Why do healthcare organizations have a target on their back?
Medical records command a high value on the dark web due to the large amount of personal information they hold. Cybercriminals can sell stolen healthcare data for a massive profit, up to $1,000 for each record, a fact that encourages them to continue hacking as the payoff is worth it.
While there has been an uptick of attacks on healthcare organizations due to coronavirus, a 2019 Healthcare Data Breach Report found more healthcare records were breached in 2019 than in the six years from 2009 to 2014, indicating that the rise of threats to healthcare records has been an ongoing trend.
Healthcare organizations need to understand the interconnected relationship between cybersecurity and patient care. Investing in cybersecurity ensures organizations have the appropriate controls in place to protect the patient, their data, the brand, and business, all while complying with HIPAA requirements.
Healthcare organizations will remain a top target beyond COVID-19
Healthcare data is of interest to nation-state threat actors looking to steal clinical trials and research data to solve concerns in their country and create economic and political advantage by being first to market on innovation or a critical vaccine.
A patient’s record can also hold insight that could be used to inflict harm to persons of interest. On top of personally identifiable data, patient records contain very sensitive and personal information, such as blood type, allergies, medications, medical devices in use, and past procedures. All of it can be used to commit identity theft, insurance fraud, blackmail, or to cause bodily harm.
Unfortunately, most of this data cannot be changed if stolen. In addition, this information is often stored in legacy systems, not built with security in mind, in multiple disparate systems and different locations, and the organization cannot afford the cost to migrate data to a modern, secure, system.
Biomedical devices have historically been bad at implementing even the most basic security controls, such as encryption, authentication, and access controls. To complicate things further, these devices are often out of scope when it comes to implementing basic protections like anti-virus, endpoint detection and response, and other software that could be seen as intrusive to the system and impact or influence the operation of the device. Technically, the device is a sitting duck for any attacker that can get access to the same network. It has only been about five years since healthcare organizations started pressing and holding device manufacturers accountable to basic security standards.
The unfortunate thing is these biomedical devices and the inherent lack of security controls and protections have been moved directly to the consumer whether that is in their home or installed on their bodies. This has broadened the reach, capabilities, attack surface and potential damage that can be inflected by the malicious threat actor.
Pacemakers are a prime example as hackers have had success interfering with the device. Recently, patients, providers, and manufacturers were notified of a security vulnerability called SweynTooth. The vulnerability, associated with Bluetooth Low Energy, could be exploited to wirelessly target certain medical devices – crash, deadlock them, or bypass their security protections to gain unauthorized access. This makes medical devices a real life and death situation, beyond what we normally would consider.
Patient infrastructure is also not up to par. Telehealth is more integral to healthcare than ever before as it reduces expenses, lowers exposure to illnesses and is more convenient. In March, telehealth visits surged 50% and analysts estimate coronavirus-related virtual visits could top 1 billion globally in 2020.
This surge further complicates the security landscape if hospital groups don’t have the infrastructure in place to protect consumer data as they are often leveraging telehealth platforms that were not built for healthcare; and have expanded the risk by inheriting the existing weaknesses and vulnerabilities of those platforms.
How can organizations combat these attacks?
Organizations should ensure their infrastructure is secure by using platforms that are designed for healthcare use, while meeting legal privacy requirements. The infrastructure systems should be configured according to security standards, with ample visibility and a strategy should be in place for patient owned devices and endpoints. It’s important the healthcare provider has visibility into what is happening across the environment to monitor for signs of suspicious activity in real-time so immediate action can be taken.
Furthermore, as 48% of threat actors in healthcare are internal, organizations must monitor for behavioral changes in users and their data, providing visibility to uncover user-based threats that might otherwise go undetected. There must also be security tools in place that automate common investigation tasks and streamline remediation to halt a breach immediately and in real-time. Detection and response early in the cyberattack lifecycle is key to protecting health records and the company from a large-scale impact.
Organizations that do not have the above security capabilities in place and suffer from a data breach can expect to face financial penalties under HIPAA for not effectively protecting confidential customer information. As a fine could range from $100 to $50,000 per violation (or per record), it is critical companies go beyond the minimal security requirements to avoid such a fate.
Furthermore, a significant incident or breach erodes patient trust and damages the brand, including reduced revenues. Given the current evolving threat landscape and increased focus on healthcare by cybercriminals, companies must commit to improving their security operations to protect patients and the organization.