The healthcare industry has been a major target for bad actors in recent years, who have inflicted heavy financial losses and reputational damage and put patient health at risk. Administrators have responded by bolstering cybersecurity budgets, security solution deployments, and awareness training. But much more needs to be done to stay on top of this constant threat, experts believe.
In response to a rise in security incidents that continue to put patient data at risk, the Healthcare Information and Management Systems Society (HIMSS) has introduced an annual research program to assess experiences involving cyber-attacks and data leaks in healthcare organizations across the United States. HIMSS describes itself as “a global advisor and thought leader supporting the transformation of health through information and technology.”
The 2019 HIMSS Cybersecurity Survey reveals the steps taken by healthcare organizations in light of these risks. In the report, researchers observe a pattern of cybersecurity threats and experiences across US healthcare organizations.
“Significant security incidents are a near universal experience in US healthcare organizations with many of the incidents initiated by bad actors, leveraging e-mail as a means to compromise the integrity of their targets,” HIMSS says.
Most threat actors responsible for a significant security incident were cybercriminals (either independent or state-sponsored). At the same time, a third of incidents were reported to be associated with negligent insiders, a finding echoed in similar recent studies.
Researchers believe insider risks point to the steps healthcare organizations must take to stay abreast of the situation. Specifically, HIMSS recommends educating key stakeholders on information security best practices and ensuring they apply them.
As far as hackers’ preferred point of entry is concerned, email has been found to be the attack avenue in 59% of the reported attacks on healthcare institutions. Phishing, in particular, remains a popular attack vector thanks to its efficient and cost-effective nature. HIMSS researchers explain:
“That e-mail (e.g., phishing email) continues to be the most frequently reported initial point of compromise is not surprising as phishing e-mails are inexpensive to generate and can be quite accurate in targeting recipients. E-mail can contain a wealth of information, ranging from sensitive patient information, financial information, business information, and technical information.
Online scam artists using phishing e-mails are known to masquerade themselves as a senior leader within the email recipient’s organization (e.g. CEO or CFO) and request sensitive information (e.g., credentials) or even the transfer of funds to an account accessible to the scammer.”
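The executive-impersonation pattern HIMSS describes (a display name matching a senior leader, a mailbox outside the organization, and a request for credentials or a funds transfer) can be screened for heuristically at the mail gateway. The following is an added example, not code from HIMSS or the survey; the organization domain, the executive roster and both sample messages are constructed for illustration.

```python
"""Heuristic screen for e-mails impersonating senior leaders (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

ORG_DOMAIN = "example-hospital.test"                     # assumed org domain
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}     # constructed roster
REQUEST_TERMS = re.compile(
    r"\b(wire transfer|transfer of funds|credentials|password|urgent)\b", re.I)

def impersonation_findings(raw_message: str) -> List[str]:
    """Return a list of reasons the message looks like executive impersonation.

    An empty list means none of the three heuristics fired. The checks are:
    1. From display name matches an executive but the address is not on ORG_DOMAIN.
    2. Reply-To points somewhere other than the From address.
    3. Subject or body contains credential/funds-request language.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    norm_name = " ".join(name.lower().split())          # collapse odd spacing
    findings = []
    if norm_name in EXECUTIVES and domain != ORG_DOMAIN:
        findings.append(f"display name matches {EXECUTIVES[norm_name]} "
                        f"but sender domain is '{domain or 'missing'}'")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = {m.lower() for m in REQUEST_TERMS.findall(text)}
    if hits:
        findings.append("request language: " + ", ".join(sorted(hits)))
    return findings

# Constructed sample: lookalike sender posing as the CEO and asking for a wire.
SUSPECT_MAIL = """From: Jane  Doe <jane.doe@mail-lookalike.test>
Reply-To: finance-desk@mail-lookalike.test
To: payables@example-hospital.test
Subject: Urgent request

Please process an urgent wire transfer today and keep this confidential.
"""
# Constructed sample: routine internal note from the real CEO mailbox.
LEGIT_MAIL = """From: Jane Doe <jane.doe@example-hospital.test>
To: staff@example-hospital.test
Subject: Town hall agenda

Agenda for Thursday is attached. Thanks, Jane
"""

if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_MAIL), ("legit", LEGIT_MAIL)):
        print(label, impersonation_findings(mail))
```

The heuristics are deliberately narrow; in practice they belong alongside SPF/DKIM/DMARC enforcement and a review queue rather than as an automatic block.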
While phishing remains an effective attack avenue, researchers warn that adversaries are constantly looking for alternative points of entry as administrators strengthen their information security defenses.
As noted above, human error was also found to be a significant initial point of compromise, often through the accidental posting of patient information to a public-facing website, or inadvertently leaking or breaching data.