According to a recent update from the International Monetary Fund (IMF), cyberattacks have more than doubled in volume since the pandemic. The financial toll they have taken has also grown dramatically with “extreme” financial losses more than quadrupling since 2017.
In healthcare, cyberattacks are particularly frequent. That’s because the industry possesses valuable data hackers can steal and sell on the black market, use for medical ID theft, or blackmail patients or health systems. The attack surface in healthcare is broad, encompassing an array of equipment, devices, and apps, often underpinned by legacy technology. The resulting vulnerability makes it easy for bad actors to penetrate networks.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reported ransomware and hacking as the foremost cyber threats in healthcare. Over the past five years, there has been a 264% increase in ransomware attacks with large-scale breaches climbing 256%. The tactic used most is phishing. In this scenario, a hacker sends out emails hoping a recipient will click on the link or file it contains, giving the hacker a way into their network and the opportunity to launch a ransomware attack.
You only have to go back a few months to see how great the damage can be. In February, UnitedHealth saw one of its entities, Change Healthcare, become a ransomware victim. At the close of Q1, the cost of cleaning up from the attack was $872 million and growing, the anticipated total expected to top $1 billion. This doesn’t address the hit its reputation has taken, the impact it had on the availability of prescription drugs for hospitals and pharmacies, and how the attack kept hundreds of providers from processing insurance approvals.
Without question, the frequency of these attacks will continue to increase. Still, while there’s not a lot a healthcare organization can do to prevent being targeted, hackers can be stopped and disaster avoided through strong cyber resilience and ensuring employees are knowledgeable about potential risks.
Educating employees
In general, the infrastructure of healthcare organizations lags behind other industries, which makes handling today’s cyber threats especially challenging. There are so many ways for a hacker to gain access to a network and its data, but the path of least resistance is still the employee who clicks first and asks questions later.
That said, healthcare entities must ensure employees know how to recognize and handle cyber threats. Educational programs are a must, particularly as part of onboarding a new employee. Some organizations’ IT departments will also send suspicious-looking emails to identify employees who need additional training. Remember, though, threats evolve and new tactics emerge, so efforts to educate employees should be ongoing.
Divisive devices
Most employees are given company computers and devices, allowing secure settings to be implemented by their IT department. With this in mind, healthcare organizations should limit access and logins to only those devices; personal ones are easier to exploit. Controlling security settings is particularly critical when it comes to remote employees. That’s because security is often weaker at home due to the use of older technology and issues such as missed updates.
Healthcare’s increasing use of IoT devices raises additional cybersecurity concerns. Most IoT devices become static over time, so patches and security updates must be automated or handled by end users. Failing to update a device to protect against threats is especially dangerous. For instance, if a hacker gets control over a smart medical device linked to high-care settings, patient safety could be jeopardized by a distributed denial-of-service (DDoS) attack that keeps them from valuable online services.
The right path
Healthcare organizations need to ensure their systems are secure and access is stringently controlled. Depending on the type of information, leveraging partners, vendors, and apps accustomed to managing high volumes of data can be useful. With the Change Healthcare breach, alternative and redundant systems mitigated the attack’s impact. For those sending information through Change, the re-routing of information to another vendor or different endpoint helped lessen glitches in revenue, workflows, and access to patient claims for processing.
Automation and direct routing integrations can prevent harm to a healthcare ecosystem by quickly redirecting enrollments and processing. This stops further financial loss while preventing delays in areas from surgery estimates to prescription refills.
The Change Healthcare instance punctuates the need for redundancy via alternate data pathways within a system. Infrastructure, pathways, and partnerships needed to move operations information must be evaluated. Also, this clearly shows while placing all your trust in a single technology basket may offer immediate cost savings, it can create a chokepoint that severely hampers response during an attack.
Vigilant and resilient
The threat landscape in healthcare remains relatively the same when it comes to how hackers gain access to data. The frequency of attacks, however, is constantly rising. As mentioned, there are two particular areas hackers will continue to target for the foreseeable future. This includes employees who are too quick to click and connected medical devices lacking security patches and updated settings.
Regarding the latter, can you imagine the chaos hackers could unleash by controlling monitoring tools, ventilators, and smart medical devices connected to an actual patient? Healthcare organizations must be vigilant, its employees trained, and its systems resilient if they want to beat the bad guys and maintain their business.