Few industries today are faced with as many cyber security threats as the healthcare sector. Patient data is among the most sensitive information in the digital ecosystem, and cyber criminals are often looking to leverage these resources for profit.
As a result, healthcare institutions are frequent targets for attack. Indeed, according to a survey conducted early in 2018 by HIMSS, a non-profit global advisory organization supporting the transformation of health through the application of information and technology, most healthcare organizations had experienced a significant security incident in the previous 12 months.
HIMSS surveyed 239 healthcare executives and cyber security experts between December 2017 and January 2018 and found that three quarters had experienced a recent significant security incident, according to an article posted by HIPAA Journal in March 2018.
Of those that experienced an incident, 96% were able to characterize the threat actor responsible for the attacks, with the top three being online scam artists such as phishers (38%), negligent insiders (21%), and hackers (20%).
More than 60% of the respondents said email was the main initial point of compromise in the attacks. In second place were “other” avenues of attack, including compromised customer networks, Web application attacks, guessed passwords, misconfigured software/cloud services, and human error.
Another 12% said they did not know how the attackers gained access to their networks or data. In most of the cases (68%), incidents were discovered internally (41% by security teams and 28% by non-security personnel).
The HIMSS research indicated that data breaches in the industry were less severe than the year before, a sign that cyber security in healthcare is improving. A majority of the survey respondents (84%) said more resources were being used to address cyber security, with a mere 3% saying resources had decreased year over year. And most of the organizations now employ a senior information security leader.
More than half (56%) said a dedicated or defined amount of the current budget was allocated for cyber security, while about one quarter said there was no specific budget for cyber security but money was being spent as needed or could be requested.
Despite the positive developments, there’s still plenty of room for further cyber security improvement in the industry, according to HIMSS. The organization says that, compared with other industries, healthcare cyber security programs lack maturity, and security programs have typically been running for only five or fewer years.
The need for stronger security in the sector was also brought home in a June 2018 report from cyber security advisory firm Coalfire. In a study noting that mid-sized businesses are benefitting from a security sweet spot that has allowed them to outperform their larger competitors, the firm said healthcare had the worst external security posture of the industries studied.
Meanwhile, the industry continues to be plagued by security threats. According to a March 2018 article in CSO, healthcare organizations tend to have a number of different systems that are not patched regularly, and the critical nature of what healthcare organizations do puts them on the radar of attackers.
The article described the five biggest healthcare security threats for 2018:
- Ransomware. Many of the top breaches in healthcare are ransomware attacks. Criminals assume ransomware attacks are more likely to succeed because hospitals, medical practices, and other healthcare providers will put lives at risk if they can’t access patient records, the article noted. Providers therefore feel compelled to take immediate action and pay the ransom rather than go through a long recovery process from backups.
- Theft of patient data. Healthcare data can be more valuable than financial data to cyber criminals, the article noted. Hackers can use the data from identification cards and other medical data to get government documents such as driver licenses. Healthcare records are worth a lot because they aggregate lots of information in a single place.
- Insider threats. The article cited the Verizon Protected Health Information Data Breach Report, which noted that more than half of all the threat actors responsible for breaches at surveyed healthcare providers were insiders. Financial gain was the main motivation for internal threats. A significant share of insider breaches are motivated by fun or curiosity. The number of different systems within a healthcare organization is also a factor.
- Phishing. This is the most popular tactic for attackers to gain entry to a system, the article noted. It can be used to install ransomware, cryptomining scripts, spyware, or code to steal data. It said healthcare organizations with 250 to 1,000 employees that have not received security awareness training have a 28% chance of falling victim to a phishing attempt.
- Cryptojacking. The article noted that the clandestine hijacking of systems to mine cryptocurrencies is a growing problem across all industries. But systems used in healthcare are particularly attractive targets because it’s critical to keep them running. The longer a system runs, the more the criminal can make mining cryptocurrencies, it said.