The Evolution of Cybersecurity and Risk Management in the Healthcare Industry

2015 was a wake up call for the healthcare industry. It was the year of the healthcare breach, and across dozens of attacks, over 100M records were breached. It showed healthcare organizations that not only were they at risk of attacks, but malicious attackers were beginning to pay attention to these companies and looking to exploit them.

This was supposed to spur healthcare organizations to address their cybersecurity risks and make meaningful investments in their own security posture. However, seven years after the year of the healthcare breach and things are, arguably, worse. In 2021, the number of healthcare breaches hit an all-time high, affecting 45M people.

Healthcare companies continue to be targeted and too many organizations have not adapted to the shifts in risk and cybersecurity. In many cases, it’s a result of a lack of resources and a lack of understanding.

We’ll show you how healthcare companies can address these new risks and improve their cyber resilience in the face of increased attacks.

Healthcare organizations’ attack surface is changing

There are several environmental shifts within healthcare that have resulted in increased risk and a larger attack surface that’s difficult to address and secure. This includes:

Use of cloud-based infrastructure

As has been the case with nearly every organization across all industries, healthcare companies have partnered with various cloud-based vendors to provide all kinds of services and solutions, and even provide infrastructure services. By 2027, the cloud computing healthcare market is supposed to reach $90.46B by 2027, a huge increase from $20.9B in 2020. This displaces the organizations’ data location from on-premise to the cloud, which requires different technology, processes, and actions to properly secure it.

Without the right security controls in place, the risk of a breach or accidental exposure is significant.

Internet of Things and connected medical devices

As medical technology advances, healthcare companies have significantly increased their investments in the Internet of Things (IoT) as well as connected medical devices. However, this has also increased the number of endpoints and devices that are connected to a company’s environment, adding more access points that a malicious hacker could exploit. Connected medical devices have also been known to be inherently vulnerable and risky, with hardcoded passwords and minimal security controls in place.

Digital transformation

This speaks to a broader trend where healthcare organizations are increasingly turning to digital services, solutions, and even digitizing their files and offerings. The explosion of telehealth and increased use of electronic protected health information is a good example. However, not only does this create more opportunities for malicious hackers to intercept and access sensitive data, it also requires healthcare companies to deal with new compliance guidelines and regulatory scrutiny.

The result? More attacks and exploits

Despite the fact that healthcare is facing more risk as a result of these environment shifts, cybersecurity investment has not kept up. Budgets and resource allocation have not changed to properly address this new risk which results in sub-optimal cyber resilience. A study found that only 5% of healthcare companies’ IT budget is dedicated to cybersecurity.

It’s no surprise that healthcare organizations are facing attacks at an accelerated rate. For example, a file transfer service had a zero-day vulnerability that led to 11 healthcare organizations being breached, resulting in 3.5M records exposed.

Malicious hackers are evolving, becoming more threatening

Over the last few years, healthcare organizations have faced an increased number of attacks. This coincides with the fact that these companies are more vulnerable but also with the fact that malicious hackers are ramping up their targeting and evolving their methods.

Ransomware continues to increase

Ransomware has increased dramatically in just a few short years and healthcare companies have seen an increase of 94% in ransomware targeting them. This increase has been fueled by the pandemic as well as a shift in ransomware strategies. Organizations are focusing more on high-value targets and organizations who are more likely to pay (like healthcare companies) and also deploying ransomware as part of more embedded attacks, even resorting to double or triple extortion ransomware attacks. Lastly, the rise of Ransomware as a Service has made ransomware attacks much more profitable and successful.

In 2021, Capture Rx was hit with a ransomware attack that led to a class action lawsuit after nearly 2M records were exposed. The settlement cost CaptureRx over $4.5M.

Attackers are exploiting new technology and environments

Attackers are also targeting the cloud-based environments of the healthcare organizations as well as connected medical devices and IoT devices. A survey found that 82% of healthcare organizations were hit with an IoT-focused attack in 2019. These attacks can get quite expensive, with data breach costs for healthcare companies reaching an all-time high of $10M.

Malicious actors know that healthcare organizations have implemented these new technologies without much regard to security and it doesn’t look like they’re relenting their attacks anytime soon.

New HIPAA compliance rules require attention

Since the pandemic, more and more healthcare companies have shifted towards telehealth and are storing records digitally, which require more maintenance in order to maintain compliance and avoid regulatory scrutiny.

The last major update to HIPAA rules was in 2013, where the HITECH Act expanded HIPAA rules and enforcement to address the increase in digital health offerings, electronic PHI, and ensure health information was kept secure and private even in secure environments. Smaller updates in 2020 and 2021 were released and designed to improve cybersecurity and facilitate a secure transfer of digital health records and communication.

However, a notice of proposed rule-making was introduced in 2020, with the expectation that a final rule would be set in 2022.

Earlier in 2022, the US Department of Health and Human Services issued guidance on behalf of HIPAA and OCR to promote a stronger cybersecurity posture for healthcare organizations. However, healthcare organizations are still waiting for the final rule to be published. Based on the notice of proposed rulemaking, healthcare organizations may have to update their HIPAA training strategy, improve access to ePHI while also maintaining a high level of security, and have an infrastructure that allows for digital health records to flow between patients and other healthcare organizations in a secure manner.

The adoption of digital records and increasing digital services and environments require an updated risk management approach. Not only should organizations look for ways to improve their cyber resilience but they should consider refreshing their entire data privacy and protection strategy to accommodate these new threats, risks, and compliance requirements.

Healthcare organizations should consider a cybersecurity partner

Solving the issue of not having enough cybersecurity while addressing an increasingly complex environment is difficult. Healthcare organizations simply lack many of the resources, budget, and expertise to create an in-house department that will scale with the organization. There’s already a talent shortage and even if the hiring process starts today, a company’s cybersecurity strategy may not be in place for at least another year.

We recommend healthcare organizations consider managed detection services, or MDR. This is an outsourced solution where a cybersecurity partner serves as a security operations center or provides its own technology to help organizations detect and respond to threats.

This requires less of an investment and the MDR partner can scale with the organization as it grows. Operationally, it’s simpler and will be easier to make the case for compared to a full-fledged internal cybersecurity team. It will also result in faster time to cybersecurity as many MDR partners are equipped to onboard and integrate with companies rapidly.