9 Tips to Help You Reduce Cyber Threats for Your Healthcare Entity
Did you know that over 45 million patient records worldwide were affected by cyberattacks in the healthcare sector in 2021?
Cyber threats in healthcare are growing in number and hurting more people, businesses, including large entities such as hospitals, medical centers, and health insurance providers.
The problem with cyber threats in healthcare is that they affect various stakeholders including patients, the hospital or medical center, third-party vendors, and other companies and people who interact with them.
Cybersecurity Ventures forecast a surge in the cost of lost data and related failures from cyber attacks on the healthcare sector to $6 trillion by 2021, marking a 100% increase from the $3 trillion figure estimated in 2015.
Globally, the cybersecurity market is expected to reach $345.4 billion by 2026, up from $217.9 billion in 2021, registering a compound annual growth rate (CAGR) of 9.7% between 2021 and 2026. (Markets and Markets)
In this article, we're going to focus on healthcare cybersecurity, its importance, the top threats in the industry, how to prevent cyber threats in healthcare, and how to secure private health information.
What is Healthcare Cybersecurity?
Healthcare cybersecurity is a branch of cybersecurity that's focused on the healthcare industry. This includes patients, hospitals, public and private medical centers, vendors and suppliers, and any kind of entity or business, or person that takes part in the healthcare industry.
But that's not all. The healthcare sector, whether globally or in each country around the world, houses tons of medical, personal, and financial information.
Healthcare cybersecurity entails the protection of all of this information including patient records, medication, and medical information. Private data shared between healthcare companies and suppliers and vendors are also part of the sector and should be secured.
Not to mention the hospital's internal systems such as Electronic Health Record (EHR) systems, clinical decision support systems, computerized physician order entry systems, electronic prescribing systems, among others. And let's not forget the thousands – or hundreds of thousands and millions – of devices located at healthcare facilities and vendors.
Elevators, heating, ventilation, and air conditioning (HVAC) systems, remote patient monitoring devices, infusion pumps, ventilators, among other systems and devices are all connected to each other and are subject to cyber-attacks.
As you can see, the healthcare sector is broad but interconnected, making it a feast for hackers and cyberattackers.
Why is Cybersecurity Important in Healthcare?
The biggest problem in the healthcare industry is that there are many variables and tons of data that could be stolen, primarily patient data.
And because of those many variables, healthcare facilities – around the world – are prone to data breaches and cyberattacks.
In addition, poor cybersecurity awareness along with the presence of legacy systems and a lack of up-to-date systems make it easier for hackers to breach those systems.
The targeted data can include anything from financial data – although with healthcare cyber threats that's not the main target – and personal health information (PHI), and personally-identifying information (PII) such as social security numbers. Intellectual property pertaining to medical research and tech is also subject to cyber threats.
According to the AHA Center for Health Innovation "stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web."
And the cost to "remediate" a healthcare breach can amount to triple the cost incurred by other industries.
The average cost of recovering a stolen healthcare record amounts to $408 (in the United States) compared to $148 for each stolen non-healthcare record, according to 2018 data by IBM and Ponemon I.
Cyberthreats in the healthcare industry can hurt people and businesses alike. People may get their patient records and financial information stolen, while businesses and healthcare providers can suffer a damaged reputation and penalties and lawsuits.
Not to mention the fact that patient care and safety may suffer if hackers breach software that controls devices such as pacemakers. Similarly, healthcare providers would not be able to care for patients if devices are attacked by ransomware.
In 2017, Britain's National Health Service (NHS) fell prey to the "WannaCry" ransomware attack which impacted computer systems across 150 countries.
The ransomware attack caused ambulances to be diverted and surgeries to be canceled.
Top Cybersecurity Threats in Healthcare
As one of the top three industries impacted by cyber threats and data breaches, the healthcare industry has had its fair share of cyberattacks.
Here are some of the world's top cybersecurity threats in healthcare that have taken place over the years:
Anthem Blue Cross – 79 million patients affected
In January 2015, healthcare insurance provider Anthem Blue Cross reported being the target of a cyberattack that affected 78.8 million patients in its network.
The hacker had gained access to sensitive information such as social security numbers, email addresses, and employment and income information. However, they did not hack medical or credit card information, Anthem had said.
Premera Blue Cross – 11+ million patients affected
Healthcare insurance provider Premera Blue Cross revealed in March 2015 that it had suffered a cyberattack.
Premera said hackers had gained access to 11+ million patients' medical and financial data including bank account numbers, social security numbers, and other details.
Excellus BlueCross BlueShield – 10+ million patients affected
In September 2015, healthcare provider Excellus BlueCross BlueShield suffered a data breach that affected over 10 million patients.
Unlike other cybersecurity healthcare threats, Excellus' problem was that hackers had access to nearly all of its patient information for two years!
The breach involved sensitive data such as social security numbers, telephone numbers, mailing addresses, claims, and some credit card numbers.
TRICARE – 4.9 million patients affected
In September 2011, TRICARE, the United States federal government healthcare provider, suffered a massive data breach that impacted 4.6 million military patients and their families.
However, this breach occurred after records, in the form of tapes covering patient data from 1992 till 7 September 2011, were stolen from a data contractor's car.
Medical Informatics Engineering – 3.9 million patients affected
In May 2015, Medical Informatics Engineering was the "target of a sophisticated cyber-attack," according to AppKnox.
The attack impacted 11 healthcare service providers along with a total of 3.9 million patients.
The hackers stole sensitive information including social security numbers, mailing addresses, diagnoses, among other sensitive data, the company said.
Banner Health – 3.62 million patients affected
Banner Health, a US-based non-profit health system that operates 30 hospitals along with several specialized medical facilities, said it noticed unusual activity on its servers.
In August 2016, the non-profit found evidence of two cyberattacks where hackers stole patient information and payment-card records.
Accellion – 3.5 million people and 100 companies affected
In December 2021, Accellion, a file transfer company, reported that its file transfer app (FTA) was hacked.
The company had legacy technology and many known security gaps that hackers were able to use and hack the data.
However, the hack began earlier in 2021 and has continued well into 2022.
The problem with Accellion was that hackers were able to access information for a host of companies including banks and healthcare providers. Healthcare entities were the most impacted with over 2.5 million patient records hacked.
"The attack was launched by the Clop ransomware group, notorious for actively targeting the healthcare sector," reported SC Magazine.
NewKirk Products – 3.47 million patients affected
In August 2016, Newkirk Products, Inc., a healthcare ID card issuer for healthcare insurance providers, said it suffered a cybersecurity incident where unauthorized people gained access to a server housing personal information.
The server "did not contain Social Security numbers, banking or credit card information, medical information or any insurance claims information," the company said.
Trinity Health – 3.3 million patients
In 2020, Trinity Health was the victim of a ransomware attack, where hackers gained access to 3.3 million records including information pertaining to patients and donors.
Famous Cyberattacks on Hospitals
Medical facilities and healthcare service providers aren't the only ones affected by cyberattacks. Hospitals are a major target for cybercriminals.
Here are a few well-known cyberattacks on hospitals.
1. Boston Children's Hospital
A hacker initiated a Distributed Denial of Service (DDoS) attack on the Boston Children's Hospital, resulting in the hospital's donation page being shut down.
According to StormShield.com, the Boston Children's Hospital "is estimated to have lost $300,000 on repairs to its computer system" following the attack.
2. Czech's Brno University Hospital
After the Czech government announced a state of emergency in 2020 due to the coronavirus pandemic, the Brno University Hospital suffered a cyberattack.
The Brno University Hospital was one of the largest testing facilities at the time and the cyberattack came one day after the state of emergency was announced.
The cyberattack was a ransomware attack that "paralyzed the hospital's computer networks," according to Digital Peace Now. It caused doctors to postpone surgeries, while incoming patients had to be relocated to nearby hospitals.
3. Universal Health Services
The Universal Health Services (UHS) is a hospital chain with over 400 locations in the US and the UK. It suffered a cyberattack in September 2020.
The UHS's IT systems were affected and taken down by a "Ryuk" ransomware attack, which prevented medical staff from getting access to thousands of patient records.
Like the Brno University Hospital, the UHS had to reroute ambulances and incoming patients to nearby hospitals.
How to Prevent Cyber Threats in Healthcare?
Although Anthem Blue Cross may have been the largest healthcare cybersecurity breach in recent years, Accellion was the most far-reaching because it not only affected the company and its employees but it hurt other businesses that were using its software.
So how can healthcare businesses protect themselves and prevent cyber threats?
The first step in securing a device, server, or an entire hospital is to be proactive.
This means whether you're a person at home or the Chief Information Security Officer (CISO) of a large hospital, you need to initiate your security procedures and not wait for something bad to happen so you can – try to – fix it.
Here is a list of cybersecurity healthcare best practices for any organization or business that's looking to protect its assets and information against hackers:
1. Conduct Risk Assessments
An essential element for any business or organization looking to ensure its cybersecurity is in check, is conducting cybersecurity risk assessments. Healthcare is no exception.
In order for a company to take action, it first needs to assess the risk and level of risk involved.
Entities will need to review or assess the risk based on several factors such as how likely it is to happen and its impact on their organization. They also need to prioritize their risks.
A best practice for cybersecurity, including healthcare cybersecurity, is to conduct regular risk assessments. This means at least one risk assessment per year is required.
2. Use Basic and Advanced Security Controls
Healthcare entities, whether businesses, hospitals, insurance firms, or any healthcare service provider, should have basic security controls in place.
The next step would be to use advanced security controls.
3. Educating Staff
This includes doctors, nurses, assistants, secretaries, and all other staff who work at medical facilities, hospitals, and related entities.
4. Having Data Usage Controls
Having a data usage control module can help an organization with its control issues. The module "allows data providers to exercise some control over the generated data by their sensors and ensure that the policies put in place by the data producers are respected by data consumers." (Hackernoon)
5. Using Data Encryption
This means that files, patient data, and status, among other types of information, should be encrypted. You may choose to use asymmetric encryption for highly sensitive data.
6. Securing Staff's Mobile Devices
Similar to securing one's devices at home, businesses should help their employees and other stakeholders secure their mobile devices, especially if they bring them to work.
7. Use Off-site Data Backup
This means that in addition to having your data stored on your local network, you may opt to have it backed up on a secure server elsewhere.
8. Avoid Risks of Connected Devices
It's common in businesses, healthcare, or otherwise, to see an employee get a home device that's been infected with malware. Once they connect it to the network in the hospital, office, or anywhere, the malware begins to spread through the network.
To avoid the risk of a connected device infecting your network, you'll need to have strict policies in place about personnel bringing equipment or laptops and similar devices from home.
9. Train Staff on Healthcare Cybersecurity
Part of your role in ensuring cybersecurity in your hospital or healthcare organization is to offer staff training and raise awareness about healthcare cybersecurity and its importance.
This will help you be proactive and provide more insight to your team and personnel so that they, too, can be a part of securing your entity's online security.
Tips for Securing Private Health Data
So how can people working in hospitals, medical facilities, healthcare providers such as healthcare insurance companies secure private health data?
Healthcare cybersecurity is of growing importance to businesses and people alike.
To help you ensure your private health data is secure and to prevent potential future data breaches, here are a few tips to follow;
1. Use Unique and Strong Passwords
You've probably heard it before. To secure your devices, email, and other areas where you get online access, you need to have a strong and unique password with numbers, uppercase and lowercase letters, and unique characters.
Having a strong password reduces the risk of getting hacked.
2. Use a Strong Firewall
As part of securing your home or office assets such as your laptop or your company's server, you'll need to have a strong firewall and antivirus software.
3. Use Two-step Verification when Possible
Have you seen that message from Gmail asking you to use a two-step verification process to secure your email?
That's a higher level of cybersecurity and it's designed to make it harder for hackers and cybercriminals to gain access to your personal information and data.
For a higher level of security, use a two-step verification process whenever possible.
4. Turn off Devices when You're not using them
We all don't like to turn off our devices, be they laptops, tablets, or certainly our phones. But turning them off, or at least turning off their Wi-Fi or data usage can significantly reduce the chance of being hacked.
Conclusion
One of the reasons medical and patient records are considered valuable among hackers and cybercriminals is that the stolen data can be sold and used in insurance fraud.
And as the years pass, hackers become more resilient in gaining access to private information, particularly healthcare data for companies and patients alike.
That's why healthcare entities need to "be on guard not only of their cybersecurity posture but also of third party vendors that have access to data and networks," advises John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at Christus Health in a statement to Fierce Healthcare.
He notes that healthcare firms and hospitals are beginning to be more proactive in their approach to cybersecurity. "But there is still a long way to go," he adds.
CyberTalents provides different cybersecurity services to help secure your business. Start Now