Healthcare providers and systems are squarely in the crosshairs of cybercriminals, and this threat will persist given the value of patient information and the vulnerability of their networks. By targeting providers with attacks that scramble and lock up data until victims pay a ransom, hackers can demand thousands or millions of dollars. Such attacks increased during 2020, which prompted the federal government to issue a warning to healthcare providers about "credible, ongoing and persistent" cybersecurity threats. In this environment, hospital and healthcare executives need to adopt best practices both to repel attacks and to respond effectively when an attack succeeds.
The scope of the problem is difficult to overstate. According to the Associated Press, ransomware is partly to blame for about 700 private health information breaches (affecting about 46.6 million people) that the federal government is currently investigating. Recent attacks against healthcare organizations have resulted in outages lasting longer than 30 days, losses of over $1 million a day, and overall related expenses exceeding $50 million.
Not all victims pay a ransom, but many do, and they have cybersecurity insurance expressly for this purpose. Once cybercriminals have infiltrated a healthcare provider or network there are clearly strong incentives to pay the attackers as quickly and quietly as possible to avoid public embarrassment, regain access to systems and keep patient records private. “Once criminals get into certain systems, no one can be admitted or discharged,” said Steve Stasiukonis, a managing partner at Secure Network Technologies, an information security consulting firm. “The costs are huge. These are really bad, sinister people.” Typically, these criminals are part of syndicates based in Eastern Europe and Russia and are very rarely caught.
Why are Healthcare Providers and Systems Tempting Targets?
There are many reasons why healthcare providers and systems are such attractive targets. First and foremost is the payday. “Criminals want to make money, and they know that hospitals and healthcare networks need to get their systems back up and running as quickly as possible to care for patients,” explains Jeff Tarte, SVP, Chief Information Security Officer at People's United Bank. They also know that hospitals and healthcare networks are treasure troves of patient information. Cybersecurity Ventures estimates that personal health information is 50 times more valuable on the black market than financial information. But the other reason that hospital and healthcare networks are such attractive targets is their many vulnerabilities.
- Stretched resources: “There’s never enough money in the budget for cybersecurity,” Stasiukonis said, which makes it difficult for healthcare providers and systems to keep up with the evolving threat. Health systems spend only 4% to 7% of their IT budget on cybersecurity, whereas other industries such as banking or insurance spend three times as much, according to Associated Press reports. COVID-19 has made matters worse. Many hospitals and healthcare networks postponed technology upgrades or cybersecurity training that would help protect them from the newest wave of attacks.
- Old technology and complex systems: At most healthcare providers and systems, the backbone systems and technology are outdated and complex, often cobbled together over decades of mergers and acquisitions. This creates gaps in security that cybercrooks can exploit. For example, the anti-virus solutions that worked four years ago can’t detect many of today’s threats. “You need a different set of tools to keep up with changes in ransomware,” Tarte said. “A lot of attackers use technology management tools that make their activity look like legitimate IT administrators doing their jobs.”
- Medical devices: At large organizations there can be thousands of medical devices connected to the network. It’s difficult to monitor all these devices or efficiently upgrade security across the network. Medical devices such as x-rays, insulin pumps and defibrillators lack the security found on other network devices such as laptops and computers. But hackers can use them to attack a server that holds valuable information.
- Supply chain vulnerabilities: Cybercriminals don’t just look at the healthcare providers and systems for vulnerabilities. They are experts at exploiting security gaps at trusted healthcare vendors to infiltrate healthcare providers and systems, and they often focus on payments made by accounts payable. Before the pandemic, 81% of businesses across industries were targets of payment fraud.[1] The pandemic has only made matters worse. Companies must now anticipate new vulnerabilities resulting from changed business processes, such as fast-tracking new business partners and suppliers. Among anti-fraud experts, 82% anticipate payment fraud will increase over the next 12 months.[2]
- The workforce: An enormous number of people must access healthcare providers and systems every day, opening up numerous attack vectors. Social engineering that targets employees is on the rise: 98% of cyberattacks across all industries rely on social engineering, tempting employees to click on links that will download malware or simply misdirecting them.[3] For example, cybercriminals will often send bogus payment update information, hoping to trick employees into sending legitimate payments to their illegitimate accounts. Again, the pandemic is only making matters worse. Among anti-fraud experts, 77% say that fraud prevention and fraud investigations are more challenging as remote work continues.[4]