The writing is on the wall: cybercrimes against healthcare organizations will continue to pose a significant threat to healthcare systems in 2023.

According to HIPPA Journal, “the healthcare industry had the highest percentage increase in weekly cyberattacks of any industry sector [in 2022], with an increase of 74% from 2021 to an average of 1,463 attacks per week.”

With the new year, it is imperative that healthcare organizations heed the warnings of cybersecurity professionals and protect their patients’ information, as well as their own establishments. This article covers recent insights about cybersecurity issues in healthcare and various measures healthcare organizations should consider taking to strengthen their defenses against cybercrime.

Recurring Security Challenges in Healthcare

Phishing, ransomware, and data breaches are a few of the most prevalent security challenges that healthcare organizations have faced in the last five years.

Phishing is a method of manipulation hackers use to deceive people into revealing sensitive information. There are many kinds of phishing attacks, and they have become more sophisticated with each year.

According to recent research conducted by HIPPA, instances of phishing have drastically increased since 2020, causing serious financial implications: “The average cost of a phishing attack is now $14.8 million per year for companies in the United States, up from $3.8 million in 2015.”

The installation of malware can also lead to costly ransomware attacks.

A ransomware attack happens when malware spreads into a healthcare provider’s network, and the perpetrator continues to infect and encrypt sensitive data until a ransom amount is paid.

According to Edward Kost, writer for UpGuard, “more than 1 in 3 healthcare organizations globally fell victim to a ransomware attack in 2020.”

A Data breach is a serious security incident which occurs when sensitive data is viewed, stolen, copied, or accessed by an unauthorized individual. Data breaches can occur digitally, after successful phishing attempts, or when physical information is accessed by criminals.

The same HIPPA article further details what’s at stake: “phishing attacks frequently result in data breaches of hundreds of thousands of records, and in several cases, millions of records have been stolen after employees disclosed their credentials or downloaded malware by responding to phishing emails.”

Many cybersecurity professionals suggest that healthcare companies take measures to ensure staff is trained to recognize these cyber threats and prepare for the challenges that emerge due to the adoption of new technologies.

Cybercriminals are targeting vendors

In an article published in Modern Healthcare, Lauren Berryman warns of the cybercriminal’s newest target: vendors.

Berryman explains, “Cybercriminals seeking to seize sensitive health information are increasingly targeting vulnerable vendors to get around the safeguards healthcare providers, insurers and other entities have erected to protect patient data.”

Due to work shortage, supply chain issues and financial hurdles, worsened following the hardship that the Covid-19 pandemic brought, many hospitals hired vendors to take on tasks that were once completed inhouse. Unfortunately, these circumstances have also made it more difficult for hospitals and other healthcare organizations to invest in cybersecurity.

According to Berryman, “Data breaches of vendors […] have grown in number and scale over the past five years […] Through November, there have been 116 reported breaches on business associates that affected 17.7 million patients.”

This situation reveals that when healthcare organizations are unaware of the security protocols that their vendors follow, they run the risk of exposing their patients’ information. Fortunately, there are several ways to proactively safeguard against cybercriminals.

How to Prioritize Cybersecurity

FRG is diligent about cybersecurity. Our AccuReports® and Audit Tracker applications have earned r2 certification from HITRUST®, which is considered “the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of quality review, and consistency of oversight.” To ensure that FRG is secure against cybersecurity threats, we prioritize routine employee training opportunities and meet compliance expectations according to SOC 2 and HITRUST standards.

By adhering to federal and state regulations, standards, and frameworks, and incorporating a risk-based approach to cybersecurity, certifications like the HITRUST CSF help organizations plan for security challenges. The HITRUST certification even provides a standardized framework for healthcare organizations to achieve compliance to HIPAA requirements.

Michael Brown, Security and Compliance Director at FRG, suggests “at a minimum, you should be asking for security reports on an annual basis; HITRUST, SOC, ISO/IEC 27001 and HIPPA risk reports protect healthcare companies from the high risks associated with storing personal health information.”

“Healthcare companies,” he adds, “should hire someone to ensure that the valuable information is secure. If you can’t do this internally, you should hire a security assessment company to assist.”

It is up to healthcare organizations to understand the severity of cybersecurity threats and prioritize security. To face the myriad of cybersecurity challenges that 2023 may bring, healthcare organizations should consider reassessing their cybersecurity training, acquiring HITRUST or similar certification and hiring vendors who can verify their own cybersecurity measures.

For more information about HITRUST certification, check out their website.