization’s operational network or is web-enabled.
Every day, more connected medical devices are being deployed, and they can account for up to 74 percent of all devices linked to a hospital’s network. Because of the widespread nature of medical device hijacking, the term “medjacking” has been used to describe these attacks on linked medical devices.
These connected devices are frequently required to keep the patient alive. Disabling them or changing their functionality can mean the difference between life and death. To keep them functioning and safe, they, like any other digital gadget, require upgrades.
Patient tracking bracelets, equipment tracking for crash carts, ventilators, portable X-ray machines, and vital-sign monitors are all examples of connected devices. All of these gadgets interact over the hospital network, giving clinicians access to vital patient data stored in electronic health records. The information sent allows clinicians to deliver care at a lower cost. Clinicians can work more quickly and in a safer environment. Each of these devices serves as a point of entry for cybercriminals.
Black Book Market Research LLC conducted a poll of over 2,800 security specialists from 733 organisations late last year to discover gaps, vulnerabilities, and flaws that continue to make hospitals and physicians sitting ducks for data breaches and assaults.
Budget limits are to blame for healthcare’s cybersecurity problems, according to the research. Replacing old software is expensive. According to previous security investigations, the bulk of healthcare medical equipment runs on older platforms. Microsoft’s Windows 7 operating system is still used by 56% of healthcare providers. Many of these providers have difficulty comprehending or implementing essential fixes.
Nothing is more important than a patient’s health and well-being, and communication between healthcare practitioners and patients, as well as between different healthcare activities, has been honed to an art. So, why does the healthcare industry have such a hard time with cybersecurity?
The following are the major cybersecurity challenges that the healthcare industry is facing:
- On the darknet, patient information is precious.
- Security protections for medical devices are frequently inadequate.
- Medical workers require the ability to access medical information from a distance.
- Healthcare workers receive insufficient cyber risk training.
- Many healthcare facilities still use outdated technology.
Only a small percentage of healthcare providers are unaware of the industry’s significant cybersecurity threats. Their status as the most targeted industry has not gone unnoticed. The issue of cybersecurity has come to the top of this industry’s worries. For healthcare professionals, there are seminars, conferences, white papers, and a plethora of cybersecurity training options.
Efficiencies are introduced to improve competitive advantage in the same way they are in any other business field. The amount of time spent with each patient is one of the major efficiencies employed by healthcare practitioners. If you spend too much time with one patient, it’s possible that you won’t be able to attend to the medical requirements of others.
Dr. Christian Dameff is the University of California, San Diego’s Medical Director of Cybersecurity. “I have a lot of patients that I need to take care of, and I only have a finite amount of time to take care of them,” he says in an Ars Technica article from November 2019. “Even with my cybersecurity expertise and understanding of these issues, I still struggle with the question of whether I should talk to a patient about patching their pacemaker or talking to them about their horribly uncontrolled diabetes and high blood pressure if I only have 15 minutes with them and may never see them again. In an ideal world, those things would not be mutually exclusive, but that is just not the case in modern medicine and healthcare.”
Dr. Dameff is required to place a higher priority on healthcare than on cybersecurity. No one would want it any other way, but the necessity of making such a decision emphasises the need for this industry to develop innovative solutions to meet its specific requirements.
Cybersecurity Solutions for the Healthcare Industry
In the fight against cybercrime, the healthcare industry is currently losing ground. This sector is vulnerable due to outdated computing systems and a scarcity of experienced cybersecurity personnel, as well as an increase in linked medical devices. Improvements in backend support systems, where critical patient information is maintained, have lagged behind technological breakthroughs in patient care equipment, systems, and processes.
The current global pandemic is only worsening the situation. “With healthcare systems under constant strain amid the SARS-CoV-2 worldwide pandemic, hospitals and healthcare facilities around the world have also been attacked by a surge of cyberattacks, including ransomware attacks,” Bitdefender Labs, a renowned cybersecurity firm, stated in May 2020. “While officials have warned that hospitals, municipalities, and institutions should be wary of losing data and access to important systems, Bitdefender telemetry shows that the incidence of cyberattacks and ransomware events directly targeting healthcare has increased dramatically in recent months.
“According to Bitdefender telemetry, the number of cyberattacks detected at hospitals surged by over 60% in March compared to February. This is the largest peak in our global evolution of cyberattacks recorded at hospitals in the last 12 months, indicating that cybercriminals have obviously taken advantage of the epidemic to launch these campaigns.”
Healthcare cybersecurity solutions should include safeguards that are superior to those provided by most enterprises. In terms of the level of protection given, these systems and devices should, in theory, be on par with or better than those employed in financial institutions.
To reach this goal, healthcare organisations must weigh the medical benefits delivered to their patients against the danger of cyberattacks when considering new platforms.
According to the Forrester New Wave: Connected Medical Device Security, Q2 2020 Report, any security platform under consideration for introduction into the medical environment should be thoroughly evaluated against the following criteria.
| Criterion | Evaluation questions |
|---|---|
| Architecture | Where do sensors and appliances need to be placed in the network for typical operation? How many sensors or appliances does the typical hospital require? What information does the vendor’s product require to be transmitted off-premises? How is this data secured (both in transit and at rest)? |
| Analytics and Reporting | Does the vendor produce dynamic reports that effectively communicate risks associated with a medical device environment? |
| Attack Response | What are all the remediation and response actions available to customers when a security attack is identified (e.g., configuration changes, device quarantine, behavioral block, device removal from network, etc.)? |
| Threat Research | How does the vendor discover new medical device threats and vulnerabilities? |
| Device Visibility | How granular is the classification taxonomy of the devices in the environment (i.e., device function, type, OS/firmware, vendor, and model)? How does the vendor ensure that classification taxonomy remains up to date in light of new devices, vendors, models, etc.? |
| Vulnerability Management | Does the product track medical device vulnerabilities (i.e., CVEs and medical device security advisories)? How are these reported on, and what actions can be taken from the admin console? |
| Integrations | What are all of the native, out-of-the-box integrations with third-party security and IT operations tools? Which are bidirectional, and what are the specific benefits to customers? |
| Vision | How well does the vendor’s product vision align to address the major customer requirements for medical device security? |
| Roadmap | What are the vendor’s short-term and long-term product roadmaps? How differentiated is the roadmap from the competition? Are the planned features expected to contribute meaningfully to customer and product success? |
From the confidentiality of sensitive health information to insurance premiums to patient care, cybersecurity has an impact on every element of the healthcare industry. Healthcare, according to industry and government authorities, lags behind in terms of cybersecurity technologies, standards, and practises.
While some advocate for more government regulation to protect patients and their data, many healthcare executives recognise that voluntary compliance with the most stringent standards is the only way to avoid more onerous compliance rules.
As scary as today’s known healthcare cybersecurity dangers are, the scariest of all cyber threats could still be lurking around the corner. Last year, Israeli researchers reported the creation of a computer virus that can inject tumours into CT and MRI scans. According to a piece in The Washington Post by Kim Zetter, this malware could trick doctors into misdiagnosing people in the wild.
Healthcare has severe cybersecurity issues that are particular to that industry. When lives, not just fortunes, are on the line, the sharpest minds in computer science, medicine, and business must collaborate to develop new answers to the dangers to medical care as we know it.