According to a recent update from the International Monetary Fund (IMF), cyberattacks have more than doubled in volume since the pandemic. The financial toll they have taken has also grown dramatically with “extreme” financial losses more than quadrupling since 2017.

In healthcare, cyberattacks are particularly frequent. That’s because the industry possesses valuable data hackers can steal and sell on the black market, use for medical ID theft, or blackmail patients or health systems. The attack surface in healthcare is broad, encompassing an array of equipment, devices, and apps, often underpinned by legacy technology. The resulting vulnerability makes it easy for bad actors to penetrate networks.

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reported ransomware and hacking as the foremost cyber threats in healthcare. Over the past five years, there has been a 264% increase in ransomware attacks, with large-scale breaches climbing 256%. The tactic used most is phishing. In this scenario, a hacker sends out emails hoping a recipient will click on the link or file they contain, giving the hacker a way into the recipient’s network and the opportunity to launch a ransomware attack.

You only have to go back a few months to see how great the damage can be. In February, UnitedHealth saw one of its entities, Change Healthcare, become a ransomware victim. At the close of Q1, the cost of cleaning up from the attack was $872 million and growing, with the total expected to top $1 billion. This doesn’t address the hit its reputation has taken, the impact it had on the availability of prescription drugs for hospitals and pharmacies, and how the attack kept hundreds of providers from processing insurance approvals.

Without question, the frequency of these attacks will continue to increase. Still, while there’s not a lot a healthcare organization can do to prevent being targeted, hackers can be stopped and disaster avoided through strong cyber resilience and by ensuring employees are knowledgeable about potential risks.

Educating employees

In general, the infrastructure of healthcare organizations lags behind other industries, which makes handling today’s cyber threats especially challenging. There are so many ways for a hacker to gain access to a network and its data, but the path of least resistance is still the employee who clicks first and asks questions later.

That said, healthcare entities must ensure employees know how to recognize and handle cyber threats. Educational programs are a must, particularly as part of onboarding a new employee. Some organizations’ IT departments will also send suspicious-looking emails to identify employees who need additional training. Remember, though, threats evolve and new tactics emerge, so efforts to educate employees should be ongoing.

Divisive devices

Most employees are given company computers and devices, allowing secure settings to be implemented by their IT department. With this in mind, healthcare organizations should limit access and logins to only those devices; personal ones are easier to exploit. Controlling security settings is particularly critical when it comes to remote employees. That’s because security is often weaker at home due to the use of older technology and issues such as missed updates.

Healthcare’s increasing use of IoT devices raises additional cybersecurity concerns. Most IoT devices become static over time, so patches and security updates must be automated or handled by end users. Failing to update a device to protect against threats is especially dangerous. For instance, if a hacker gets control over a smart medical device linked to high-care settings, patient safety could be jeopardized by a distributed denial-of-service (DDoS) attack that keeps them from valuable online services.

The right path

Healthcare organizations need to ensure their systems are secure and access is stringently controlled. Depending on the type of information, leveraging partners, vendors, and apps accustomed to managing high volumes of data can be useful. With the Change Healthcare breach, alternative and redundant systems mitigated the attack’s impact. For those sending information through Change, the re-routing of information to another vendor or different endpoint helped lessen glitches in revenue, workflows, and access to patient claims for processing.

Automation and direct routing integrations can prevent harm to a healthcare ecosystem by quickly redirecting enrollments and processing. This stops further financial loss while preventing delays in areas from surgery estimates to prescription refills.

The Change Healthcare instance punctuates the need for redundancy via alternate data pathways within a system. Infrastructure, pathways, and partnerships needed to move operations information must be evaluated. It also clearly shows that while placing all your trust in a single technology basket may offer immediate cost savings, it can create a chokepoint that severely hampers response during an attack.

Vigilant and resilient

The threat landscape in healthcare remains relatively the same when it comes to how hackers gain access to data. The frequency of attacks, however, is constantly rising. As mentioned, there are two particular areas hackers will continue to target for the foreseeable future: employees who are too quick to click, and connected medical devices lacking security patches and updated settings.

Regarding the latter, can you imagine the chaos hackers could unleash by controlling monitoring tools, ventilators, and smart medical devices connected to an actual patient? Healthcare organizations must be vigilant, their employees trained, and their systems resilient if they want to beat the bad guys and maintain their business.

ABOUT THE AUTHOR

Eric Demers

Eric Demers is the CEO of Madaket Health. He believes we can transform healthcare delivery through the power of data and interoperability. With more than 25 years of global healthcare experience, Demers has built and scaled leading technology and service companies, from early stage to Fortune 100. He is highly sought-after for speaking and consulting on international health, having advised global entities and governments on critical issues facing healthcare. A growth-minded leader, Demers has founded three companies and exited two. He previously served in strategy-focused executive roles at IBM, Accreon, MEDecision and Orion Health. Demers is a graduate of Brandeis University and The George Washington University School of Medicine and Health Sciences.
