Cyberattacks continue to be a costly issue for the healthcare industry. According to IBM’s Cost of a Data Breach report, healthcare organizations were saddled with the highest average cost for each data breach. The trend has persisted for eleven years in a row as of 2021.
The cost of a healthcare data breach increased from $7.13 million in 2020 to $9.23 million in 2021, an increase of 29.5%. Over 40 million patient records were compromised in 2021 alone, with the worst breach occurring near the beginning of the year.
That breach was at the Florida Healthy Kids Corporation, where “significant vulnerabilities” had been present since 2013. They eventually led to the exposure of Social Security numbers, names, addresses, birth dates, and other personally identifiable information (PII) of about 3.5 million individuals.
It also takes longer for health systems to get back to normal after a breach. IBM measures a breach’s lifecycle as the time from when the breach first occurs until it is identified and contained, so it combines the time to detect the intrusion with the time to stop it. Across all industries, the average lifecycle in 2021 was 287 days.
For healthcare, the 2020 figure was 329 days, against an all-industry average of 280 days that year. Healthcare breaches take longer both to identify and to contain.
Why is healthcare particularly vulnerable to cyberattacks?
You may be wondering what sets healthcare apart from other industries. Why do hackers focus cyberattacks on the healthcare industry?
PII and PHI are valuable to healthcare cyberattackers
Healthcare organizations store large amounts of personally identifiable information (PII) and of protected health information (PHI), the health-specific category defined by HIPAA. PII is not specific to healthcare; it is anything that can identify an individual: full names, addresses, Social Security numbers, payment card details, and email addresses, to name a few examples.
PHI is individually identifiable health information created or held by a HIPAA-covered entity or its business associates: diagnoses, treatment notes, lab results, prescriptions, and billing records, together with the identifiers attached to them. It can be even more sensitive than ordinary PII, since a rare condition or an unusual combination of conditions can identify a person on its own, and, unlike a password or card number, a medical history cannot be changed after it leaks.
Confidential patient data sells for a high price on criminal markets, and a hospital that cannot reach its records cannot treat patients, which makes healthcare an attractive target for ransomware and other types of attack.
The healthcare industry takes longer to adopt new technology
Turning the technology tide in a healthcare organization is no easy feat. Depending on the amount of stored data on legacy systems, migration to more secure platforms requires effort. Limited budgets can also prevent migration.
Adding more security measures, like multi-factor authentication, can add a time-consuming learning curve that depends on the size of the healthcare system. Organizations may run into staff hesitant to change their routines. Due to these factors, organizations may avoid adoption, despite the risk of a breach looming overhead.
Insufficient cybersecurity education
Attackers target healthcare for its valuable data and its outdated systems, but also because many employees have not been trained to recognize and resist threats such as phishing.
The United States Department of Health and Human Services (HHS), the Sector Risk Management Agency for the healthcare and public health sector, listed 609 breaches of PHI reported in 2021 alone, each affecting 500 or more individuals, as under investigation.
Bring-Your-Own-Device (BYOD) policies widen that gap: employees need to be trained on what they may and may not do with PHI on personal phones and laptops (for example, never storing records in unmanaged apps or forwarding them to personal email). Better-trained staff fall for fewer phishing lures and report suspicious activity sooner, which raises the attacker’s cost and shrinks the window in which a breach goes unnoticed.
Increasing reliance on telehealth and remote work
Much like other industries, healthcare is no stranger to remote work. Telehealth use in the U.S. grew by 63.4% in 2020. Usage has slowed since its peak (about 20% of adults reported a telehealth visit in the previous four weeks, down from 25% in April 2021), but telehealth isn’t going anywhere.
Telehealth’s remote nature will keep posing risk for the sector in the years to come: every clinician’s home network, personal laptop, and video endpoint is one more device IT has to protect, outside the hospital’s perimeter.
Wide access to sensitive patient information
Between personal devices and organization-owned devices, the average healthcare worker has access to around 31,000 sensitive files from their first day on the job, and nearly 20% of an organization’s files are open to every employee. Multiply that by the number of people with access, and the reason breaches take so long to identify and contain becomes clear: one compromised account reaches a large share of the data, and with so many legitimate paths to each file, working out which one the attacker used is slow.
Lack of internal expertise due to the workforce shortage
The workforce shortage is also hitting cybersecurity: 2.7 million open cybersecurity jobs were yet to be filled as of 2021. Being short-staffed on cybersecurity professionals can add complications, including:
- misconfigured systems
- hasty deployments
- inadequate time for risk assessment and management
How to prepare for cyberattacks on the healthcare industry
Employing security measures to prepare your organization against attacks should be a cumulative strategy: each control adds to the last rather than replacing it. If you are reexamining your approach to IT because of increasing threats, reliance on remote work, and the acceleration of digital transformation initiatives, here are some measures that help you adapt and evolve during times of uncertainty.
Multi-factor authentication and access control
Healthcare employees have access to a large amount of PII and PHI almost immediately after starting at a job, a risk that becomes even larger with BYOD initiatives. One way to reduce risk right out the gate is to enable multi-factor authentication (MFA) and access control.
Multi-factor authentication requires a user to present a second proof of identity in addition to a password: a code from an authenticator app, a push approval on a registered phone, or a hardware security key. Not all factors are equal. SMS codes can be intercepted through SIM swapping, push prompts can be worn down by repeated requests until a user approves one, and app-generated codes can be phished in real time, while FIDO2/WebAuthn security keys are bound to the site they were registered with and resist phishing. Cloud-based MFA services are set up quickly and more affordably than traditional on-premises methods.
Access control limits your data to the audiences that need the patient information. Changing the access levels of patient data can:
- help keep more information secure
- aid in finding the source of a breach faster
- put limits on access that certain members of your organization don’t need
Access control decides what an authenticated user may do with each part of a record, typically through roles (nurse, physician, billing clerk) that carry only the permissions the job needs. Passwords, PINs, biometric scans, and security tokens are the authentication mechanisms that establish who the user is, and endpoint protection guards the device they use; access control is what then limits that verified identity to the patient data relevant to its role.
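To make the access-control idea concrete, here is an added Python example (written for this article, not code from any product the page mentions) of a least-privilege check over a patient record split into clinical, demographic, and billing categories, with an audit trail. The roles, user names, and patient identifiers are hypothetical. It shows the three benefits listed above: a billing clerk cannot read clinical notes, a nurse cannot open the record of a patient she does not treat, and every decision is logged so an investigator can list who reached a given record and which accounts keep being refused.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Data categories inside a patient record (constructed for this example).
CLINICAL = "clinical"          # diagnoses, notes, lab results
DEMOGRAPHICS = "demographics"  # name, address, date of birth
BILLING = "billing"            # insurance and payment data

# Least-privilege role definitions: each hypothetical role gets only the
# (category, action) pairs its job needs. Anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "physician":     {(CLINICAL, "read"), (CLINICAL, "write"), (DEMOGRAPHICS, "read")},
    "nurse":         {(CLINICAL, "read"), (DEMOGRAPHICS, "read")},
    "billing_clerk": {(BILLING, "read"), (BILLING, "write"), (DEMOGRAPHICS, "read")},
    "front_desk":    {(DEMOGRAPHICS, "read"), (DEMOGRAPHICS, "write")},
}

# Categories that also require a treatment relationship, so clinical staff
# cannot browse the records of patients they are not caring for.
RELATIONSHIP_REQUIRED = {CLINICAL}


@dataclass(frozen=True)
class AuditEntry:
    ts: int          # unix time of the decision
    user: str
    patient: str
    category: str
    action: str
    allowed: bool
    reason: str


class RecordAccessControl:
    def __init__(self) -> None:
        self.user_roles: Dict[str, str] = {}
        self.care_team: Dict[str, Set[str]] = {}   # patient -> users treating them
        self.audit: List[AuditEntry] = []

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles[user] = role

    def add_to_care_team(self, patient: str, user: str) -> None:
        self.care_team.setdefault(patient, set()).add(user)

    def authorize(self, user: str, patient: str, category: str, action: str, ts: int) -> bool:
        """Decide whether the request is permitted and record the decision either way (default deny)."""
        role = self.user_roles.get(user)
        allowed, reason = False, "no role assigned"
        if role is not None:
            if (category, action) in ROLE_PERMISSIONS[role]:
                allowed, reason = True, f"role {role} permits {action} on {category}"
            else:
                reason = f"role {role} does not permit {action} on {category}"
        if allowed and category in RELATIONSHIP_REQUIRED and user not in self.care_team.get(patient, set()):
            allowed, reason = False, "no treatment relationship with patient"
        self.audit.append(AuditEntry(ts, user, patient, category, action, allowed, reason))
        return allowed

    def who_accessed(self, patient: str) -> List[Tuple[int, str, str, str]]:
        """Successful accesses to one patient's record, oldest first: the trail an
        investigator follows to find where exposed data came from."""
        return [(e.ts, e.user, e.category, e.action)
                for e in self.audit if e.patient == patient and e.allowed]

    def denied_by_user(self, user: str) -> int:
        """Count of denied attempts per user; a spike is an early sign of snooping or a stolen account."""
        return sum(1 for e in self.audit if e.user == user and not e.allowed)


def demo() -> RecordAccessControl:
    """Constructed scenario with made-up users and patients."""
    ac = RecordAccessControl()
    ac.assign_role("dr_ahmed", "physician")
    ac.assign_role("nurse_lee", "nurse")
    ac.assign_role("clerk_ray", "billing_clerk")
    ac.add_to_care_team("patient-1001", "dr_ahmed")
    ac.add_to_care_team("patient-1001", "nurse_lee")
    ac.authorize("dr_ahmed", "patient-1001", CLINICAL, "write", ts=1)        # allowed
    ac.authorize("nurse_lee", "patient-1001", CLINICAL, "read", ts=2)        # allowed
    ac.authorize("nurse_lee", "patient-2002", CLINICAL, "read", ts=3)        # denied: not on care team
    ac.authorize("clerk_ray", "patient-1001", CLINICAL, "read", ts=4)        # denied: outside role
    ac.authorize("clerk_ray", "patient-1001", BILLING, "read", ts=5)         # allowed
    ac.authorize("intern_x", "patient-1001", DEMOGRAPHICS, "read", ts=6)     # denied: no role at all
    return ac


if __name__ == "__main__":
    ac = demo()
    for entry in ac.audit:
        print(entry)
    print(ac.who_accessed("patient-1001"))
```

Two design choices carry the weight here: the policy is default deny, so a new hire with no role assigned gets nothing on day one rather than the 31,000 files described earlier, and denials are logged alongside grants, because the denied attempts are usually the first visible sign that an account is being misused.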
Firewalls and filtering
One of the most effective ways to protect against threat actors is to stop them before they reach your systems, and that applies squarely to cyberattacks on the healthcare industry. Web application firewalls (WAFs) inspect HTTP traffic to patient portals and other web applications and block requests that carry known attack patterns such as SQL injection, cross-site scripting, and credential stuffing, including automated request patterns that don’t match how a human uses the site. They also serve as an additional line of protection for vulnerabilities in your own software: a WAF rule can block exploitation of a flaw until the code is fixed (virtual patching), though it is a stopgap rather than a substitute for the fix.
Next-generation firewalls go one step beyond this with URL filtering, malware filtering, web application protection, and network intrusion detection and prevention. Configuring and deploying them takes time, and each rule set needs tuning so that it doesn’t block legitimate clinical traffic, but the investment pays for itself quickly.
Security awareness training
The better your healthcare professionals understand how to protect data, the better prepared they will be when an attack comes. Everyone with access to PII and PHI should be familiar with common ransomware and phishing tactics, and should be tested regularly (simulated phishing campaigns, for example) to find out where additional training is needed.
Data security training should be part of the onboarding process and done periodically, identifying individuals along the way who may benefit from extra instruction.
Are you ready to face today’s healthcare security challenges?
Defending against cyberattacks on the healthcare industry requires awareness of today’s threats, systems built to prevent attacks, and staying up to date on the latest tactics used against patient data.
Learn more about how to defend your organization against rising ransomware threats. Download our complimentary ‘Preventing Ransomware’ Whitepaper.