In a hyper-connected world, no organization is immune to cybercrime. In many respects, no sector is more vulnerable to attack than the healthcare industry. Network managers, provider administrators, and healthcare service providers are targets of relentless attack. Too often they are the least prepared.
In this article, we discuss the general landscape of network security in the healthcare sector. We then examine specific incidents to learn how to best protect against and recover from data breaches.
The Special Case of Healthcare in the Fight Against Data Breaches
It’s logical that healthcare data attracts the attention of cybercriminals. As the 2020 Healthcare Breach Report from Bitglass points out, the vast majority of healthcare providers store and process protected health information (PHI). PHI bundles Social Security numbers, financial details and, of course, health records in one place, which makes it a readily available target for cybercriminals.
According to a July 2019 article in Healthcare IT News, the healthcare industry has endured the highest cost per incident for nine years running. At an average cost of $6.5 million, the impact is “more than 60 percent higher than other industries,” according to the article.
Christopher Scott, Global Remediation Lead and CTO for IBM X-Force IRIS, told Healthcare IT News why healthcare data is a prime target for cybercriminals, pointing to the “excellent resale value” of PHI:
“Unlike passwords that can be changed or credit cards that can be reset with an expiration date,” Scott explains, “health data lasts forever and can be used for numerous malicious activities such as identity theft, insurance and health care fraud, and more.”
Understanding the value of PHI data on the black market is important, but many healthcare providers fail to act on this knowledge, leaving their networks unnecessarily vulnerable to attack.
A review of the past year bears out the challenge facing the healthcare industry in protecting its networks and sensitive data.
Equifax and Lessons (not) Learned
The well-publicized 2017 Equifax data breach exposed the personal data of nearly 148 million people and was a general wake-up call for consumers and businesses. The aftermath of that incident lingers to this day: the exposed data left individuals vulnerable to financial and identity theft, and Equifax agreed to a settlement of up to $425 million.
Even with this episode clear in recent memory, the healthcare industry remains largely unprepared to defend against cyber attack. Let’s review some examples to understand how weaknesses have been exploited recently.
Overlake Medical Center
The security breach recently reported by Washington-based Overlake Medical Center highlights what may be the oldest and simplest scam in the cybercriminal handbook: phishing.
The attack was briefly successful, gaining access through a single employee’s email account. Before it was contained, the medical records of 109,000 patients were exposed. The breach included personal and contact information, diagnosis and treatment records, and health ID and provider names.
Evergreen Life
In October 2019, the UK-based mobile healthcare app provider Evergreen Life fended off an attack that targeted the account of one senior executive. To trade on his authority, the attackers sent a fraudulent email to everyone on his contact list.
The attack was stopped before the network was accessed. Evergreen Life reports that its data segmentation kept core patient records out of the attackers’ reach.
Evergreen Life notwithstanding, phishing is among the most common types of cyberattack. Phishing is an easy way in, and once inside, the intruder decides how much damage will be done.
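The Evergreen Life and Overlake incidents above share a symptom that a mail gateway can see: a single compromised mailbox suddenly sends to far more distinct recipients than it normally does. The following is an added example (not code from the article or from any organization it names) of that detection logic run over a constructed outbound-mail log. The log format, the `example.org` addresses, the 10-minute window and the recipient threshold are all assumptions made for the demonstration; a real deployment would parse its own gateway’s log and tune the threshold against each sender’s baseline.

```python
"""Flag a mailbox that suddenly mass-mails its contact list.

Added example, not from the article or from any organization it names.
The log format and the sample lines are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, sender, one recipient per line.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+sender=(?P<sender>\S+)\s+rcpt=(?P<rcpt>\S+)$")

# Constructed sample. One executive mailbox (j.exec) sends a single message in
# the morning, then eight messages to eight distinct recipients within seconds
# in the afternoon. A newsletter mailbox legitimately sends to six recipients.
SAMPLE_LOG = """\
2019-10-14T09:02:11Z sender=j.exec@example.org rcpt=board@example.org
2019-10-14T09:05:03Z sender=nurse1@example.org rcpt=pharmacy@example.org
2019-10-14T09:30:00Z sender=newsletter@example.org rcpt=staff1@example.org
2019-10-14T09:30:01Z sender=newsletter@example.org rcpt=staff2@example.org
2019-10-14T09:30:02Z sender=newsletter@example.org rcpt=staff3@example.org
2019-10-14T09:30:03Z sender=newsletter@example.org rcpt=staff4@example.org
2019-10-14T09:30:04Z sender=newsletter@example.org rcpt=staff5@example.org
2019-10-14T09:30:05Z sender=newsletter@example.org rcpt=staff6@example.org
2019-10-14T13:41:02Z sender=j.exec@example.org rcpt=cfo@example.org
2019-10-14T13:41:02Z sender=j.exec@example.org rcpt=hr@example.org
2019-10-14T13:41:03Z sender=j.exec@example.org rcpt=it-helpdesk@example.org
2019-10-14T13:41:03Z sender=j.exec@example.org rcpt=vendor@supplier.example
2019-10-14T13:41:04Z sender=j.exec@example.org rcpt=auditor@audit.example
2019-10-14T13:41:04Z sender=j.exec@example.org rcpt=board@example.org
2019-10-14T13:41:05Z sender=j.exec@example.org rcpt=clinic-lead@example.org
2019-10-14T13:41:05Z sender=j.exec@example.org rcpt=press@example.org
2019-10-14T13:50:00Z sender=nurse1@example.org rcpt=lab@example.org
"""


def parse_log(text):
    """Return a list of (timestamp, sender, recipient); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["sender"].lower(), m["rcpt"].lower()))
    return events


def find_mass_mailers(events, window=timedelta(minutes=10), max_recipients=5, allowlist=()):
    """Return {sender: (window_start, distinct_recipients)} for every sender that
    reached more than max_recipients distinct addresses inside any sliding window.

    allowlist names mailboxes that legitimately send in bulk (newsletters,
    appointment reminders); without it they trigger the same alert.
    """
    by_sender = defaultdict(list)
    for ts, sender, rcpt in events:
        if sender in allowlist:
            continue
        by_sender[sender].append((ts, rcpt))

    alerts = {}
    for sender, msgs in by_sender.items():
        msgs.sort()
        start = 0
        for end in range(len(msgs)):
            # Advance the window start until it spans at most `window`.
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            distinct = {rcpt for _, rcpt in msgs[start:end + 1]}
            if len(distinct) > max_recipients:
                prev = alerts.get(sender)
                if prev is None or len(distinct) > prev[1]:
                    alerts[sender] = (msgs[start][0], len(distinct))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for sender, (when, n) in find_mass_mailers(evts, allowlist={"newsletter@example.org"}).items():
        print(f"ALERT {sender}: {n} distinct recipients in one window starting {when}")
```

Run against the constructed log, the executive mailbox is flagged for eight distinct recipients in the afternoon burst while the two nurse messages hours apart are not; drop the allowlist and the newsletter is flagged as well, which is the false-positive class a practitioner must tune out before wiring this into an alert.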
Virtual Care Provider, Inc.
The Milwaukee-based company provides IT consulting, internet access, data storage and security services to 110 nursing homes and acute-care facilities across 45 states. In November 2019, it reported an attack by the ransomware strain known as “Ryuk”.
As it did at Virtual Care Provider, ransomware like Ryuk brings an organization to a standstill by locking it out of its own systems. The attackers demanded $14 million for the keys to unlock them.
Learning from these attacks and the methods employed is the first step toward training personnel and hardening infrastructure against them. Cybersecurity awareness training resources have been compiled by private and government entities to raise awareness of the issues and provide certification-focused instruction. Two places to start are the website of the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Security Awareness Training site of the Department of Health and Human Services.
Review of Breaches in 2019
Phishing and ransomware are not the only ways cybercriminals seek to penetrate networks that host healthcare information, but they are among the most common, and their impact has been significant.
The healthcare industry was particularly hard hit in 2019. According to the Bitglass report, the total number of records breached last year topped 27.5 million, up from 4.7 million in 2017 and 11.5 million in 2018, and HealthITSecurity reports the figure was as high as 41.4 million in 2019. The trend is alarming.
To be fair, given the value of PHI and the sophistication of many attackers (even when their entry point is a simple phishing email), healthcare providers are in an arms race to keep their networks secure and resilient.
A look at some of the top data breaches in the industry from 2019 reveals how often organizations unwittingly let cybercriminals in through the front door, sometimes without realizing the intruder is inside. Refer to the HealthITSecurity article for more information.
Here are some quick stats:
- In 2019, the average number of people impacted per breach topped 71,311, nearly double the 2018 figure
- 6 percent of healthcare data breaches in 2019 were from hacking and IT incidents, up from 45.8 percent in 2018
- The average cost per breached record reached $429 in 2019, for a total cost of $11,808,681,885
These figures are staggering. Time is of the essence when it comes to hardening your infrastructure, training your personnel and acting in ways that guard the security of the information in your charge.
Looking Forward: Protect Your Network, Your Business, and Your Patients
In our next article, we look to break down the three broad categories of network security:
- Employee awareness training
- Behavior modification
With comprehensive systems, procedures, and protocols in each of these areas, healthcare organizations can guard against cyberattacks, quickly and effectively respond if it does happen, prevent losses, and maybe even save lives.