Healthcare information security

Top Cyber Security Risks in Healthcare [Updated 2020]

May 1, 2020 by Susan Morrow

Executive summary

The healthcare industry is a prime target for cybercriminals. Stolen protected health information (PHI) is worth hundreds, even thousands of dollars on the black market. For cybercriminals, the healthcare industry is a golden goose. Time-to-report and time-to-discover periods are often long, giving cybercriminals ample time to collect and sell stolen records online before vulnerabilities are detected and patched.

The healthcare industry’s growing use of connected medical devices, equipment and other IoT devices also means there are many new risks and endpoints to manage and secure. In the following pages, we will review critical security concerns facing the industry and healthcare compliance regulations. We will also explain the advantages of workforce security awareness training.

Top security concerns in the healthcare industry

Managing budgetary constraints

According to Symantec, the healthcare industry spends considerably less on cybersecurity technology and staff than other regulated industries. For comparison, in 2019, the US federal budget allocated $15 billion for cybersecurity-related activities, an increase of 4.1 percent above the FY 2018[1]. However, healthcare averaged at only 5% of budget spent on security.

A recent survey from the Healthcare Information and Management Systems Society (HIMSS) has, however, found good news in terms of budget for cybersecurity. In their 2019 report, “HIMSS Cybersecurity Survey,” they state that “Many positive advances are occurring in healthcare cybersecurity practices and healthcare organizations appear to be allocating more of their information technology (“IT”) budgets to cybersecurity.”

While spending on cybersecurity is much like purchasing insurance, the changing tide of increased cybersecurity threats targeting the healthcare sector is slowly resulting in attitude changes and increased budgets. This perspective can be catastrophically short-sighted in the long term. A recent Ponemon Institute study found healthcare data breaches increased by five percent in the past year and the cost of the exposed data was $429 per record.

Correcting human error and unintentional insider threats

Many healthcare security incidents result from preventable human error. In its annual study of healthcare data privacy and security, Ponemon Institute reported most medical identity theft is preventable through employee security awareness training. The report highlighted that increased staff training, coupled with hiring more skilled IT security practitioners, could significantly contribute to improved cyber defense.

The 2019 Data Breach Investigation Report (DBIR), points out that in healthcare, more often than in other industries, security breaches take the form of the following:

  • Privilege misuse
  • Lost or stolen assets
  • Web application attacks

The report also identified that insider incidents, both malicious and accidental, are more common than external attacks.

The danger of mistakes

A 2019 report by Egress found that 79 percent of IT leaders said that employees had accidentally placed sensitive data at risk of exposure. And, 60 percent believe they will suffer an accidental data breach in the next 12 months.

Examples of accidental PHI exposure are included in Table 1 below, “Human Error & PHI Disclosure”

Mistake Example
Losing or not securing devices holding sensitive medical data Leaving a personal laptop at a restaurant or inserting an infected USB into a device
Not following appropriate security standards Using weak passwords on devices
Inappropriate publishing of private information Sharing information about a patient’s treatment or prognosis with a friend or family member who has no legal right to the information
Sending health data to the wrong individual CC’ing an inappropriate person on an email or discharging a patient with instructions for another patient
Breaching a patient’s privacy simply out of curiosity Viewing medical records of a well-known patient and later sharing this information in the cafeteria
Retaining confidential information after resigning from a job Selling work-related backups to someone who has no right to view the sensitive data
Misusing privileges Giving inappropriate system access to someone to get a job done quickly

Ransomware

According to Comparitech, there have been 172 individual ransomware attacks on US healthcare organizations since 2016; the costs to the industry are around $157 million. Of those affected, 74 percent were either hospitals or clinics. Because these critical-care facilities rely on 24/7 access to medical records to serve their patients, they are more likely to pay a ransom. This makes medical facilities a prime target for ransomware attacks.

The majority of ransomware incidents result from unintentional sharing of information or stolen assets. Victims are usually infected with ransomware through phishing attacks and malvertising, and they are largely successful because their victims are not aware of how these attack methods work.

Vulnerability to “classic” attacks

“Classic” attack vectors continue to be prevalent. A 2019 report into cybersecurity attack types in healthcare by Malwarebytes found the following methods were most often used:

  • Vulnerabilities in third-party vendor software, exploiting known vulnerabilities that are unpatched
  • Social engineering tactics such as phishing and spearphishing to deliver malicious emails, attachments and links[2]

These findings show users are as vulnerable as ever and cybercriminals exploit vulnerabilities in both users and software.

Fortunately, security awareness training and attack simulations can teach employees how to recognize common threats like phishing and link manipulation.

Combating intentional insider threats

Intentional insider threats continue to plague the healthcare industry. In their report on insider threats, Verizon found that 46 percent of healthcare organizations were affected by insider threats.[3] Intentional insider threats are some of the most difficult to detect and mitigate. The report found that malicious insiders may be “coerced, recruited, or bribed” into stealing data on behalf of cybercriminals.

Other insider motives include malicious attacks and grudges, especially in the case of disgruntled employees. And the wider hospital network, including smaller facilities which offer assisted care, are not immune to insider breaches. Earlier this year, an employee at a facility in Maryland used his privileged network access to steal patient data. He then used the data to fraudulently obtain credit cards. This was carried out over a two-year period before it was detected.

Lack of executive leadership

Many healthcare providers still do not have a dedicated executive leader assigned to security. A 2019 HIMSS leadership and workforce survey showed that half of non-acute providers do not employ an information and technology leader, such as a Chief Information Security Officer (CISO).[4]

This is on par with other industries. ISACA’s 2020 State of Cyber Security study found that 62 percent of respondents said their cybersecurity team was “understaffed”. Compounding the issue was a lack of qualifications; 70% of those interviewed stated that less than half of security candidates were well qualified to do the job. How effective a CISO can be with a lack of qualified staff remains to be seen.[5]

Managing endpoint security

The use of connected medical devices in healthcare has grown dramatically, further increasing the industry’s vulnerability to outside attack.

In a recent Nuix survey of 70 professional hackers and penetration testers, just 36 percent of participants identified endpoint security as an effective hacking countermeasure. Twenty-two percent of these white-hat hackers boasted “no security countermeasures could stop them and that a full compromise was only a matter of time.”

Healthcare facilities with cybersecurity budgetary constraints should consider professional assistance from an outside partner to thwart cyber-attacks on connected devices.

Third- and fourth-party security risks

Many healthcare providers outsource services such as catering, payroll and web development to third-party vendors. These vendors often have access to sensitive information, which can be more vulnerable to attack outside the organization — particularly if the healthcare provider doesn’t have full visibility on how a vendor manages security.

In 2019, 54 percent of PHI breaches experienced in the healthcare sector originated because of poor risk assessment across the vendor ecosystem. The average breach of this nature costs a healthcare organization $2.75 million.

Recently, the Australian Red Cross hired Precedent Communications for website development and database management. A Precedent employee working on the project backed up a database file containing donor information and inadvertently saved it to a public-facing web server. The server was subsequently hacked, exposing the records of 550,000 prospective blood donors.

Fourth-party risk management is also emerging as a new area of concern for healthcare organizations using vendor services, who then in turn outsource to fourth-party vendors. The danger of fourth-party risk is closely linked to IoT and the increasing use of connected devices. Healthcare executives must understand they have little, if any, control over data that leaves their networks.

The Health Insurance Portability and Accountability Act (HIPAA) applies to virtually all businesses and organizations in the healthcare sector and their partners, even if those partners are not technically involved in healthcare in any way. For instance, data clearinghouses that store patient information are as equally bound to HIPAA security awareness compliance requirements as hospitals or doctors’ offices.

HIPAA requires implementation of a program that ensures security awareness and training for all staff members of the organization. It also requires organizations:

  • Implement specific procedures to detect or prevent security violations
  • Undertake a risk analysis to determine potential vulnerabilities
  • Ensure adequate security steps have been taken to reduce risk
  • Create a sanction policy to deal with staff members who fail to comply with related policies and procedures
  • Ensure information system activity records are regularly reviewed

Simply put, healthcare organizations must have a robust security awareness and training program in place, and everyone within the organization must complete the training. This includes executives and management.

HIPAA is just one example of the many compliance regulations impacting healthcare. In addition to other regulations like PCI DSS, each state also has its own overlapping set of laws and rules applicable to the industry.

Mitigating security threats with security awareness training

Security awareness training is a prerequisite for many security standards, including HIPAA. However, an effective security awareness program also adds considerable value to healthcare providers’ overall security strategy. The human element is often the primary cause of many data breaches through simple mistakes like downloading malware. By teaching healthcare employees how to detect cyber threats, they will be better equipped to prevent data breaches and keep patient data secure.

According to Verizon’s 2019 Data Breach Investigations Report, 81% of breaches in healthcare were caused by miscellaneous errors, privilege misuse, and web applications vulnerabilities. Other findings include:

  • 33 percent of all breaches leveraged social attacks
  • 32 percent of beaches were due to phishing
  • 69 percent were carried out by external attackers
  • 29 percent used stolen credentials

Criminals have humanized their hacking methods — and as the data shows, it’s working. By exploiting common drivers of human behavior like eagerness, distraction, curiosity and uncertainty, hackers can easily convince uninformed users to share sensitive data or install malware. With so many security risks stemming from human behavior, awareness training for healthcare employees can be an effective tool in the prevention, detection and early reporting of security breaches.

Getting executive buy-in for security awareness training

Cybersecurity today is the responsibility of a broad range of C-level executives — CFOs, CTOs, CEOs and COOs — who report directly to the organization’s board of directors and other stakeholders. Once these leaders reach C-suite level, technical expertise matters less than leadership and business skills. They now have more influence, wider-ranging privileges, better access to resources, more autonomy and more support from senior leadership. This suite of movers and shakers has the ability to leverage specialized skills in focus areas, like security awareness.

Executives must not only understand how security incidents can negatively affect their organization’s bottom line, but also how awareness training can help add value in the form of client trust and reputation. Linking security awareness and network security to these business goals will help create a culture of security and increase support for security initiatives.

Conclusion

The healthcare industry is and will remain a prime hacker target. Healthcare facilities host a plethora of valuable and marketable patient information — information that can be accessed through countless vulnerable endpoints and resold on the black market long before many breaches are detected. While regulatory and security frameworks help protect patient data, it ultimately comes down to people and processes to keep PHI secure.

A comprehensive security awareness program can help healthcare facilities combat many of the security concerns discussed in this paper. With the right resources and support from leadership, security awareness training can teach facility staff how to identify, avoid and report attacks before hacks occur. At just a fraction of the cost of a data breach, healthcare providers can leverage security awareness training to protect PHI, maintain patient trust and avoid reputational fallout from a data breach.

 

Sources

  1. Your Electronic Medical Records Could Be Worth $1000 To Hackers, Forbes
  2. Several May health data breaches took 3+ years to discover, Post-Healthcare
  3. Yes, terrorists could have hacked Dick Cheney’s heart, Washington Post
  4. 2017 HIMSS Cybersecurity Survey, HIMSS
  5. Healthcare Under Attack: 89 Percent of Organizations Experienced Data Breaches, According to New Ponemon Study, PR Newswire
  6. Verizon Data Breach Investigations Report, Verizon
  7. Sixth Annual Patient Privacy Data Security Report (paywall), Ponemon Institute
  8. Healthcare Special Edition, Beazley
  9. ICIT Ransomware Report, ICIT
  10. Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches And The Actions That Organizations Are Taking, CISCO
  11. Insider Threats at Hospitals, Infosec
  12. State of CyberSecurity, ISACA
  13. The Best Cybersecurity Investment You Can Make Is Better Training, Harvard Business Review
  14. $5.5 million HIPAA settlement shines light on the importance of audit controls, HHS
  15. Security Awareness Compliance Requirements: Understanding Regulatory Mandates, Infosec
  16. The Black Report, Nuix
  17. Red Cross Blood Service partner owns up to data breach blunder, ARN
  18. Vendor Vulnerability, Bomgar
  19. The Bottom Line – Security Awareness Training As A Revenue Generator, Infosec
  20. Charts: Must-know healthcare cybersecurity statistics, Healthcare Dive

 

 

Posted: May 1, 2020
Articles Author
Susan Morrow
View Profile

Susan has worked in the IT security sector since the early 90s; working across diverse sectors such as file encryption, digital rights management, digital signing, and online identity. Her mantra is that security is about human beings as much as it is about technology. She tweets @avocoidentity