In 2022, the healthcare industry set a record no one will be eager to break.
While this is welcome news, the size and scope of cyber attacks impacting this industry offer troubling signs that those dollars aren’t being used effectively by healthcare organizations.
According to HIPAA Journal, hacking and IT incidents at healthcare organizations resulted in the theft and/or exposure of nearly 44 million records in 2022 alone. Nearly two-thirds of healthcare organizations globally have experienced a cyber attack in their lifetime, and 98% of healthcare organizations work with a vendor who has already experienced a cyber attack.
With sensitive patient records at stake, healthcare organizations must do everything they can to protect this information while adhering to government regulations.
Why Healthcare Organizations Are Being Breached
So, why healthcare? Why is this industry setting cyber attack records when the financial industry moves more money and breaches on other critical infrastructure industries like utilities can have a more painful impact?
There are five major reasons why the healthcare industry is so prone to breaches. IT and security leaders working for hospitals, clinics, nursing homes, and other healthcare providers need to know them, and how to address them.
Expanding Attack Surfaces
When HIPAA was established in 1996, there were no smartphones or wirelessly connected medical devices, and very few care providers stored health data electronically. Today, medical professionals capture ePHI via handheld devices, collect biometric data through wearables, and see patients virtually.
The quest to improve patient care and provide adequate physical security to facilities, equipment, and records has resulted in an increasingly complicated IT landscape, making the challenge of protecting patient data even more difficult.
Take the cloud, for instance. While there is no doubt that the cloud’s ability to connect data across the continuum of care is dramatically improving healthcare, the resulting web of interconnected systems and endpoints complicates security and compliance efforts. It’s estimated that electronic health record (EHR) systems handle more than 2.5 million requests per day per healthcare organization. This is a staggering number of access requests, potentially coming from anywhere in the world — and every single one must be safeguarded against exploitation.
Too Many Assets, and No Way to Protect Them
The ongoing digital revolution has spawned an entire ecosystem of interconnected medical devices across a sprawling distribution of locations. As endpoints and access points continue to grow, a scarcity of cohesive inventory management are major security and IT challenges for all organizations. This can be especially difficult in healthcare, however, where IT teams control the network, but individual medical departments purchase and maintain their own medical devices. That gives hackers opportunities to access healthcare networks via unpatched medical devices and then steal patient records from internal systems.
Legacy systems and complicated IT infrastructures frequently leave vulnerabilities open for attackers to exploit. Data breaches can shut down hospitals, which directly impacts patient care, and has even been shown to increase the number of fatal heart attacks in the U.S.
Security teams within healthcare organizations need a solid, well-implemented strategy for inventory and control of all their hardware and software assets to not only protect patient and organizational data, but also help them take care of those in need.
Security Talent Shortage
Organizations in the healthcare industry store tremendous amounts of protected health information (PHI). This data can be exploited or held “hostage” in increasingly prevalent ransomware attacks. By accessing patient-critical information and then withholding it from the provider, hackers threaten the operations and security of healthcare organizations and the privacy and safety of their patients. To combat this threat, they need 24×7 uninterrupted access to their systems to properly care for patients.
Yet recent estimates reveal that there are only enough cybersecurity workers in the United States to fill 68% of the cybersecurity jobs that employers demand. We’ve discovered that 32% of global organizations have difficulty hiring and retaining staff, and 36% of organizations feel their current staff lacks the necessary expertise. In an incredibly competitive job market, healthcare organizations are at a distinct disadvantage, as they must often divert salary and budget towards securing the best healthcare providers, leaving their IT departments all but incapable of the 24×7 monitoring, detection, and threat response required to protect an organization from modern cyber attacks.
Employee Error
While they have the best of intentions, people often use shortcuts to work more efficiently. In doing so, they frequently engage in sloppy practices — like keeping passwords on a sticky note stuck to their monitor. Creating a work culture that emphasizes cybersecurity is the best way to mitigate the risks and pitfalls that come from human error.
In Arctic Wolf’s Healthcare Cybersecurity Checklist, we outline the five principal steps that need to be undertaken to create a security-minded culture at your healthcare organization:
Regulatory Requirements
HIPAA compliance deserves its own security strategy. All healthcare providers covered by HIPAA must be ready to show how they protect sensitive personal information and how they are prepared to report any data breaches to relevant authorities.
And, as the healthcare industry’s attack surface expands, the growing number of Health Insurance Portability and Accountability Act (HIPAA) compliance requirements designed to protect patient data across that attack surface have made obtaining and maintaining compliance a constant challenge.
Complying with HIPAA’s technical and administrative rules requires complete visibility into all information systems. Achieving compliance, then, calls for a security operations center (SOC) staffed with dedicated security engineers, ones who can not only establish baseline security configurations that comply with HIPAA but can also monitor your network around the clock for noncompliant or suspicious behavior.
Be Ready for Breaches
The bottom line? Your healthcare organization falling prey to a cyber attack is not a matter of if, but when. In addition to proactive protection through 24×7 monitoring, detection, and response, you also need to create a robust incident response plan that can help you recover faster and emerge stronger.
Amidst these growing challenges, healthcare providers need a solid, well-implemented strategy for responding to a breach that will not only protect patient and organizational data, but also keep systems up and running so they can care for those in need.
It’s not enough to simply delete the threat. Instead, finding the root point of compromise, documenting what happened, and restoring business operations to pre-incident conditions are vital in every response scenario to get the healthcare organization back online and to prevent future incidents.
For a major cyber incident like those that impact the healthcare industry, a full-service incident response provider is needed to restore pre-incident business operations. The advanced skills and capabilities of these full-service IR providers go beyond containment and threat eradication to include other crucial capabilities like data and system recovery as well as forensic analysis. It’s mission-critical that healthcare organizations include an IR firm with these additional capabilities and processes when building your incident response plan.
- Download the Arctic Wolf Incident Response Data Sheet.
- Access our Incident Response Timeline for an exclusive look at how we triage, investigate, and escalate ransomware attacks.
- Learn to craft a robust incident response plan via real-world examples in our on-demand webinar.
- Discover why healthcare organizations make us their first call when experiencing a breach.
