Hospitals, nursing homes, doctors’ offices and other medical facilities typically sit at the top of the food chain for cybercriminals and malware purveyors. That’s because while hospitals face pressure to optimize and improve patient care by leveraging more advanced technologies like the internet of things (IoT), hackers are busy exploiting these “open doors.” In response, cybersecurity has risen to the level of military-grade protection in this battle to shield a patient’s sensitive information and avoid hefty penalties and class action lawsuits.
What does this mean for MSPs and IT service providers? Opportunities to modernise a healthcare provider’s security and backup systems with integrated protection that creates an impenetrable barrier between a patient’s personal information and cybercriminals looking to exploit system weaknesses.
Hackers are Way Ahead of the Game:
During the pandemic people were sharing personal information like never before with virtual doctor and clinic visits and remote testing. Even prior to 2020, healthcare organizations were storing vast amounts of sensitive data.
Unfortunately, antiquated systems and limited budgets made the medical industry particularly vulnerable. According to a report in Security Magazine, there are three reasons why healthcare organizations experienced a spike in attacks: a high probability to pay the ransom, the value of patient records, and often inadequate security. Patient data is a prime target for criminals today. Protected health information (PHI) is one of the hottest commodities on the dark web, with consumer credit reporting company Experian putting a price tag of USD 1000 on each stolen patient record.
How are cybercriminals infiltrating practices, clinics, and hospitals?
Email: Phishing scams are one of the most frequent entry points for cybercriminals. According to a CNBC report, there was a 61 per cent increase in the rate of these attacks in the six months ending October 2022 compared to 2021. The same report also found that the sophistication of these incidents is rising.
The Department of Health and Human Services is investigating more than 850 open cases of breaches of unsecured protected health information (the HITECH Act requires the Secretary to post a list of breaches affecting 500 or more individuals), many through email. In February of this year, for example, nearly 240,000 individuals were affected by an email hack at healthcare plan provider Highmark Inc.
Medical Devices: These same bad actors are finding other ways to creep into network servers. A study by online marketplace vendor Capterra late last year found that healthcare organizations with connected medical devices experience a greater number of cyberattacks. Of those breaches, nearly half (48 per cent) affected patient care and two thirds (67 per cent) affected patient data. Several related studies have identified devices from MRI machines to heart rate monitors as a weak link in a hospital’s cyber defense in most data breaches.
Healthcare Organizations Must Act Now:
Data breaches can be costly to medical providers and organizations. The Health Insurance Portability and Accountability Act (HIPAA) rules covering patients’ medical records are extremely strict, and regulators can levy huge fines for breaches of protected health information (PHI), which gives cybercriminals the upper hand when making ransomware demands.
Government and industry sanctions are just one consequence of a cyberattack. CommonSpirit Health, one of the largest nonprofit hospitals in the U.S., is facing class action lawsuits for a 2022 cyberattack that disrupted operations at some of its facilities.
According to reports, that incident exposed the confidential and potentially sensitive information of more than 623,700 people. This example shows a single attack could escalate quickly into multi-million-dollar settlements – in addition to regulatory fines and the cost of restoring systems and data.
Cybercriminals continue to gain unauthorized network access through email phishing and by exploiting weak passwords. External-facing servers and databases without proper cybersecurity practices and technology in place also provide easy access to sensitive records. Implementing staff awareness training programs and locking down easily accessible systems are two of the many steps MSPs can take to better protect their healthcare clients today.
Edge security is also becoming a priority to improve cyber hygiene and reduce risk. A recent report found that 44 per cent of healthcare organizations expect to spend between 11 and 20 per cent of their overall IT budget on this tech segment.