Cybersecurity Snapshots #31 - Healthcare Organizations Are Being Inundated With Cyberattacks

Cybersecurity Snapshots #31 -

Healthcare Organizations Are Being Inundated With Cyberattacks

Attackers have realized hospitals are prime targets for cyberattacks, so healthcare leaders must prioritize protecting their systems. In 2021, healthcare organizations were inundated with cyberattacks, and they can expect more to come. The U.S. Department of Health and Human Services keeps track of cyberattacks and breaches at healthcare providers. According to the department, in 2021, there were 618 breaches, with each data breach affecting at least 500 patients. According to a new study by IBM, the cost of a typical healthcare breach rose to an average of $9.4 million in 2021, an increase of $2 million over the previous year. The average ransomware attack on healthcare costs $4.6 million per incident. In 2022 all healthcare organizations and hospitals are at risk. In November 2021, Matt Georgy, a chief healthcare executive, stated that small and mid-size hospitals and healthcare systems typically have fewer resources to defend critical systems, with smaller staffs and budgets to defend against cyberattacks. Larger hospitals and health networks are also at risk because they offer many more entry points for attackers to find vulnerabilities. Their attack footprint is massive. Cybersecurity attacks aren't just costly to healthcare systems. They're hurting patient care. In November 2020, a Healthcare Information and Management Systems Society (HIMSS) survey shed more light on the toll cyberattacks are taking on healthcare. Most participants (61%) indicated that a cyberattack disrupted non-emergency clinical care. And 28% of respondents reported those attacks disrupted emergency services. In just the first six months of 2022 there have been over 10 documented cyberattacks on healthcare systems affecting well over three million patients. The affected healthcare systems included healthcare providers, medical practices, hospitals, and clinics, and were across the United States. In addition to putting patents' health at risk, the data breaches also led to identity theft and compromise of medical information.

Security researchers have found that adversaries are going after two primary objectives: disruption and data. First, attackers are looking to disrupt healthcare operations. Healthcare providers aren't like other businesses that can take their time if a system is compromised. If a hospital can't access its records or its ability to serve patients is compromised, that's a massive problem. While many threat actors are mainly concerned with disrupting services, some are going after the data in healthcare systems. Researchers noted that in some breaches, attackers have taken the data first and then deployed the ransomware into the organization. In such cases, attackers tell the healthcare organization to pay a ransom, and they can get the data back, and if they don't pay, they'll detonate the ransomware and lock up their computer systems. Mac McMillan, the founder of CynsergisTek states that he thinks we will continue to see more ransomware attacks on the healthcare sector and that they will get more complex and harder to deal with. Leon Lerman, CEO of Cynerio, stated that in the future, he expects to see an increase in both the sheer number of attacks on hospitals as well as severity.

Healthcare organizations aren't investing enough in bolstering their defenses against cyberattacks currently. McMillan stated that adversaries have figured out healthcare is a lucrative target that is more susceptible to disruption than other sectors because they haven't made the investments others have made. Some sectors put 10-15% of their information technology budgets toward cybersecurity. Healthcare organizations, on the other hand, typically spend 6% or less of their IT budgets on cybersecurity, according to the HIMSS survey. Cybersecurity experts say hospitals can improve their defenses with simple measures, including training staff to ensure all employees understand the gravity of breaches to healthcare systems. Other steps such as using two-factor authentication to access systems can help. Georgy stressed the importance of policies instructing workers to frequently change passwords and use passwords that aren't easy to guess. Currently, healthcare systems are developing more Application Programming Interfaces (APIs), the tools needed to exchange records and data. McMillan said APIs should be thoroughly tested before being put into the healthcare systems. McMillan noted that in most cases, it's just as easy to develop them securely as it is to develop them insecurely. Researchers suggest that hospital systems need to invest in defenses such as privileged access management tools to limit the ability of attackers to gain access to passwords or other sensitive data. McMillan noted that as hospitals invest in more security systems, they also need to have someone tracking those systems. Healthcare systems sometimes install monitoring systems to detect breaches, but they don't have personnel actively watching those systems. Cybersecurity experts also stress the need for keeping some segmentation in their systems so that a breach can be contained. Lerman noted that it is critical for hospitals to have proactive response strategies in place to prevent attacks and ensure continuity of care in the event of an attack. Lerman also stated that more government intervention is needed "to ensure hospitals are prepared with the tools they need to address the evolving threat landscape in healthcare." In the future, healthcare organizations must prioritize strengthening their cybersecurity because it could be the difference between life or death for some patients.