The Importance of Cybersecurity in Healthcare
Cybersecurity in Healthcare
Cyberthreats to the healthcare sector have grown significantly in the past ten years, along with the sophistication of cyberattacks. The risk of malevolent cyberattacks grows with each advancement brought about by automation, interoperability, and data analytics. Cyberattacks are a particular worry for the healthcare industry because they can directly endanger patient safety and health, in addition to system and data security.
Cybercriminals frequently target healthcare institutions, no matter how large or small. The increase in cyberattacks targeting the healthcare industry is a sign that cybercriminals are preying more frequently on smaller healthcare providers. These key reasons explain why healthcare institutions are desirable targets for cybercriminals:
- Criminals can easily sell patient billing and medical information on the dark web in order to commit insurance fraud.
- Profitable ransom payments are likely since ransomware has the capacity to lock down back-office and patient care systems.
- Medical equipment that is connected to the internet is vulnerable to hacking.
Large healthcare organizations frequently have the means at their disposal to develop an effective security plan. They have the resources to frequently afford to staff a security operations center, appoint a chief information security officer, and pay for the top threat intelligence services.
Dentists, independent physicians, and community hospitals don’t always have the luxury of expensive cybersecurity measures. However, they are just as susceptible to cyber dangers and provide criminals an equal chance to succeed.
Unable or unwilling to pay exorbitant ransoms, many small healthcare providers cannot survive these attacks and feel forced to close their businesses. These professionals are completely aware that paying a ransom demand in no way ensures the release of data or equipment from the hacker. Nor does it ensure that they will not sell your patient’s data on the dark web.
“Roughly 57 percent of U.S. medical offices contain ten or fewer doctors, out of which, 10 percent are solo practitioners” – American Medical Association
Cyberattack incidents from the past few years
There are two main goals for attackers: disruption and data.
Attackers’ initial goal is to sabotage medical operations. Healthcare providers cannot take their time if a system is corrupted like other businesses can. A major issue arises if a hospital is unable to access its records or if patient care is endangered. Some attackers target the data in healthcare systems, although many are primarily focused on disrupting services.
In certain hacks, the attackers took the data first before releasing the ransomware on the company. In these situations, the attackers threaten to lock up the healthcare organization’s computer systems and detonate the ransomware if they don’t pay a ransom in order to get the data back.
Let’s take a look at some incidents that provided an important experience with cyberthreats in healthcare.
Campbell County Health (CCH)
In Wyoming, a small community health system was the target of a cyberattack in 2019. Nearly 20 clinics are run by Campbell County Health, which also manages a 90-bed acute care hospital in Gillette. Attackers locked up medical equipment and sensitive patient data before demanding a ransom.
The attack forced staff members at Campbell County Health to cancel services like radiography, endocrinology, and respiratory therapy. According to reports, the organization sent patients to hospitals in South Dakota and Denver. There were no cash registers, emails, or faxes. Patients had to carry their own drug bottles to appointments since doctors had to use pen and paper to record medical problems and prescription records were inaccessible.
“CCH is not the first organization, hospital or otherwise, to be hit with a ransomware attack. Every organization is subject to this type of cybercrime. We were not the first, and, unfortunately, we won’t be the last to experience this. Individuals, as well as organizations, must remain constantly vigilant, at home and at work, in order not to become a victim of this kind of crime. CCH had strong systems in place before the attack, and we have invested in additional measures, but the threat remains for all of us.” – Andy Fitzgerald, CEO
Kaiser Permanente
Following unauthorized access to the US healthcare behemoth’s email system, the healthcare and personal information of up to 70,000 Kaiser Permanente patients in Washington state may have been made public.
During the first week of April 2022, a data breach incident may very well have exposed the health plan provider’s laboratory test results, first and last names, medical record numbers, and dates of service for patients.
Regulators from the US Department of Health and Human Services Office for Civil Rights estimate that 69,589 records were potentially exposed as a result of the email security blunder at Kaiser’s Washington branch, despite this information not being included in Kaiser’s breach notice.
Common Ground Healthcare Cooperative
Recently, 133,714 members of Common Ground Healthcare Cooperative’s plan were alerted that their information was probably obtained as a result of a hacking event and subsequent ransomware assault on its mailing vendor, OneTouch Point (OTP).
According to the investigation into the ransomware attack on OTP on April 28, the threat actor had access to the company’s computers the day before the malware was released. However, the vendor was unable to ascertain which files, if any, the attacker had accessed during the dwell time.
The compromised servers held patient-specific data, including member names, IDs, dates of birth, contact information, diagnosis codes, service descriptions, and private data collected during health evaluations. OTP has subsequently informed authorities and law enforcement about the occurrence and is acting to strengthen its security procedures, guidelines, and measures.
EmergeOrtho
On May 18, a “sophisticated” ransomware attack was launched, gaining access to the data of 75,200 patients connected to EmergeOrtho in North Carolina. The notice demonstrates that the prolonged investigation was a factor in the delayed notification.
When it was discovered, EmergeOrtho started its disaster recovery plan and hired a forensic investigation company from outside the company, which helped with the investigation and verified the network security. The supplier and the FBI are working together.
A certain amount of patient data was accessed during the incident, according to the forensic investigation. Notably, it seems that only patients’ names, dates of birth, residences, and SSNs were compromised in the incident. No financial information, credit card information, financial account information, or treatment information was compromised.
Since then, Emerge Ortho has added more monitoring tools and is attempting to strengthen the security of its systems. A full year of free credit monitoring services will be provided to all impacted patients.
Cyber Vulnerabilities in Healthcare
These are some of the most significant ways that organizations in the healthcare sector may be particularly vulnerable to cyberattacks.
- Outdated Software Systems
Many software management systems in the healthcare sector are out-of-date or have not received an upgrade in a very long time. This indicates that the typical healthcare organization is likely adopting software that lacks sufficient safety and security measures that are on par with those of cybercriminals. - Lack of Cybersecurity Awareness
The healthcare industry represents thousands of individuals operating complicated software systems, collecting personal data, and working with large amounts of private information. The breadth of the industry and the sheer number of individuals who have access to restricted systems and sensitive information make breaches, mistakes, and password compromises relatively common. Phishing attacks by cybercriminals are bound to score at least one employee within a network, which is all that modern hackers need to infiltrate your systems. - Data Manipulation and Misuse
Healthcare professionals gather a lot of data in order to make decisions about patient care based on the best available evidence. This makes it possible to treat patients and establish accurate assessments. However, because there are so many people working in the healthcare sector who have access to a lot of information, there is a considerable risk of data theft and improper use of patient information, for purposes such as identity selling and insurance fraud. - Limited Cybersecurity Provisions
Other industries, like banking and the corporate sector, are more likely to allocate adequate resources to cybersecurity. This includes current, up-to-date software systems and implementation costs as well as salary and contracting expenses for cybersecurity professionals to help mitigate the risks of breaches and attacks. Healthcare entities often lag in applying adequate resources for cybersecurity and data safety, and this makes it more lucrative for hackers to attack healthcare entities than in comparison with other sectors that are in general harder to breach.
HIPAA Regulations
The Health Insurance Portability and Accessibility Act (HIPAA) is a regulation that aims to protect patient health information in the US. The security controls, methods, and procedures defined in the HIPAA regulation must be implemented by all organizations that have access to protected health information (PHI).
Sensitive patient health information, including treatment specifics, test results, personal identification information, and demographic data, is protected by HIPAA from being shared without the patient’s permission. The HIPAA Security Rule mandates that covered entities keep electronic protected health information (ePHI) secure and guarantee that their security can safeguard the organization from any kind of physical, administrative, or technical compromise in order to provide patients with the highest level of protection for their health records.
Conclusion
Healthcare organizations and professionals need to give cybersecurity top priority. It is crucial that entities make sure that sensitive data is effectively protected and secured in an era where cybersecurity risks result in significant losses and lawsuits across all industries every year.
Our team at Caplock Security is made up of devoted security professionals with years of experience in a variety of cybersecurity fields. Several of our clients have already used our assistance to improve their security standards, compliance requirements, and lower their risk. Our professionals can assist you in locating your security vulnerabilities and offer advice on how to fix them effectively, by conducting the following essential activities.
- Medical Device Penetration Testing
- Network Segmentation for Medical Equipment
- Device Inventory and Risk Analysis
- Vulnerability Detection and Response
- Incident Monitoring and Response
- Medical Device Risk Assessments
- Vendor Risk Management and Reviews
- HIPAA Penetration Testing Services
Prevention is superior to cure. Avoid the costly mistake of neglecting your organization’s cybersecurity aspect. Caplock Security gives you all the tools you need to streamline your security deployment without sacrificing performance, allowing for a unified strategy for efficient operations and getting you ready to scale for corporate expansion.