Healthcare Cyberattacks Are Putting Patients at Risk

On Nov. 25, 2022, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) issued a joint alert warning of attacks directed by the Hive ransomware gang. The agencies say the attacks have victimized more than 1,300 organizations in critical infrastructure sectors — particularly healthcare and public health. Victims have made ransom payments of more than $100 million since June 2021.

Cybercrime targeting healthcare organizations has reached epidemic proportions. A recent study by research firm Vanson Bourne found that two-thirds of healthcare organizations suffered ransomware attacks in 2021 — almost twice the number in 2020.

Federal officials warn that ransomware puts patients at risk by forcing hospitals to postpone appointments, cancel surgeries and close some units. Ambulances may be diverted to more distant facilities, delaying access to critical care.

Why Healthcare Is Targeted

Ransomware is far from the only threat. Data breaches in the healthcare industry exposed the records of more than 45 million individuals in 2021, according to HHS data. That represents a year-over-year increase of more than 32 percent. According to the Cost of a Data Breach Report 2022 from IBM, the average healthcare-related breach costs more than $10 million.

Cybercriminals target the healthcare industry because it’s lucrative. Healthcare organizations capture, store and process large amounts of highly sensitive information, including personal, insurance and financial data as well as medical records. While Social Security numbers sell for as little as $1 and credit card numbers around $5, healthcare records are valued at $250 to $1000 on the black market.

What’s more, healthcare organizations are more likely than other companies to pay a ransom to regain access to data. There’s more at stake than lost revenue or customer churn — ransomware attacks may be a matter of life and death.

Healthcare Cybersecurity Challenges

The growing adoption of network-connected medical devices has made healthcare organizations more vulnerable. Large hospitals may have tens of thousands of patient monitors, imaging systems and other devices, many of which were not designed with security in mind. A vulnerable device can potentially give an attacker a means of infiltrating the network and accessing sensitive data.

Even given these risks, healthcare organizations dedicate just 5 percent of their IT budgets to cybersecurity, according to the Brookings Institution. A significant portion of the remainder is spent on adopting new technologies, which means these organizations are further expanding their attack surfaces without implementing additional cybersecurity protections.

Furthermore, many healthcare organizations are finding it harder to get cyber insurance because they lack strong security. Insurers are also raising premiums due to the rising cost and frequency of attacks on the healthcare sector, and limiting what they will cover.

Improving Cybersecurity

CISA has outlined steps healthcare organizations can take to reduce their exposure, including the following:

  • Ensure that operating systems, firmware and applications are kept up to date with the latest security patches.

  • Use multifactor authentication (MFA) to secure access to as many services as possible, especially critical systems, virtual private networks (VPNs) and email.

  • Maintain online backups or use an immutable backup system that cannot be altered or deleted.

  • Segment the network to contain attacks.

  • Review the security posture of vendors, suppliers and other third parties with access to systems and networks.

  • Develop and regularly test a security incident response plan.

Healthcare organizations should also emphasize endpoint security and extend protection to medical devices as well as PCs, laptops and smartphones. The zero-trust model can further bolster security by validating the identity of every user and device accessing network resources, even if they’re within the secure perimeter.

In many cases, healthcare organizations lack the in-house expertise needed to secure their systems and networks. By partnering with DeSeMa, these organizations gain access to experienced consultants who can assess their environment and recommend effective security controls. Contact us to schedule a confidential consultation and assessment.