By Cindi Carter, CISO in the Office of the CTO at Check Point Software Technologies
Earlier this month, a ransomware attack shut down emergency rooms across the United States, forcing ambulances to route to other hospitals. Prospect Medical Group, which operates 16 hospitals and 166 outpatient clinics across Connecticut, Pennsylvania, Rhode Island and Texas, took their systems offline to protect them while they launched an investigation.
According to IBM’s Cost of a Data Breach Report 2023, the healthcare industry reported the most expensive data breaches at an average cost of $10.93M. But in healthcare, cyber attacks can have ramifications beyond financial loss and breach of privacy. With ransomware attacks such as these, the loss of access to patient data and medical tools can put lives at risk. And as NPR recently reported, it can take months for hospitals to recover.
Unfortunately, these are not uncommon incidents. Last month, Check Point Research found that an average of one in 29 healthcare organizations was impacted by ransomware. In 2022, the healthcare industry experienced a 78% year-on-year increase in cyberattacks, with an average of 1,426 attempted breaches per week per organization.
It cannot be overstated that in healthcare, cyberattacks are a matter of life and death. In fact, a survey conducted by the Ponemon Institute found that more than 20% of healthcare organizations reported an increase in patient mortality rates after experiencing a breach.
Why do cyber criminals target healthcare?
Healthcare is essential, and it contains troves of sensitive medical data. For cyber criminals, breaching a healthcare organization provides two things: access to that sensitive medical data, which can be held for ransom, and the guarantee of media coverage and notoriety for the hacker. Both factors put hospitals under immense pressure, increasing the likelihood that a high ransom fee will be paid.
The healthcare sector is vulnerable for several reasons. First, the increasing sophistication and quantity of cyberattacks is not a threat these organizations are set up to deal with. Many hospitals rely on a blend of old and new technologies, most of which are either not directly managed or forgotten due to improper documentation. This problem has only increased over time as more Internet of Things (IoT) and medical devices are added, despite rarely being built securely by design. The current cybersecurity skills shortage also means there’s a lack of expertise to help manage this widening attack surface. Add these factors together, and cyber criminals see a high-value target with a large threat surface and many potential points of entry.
Patients deserve quality care that sustains strong physical, intellectual and emotional health outcomes. The protection of their healthcare data is a component of that. A cyber attack has the potential to affect a given individual’s or population’s physical health, and it may cause social and emotional difficulties should personal information become compromised and find its way into public view. In fact, patients are currently suing One Brooklyn Health after the organization was breached by cyber criminals who leaked patient data. The patients are concerned that they are now at greater risk for fraud, identity theft, misappropriation of health insurance benefits and more.
Three actions to prevent cyberattacks from disrupting the healthcare workflow
- Culture: Establish secure-mindedness in every aspect of the patient journey. Educating the staff on why cybersecurity is important and their role in protecting patients through good information security practices should become as second nature to the healthcare organization as maintaining hygienic conditions. Cybersecurity education and training must be frequent and ongoing in order to instill a secure-minded culture.
- Endpoint protection: A single user in the healthcare system may have multiple endpoints from which they access and transmit electronic health information. Even medical devices themselves transmit data. Prevention-first endpoint protection includes a multi-layered approach encompassing the following capabilities: anti-phishing, anti-ransomware, anti-bot, content disarm and reconstruction (CDR), and automated post-detection, remediation, and response. The U.S. Department of Health and Human Services (HHS) provides actionable guidance on the safeguarding of electronic protected health information.
- Access control (zero trust model): By simply cutting back on who has access to healthcare data, organizations can prevent a cyber attack from being successful. Zero trust enables healthcare organizations to enforce policies of least privilege, in which they grant the least amount of credentials necessary for the tasks required. Every level of data should be accessed on a need-to-know basis in order to reduce the chances of unauthorized access.
In recent conversations with healthcare CISOs, there’s a strong desire to secure the health of everyone, everywhere, with certainty. Luckily, there is a strong culture of collaboration in the industry, with organizations sharing best practices and lessons learned for taking action. Healthcare professionals understand the importance of good health and remain dedicated to protecting our healthcare institutions and providers.
Recent ransomware attacks against healthcare providers have emphasized that cyber security is essential to patient care and safety. Above all measures, healthcare organizations should take a preventative approach to their cyber security practices, much in the same way that the five rights of medication ensure patient safety: the right patient, the right drug, the right dose, the right route of administration, the right time.
Clinicians shouldn’t have to worry about whether they will be able to access digital medical records or whether they can rely on their medical instruments. Focusing on improving care outcomes with patients is already a big task. By taking a prevention-first approach to protecting hospitals, providers and patients, we can stop the disruption and destruction from happening in the first place.