What are some of the biggest challenges in the healthcare sector from a cybersecurity perspective?
With the pandemic sweeping the globe, healthcare organizations’ lack of preparedness in cybersecurity was extensively exploited by cybercriminals. According to the IBM Cost of a Data Breach Report 2020, a healthcare organization loses ~$7.1M per data breach, compared to the average of $3.9M in other industries! Despite being early adopters of modern technology, this sector has failed to scale up its cybersecurity practices. I’d like to focus on two key aspects here:
1) Lack of cyber awareness: Irrespective of the sector, people contribute to 90% of all global data breaches, yet merely 10% of the security budget is given to protect the human element… and this is no different in the healthcare sector. Most attacks in this sector happen through human negligence either from within or through third-party routes. A majority of the breaches in this sector have occurred as a result of phishing, ransomware and/or poor email hygiene! Ransomware attacks on healthcare organizations alone are predicted to surge 5x in 2021, according to a report from Cybersecurity Ventures.
2) Unsecured technology: System glitches and connected medical devices are a huge source of vulnerabilities and account for 23% of all data breaches in healthcare. An average hospital room has about 15-20 connected devices. Cybercrime in this sector means higher stakes: it isn’t just financial losses; human lives are at risk. In one instance in 2017, over half a million pacemakers needed a firmware update to protect users from hackers controlling the pace, depleting batteries, and allowing connections to the device through Wi-Fi! Today, more than 60% of devices in the healthcare sector do not receive software patches or hardware support because they’re too old! Conficker, a computer worm that exploits weaknesses in early versions of Microsoft Windows, was first detected in 2008. It vanished in early 2009, but in healthcare it was seen over and over again because of legacy systems, especially in Radiology and Imaging, which link to patient data through Electronic Health Record software.
How are the various healthcare players dealing with cyberattacks right now?
The healthcare sector has been predominantly focused on looking at security through a compliance lens. However, with attack vectors increasing and the rapid adoption of digital technologies, the healthcare sector has been caught unprepared. A prime instance of such an event is the University of Vermont Health Network cyberattack in October 2020. The severity and extent of the attack were so great that they had to deploy the Army National Guard’s Cyber Response to help with recovery efforts!
In my recent conversation with a CISO of a healthcare company, they revealed that the biggest challenge facing the business from a security perspective is the lack of visibility and consistency across people, policies, technology and third-party vulnerabilities. Organizations in this sector are looking at solutions that can help them with a consistent and real-time view of key assets.
The trend, as in rendering patient care, is shifting from reacting to diseases (in this case, cyberattacks) to preventing them. Proactively mitigating cyber risks in the healthcare sector is paramount, and organizations are looking at real-time risk measurement to know how likely they are to be breached in the coming twelve months and what the dollar-value impact of that would be. Rather than having a half-baked, subjective interpretation of cybersecurity that is laced with IT jargon, this sector is moving towards objective, unbiased visibility and reporting of cyber risks, much like they do for patient care!
Why are we seeing an increase in cyberattacks in the healthcare sector?
Cybercriminals choose the path of least resistance and highest returns. While PII such as credit card information or Social Security numbers is sensitive, it can be changed; PHI, once leaked, cannot be altered, making it a lucrative form of blackmail. On the deep and dark web, PII sells for about $1-2, whereas PHI sells for a couple of hundred dollars! Healthcare is also a sector where most individuals don’t take risks, making them more susceptible to simple social engineering scams or phishing attacks. Weak or shared passwords, poor cyber hygiene, absence of 2FA on systems or devices, and unmonitored privileged access for vendors make it a hacker’s paradise. This has only intensified due to the pandemic, which drove telemedicine and other digital cloud advancements in a sector that was already being over-exploited. The Magellan Health breach is a perfect example here. By leveraging a social engineering phishing scheme that impersonated a Magellan client, the attackers were able to gain access to the system five days before the ransomware attack, which ultimately put ~365K patients’ records at risk!
What are some of the weakest links in the healthcare industry’s cybersecurity practices or initiatives?
Healthcare is a potpourri of everything vulnerable in cybersecurity! From staff that are not cyber-aware to legacy systems without patches, from cutting-edge IoMT devices without adequate air-gapping to unsecured third parties! However, if I had to narrow it down to just one aspect that this sector needs to drill down into, I’d say the people. Medical and non-medical staff tend to be time-bound while reading/receiving documents on their devices, for obvious reasons. This reflex of ‘clicking without considering security’ is what is being leveraged by cybercriminals.
Most cybersecurity concerns in this sector find their origin in human error, be it accidentally sharing confidential PHI through an email or a lost/misplaced device with patient records. Ransomware has been the biggest threat to this sector in the past year, accounting for more than 45% of cyberattacks against healthcare. Large corporations like Garmin and Universal Health Services fell prey to carefully crafted social engineering ransomware attacks in 2020. Recently, UHS has been fined $67 million in relation to the Ryuk ransomware attack across its 400 centres! They tend to focus less on negligence and more on cybersecurity ‘awareness’ training. In a sector that is entrenched in quick and confidential data sharing through collaboration tools, the solution can no longer be siloed within one-time training sessions and needs to begin re-engineering that reflex.
How important is protecting the supply chain in the healthcare industry?
There is an average of 1,300 vendors per healthcare organization, according to a Ponemon Institute survey. This sector depends on third parties and on the integrity of supply-chain cybersecurity for medical supplies, technology support, maintenance of devices, software upgrades, and even storing patient information through Hospital Information software and electronic records. The collapse of even one pillar would lead to a domino effect crippling the entire organization. The recent SolarWinds event, which directly affected the National Institutes of Health and indirectly affected any organization using the relevant software, has magnified how interconnected our networks have become; while interdependency improves efficiency, security by design must always come at the top of all priorities.
What are the solutions/practices that the healthcare industry should adopt in order to better its cyber risk posture?
In this sector, it is often the CIO who also plays the role of CISO. For an individual juggling multiple responsibilities, cybersecurity needs to be presented in a structured yet simplified manner. It must allow granularity when required and provide a bird’s-eye view at the same time. They need to measure the effectiveness of what’s working and what’s not in their current enterprise cybersecurity strategy. This sector requires directed spending on cybersecurity that streamlines investments going beyond compliance. While compliance is the bedrock of cybersecurity for this sector, it doesn’t consider the efficacy of these requirements in an enterprise’s individual business structure. Unlike the IT/ITeS sector, where technology is more important, or the fintech industry, where the crown jewels hold priority, healthcare is a unique industry that demands equal attention to every aspect of an enterprise. Organizations in this sector need to look at solutions that provide real-time visibility into people, policies, technology and third-party vendors across on-prem, cloud and hybrid work environments.