The growth of digitization in healthcare has led to better patient care and improved service delivery by healthcare providers. However, due to the abundance of personally identifiable information (PII), it has made the healthcare sector vulnerable to cyberattacks.
According to the HIPAA Journal, there have been 4,419 healthcare data breaches between 2009 and 2021. This constitutes 314,063,186 healthcare records exposed. According to an IBM report, a data breach in the healthcare sector costs $10.10 million per incident. Most of these breaches were third-party breaches, a shift from the common large healthcare system attacks.
Facing this threat landscape, healthcare security leaders must be mindful of and mitigate a number of cybersecurity threats facing the sector.
1. Third-party breach
The healthcare industry relies heavily on third-party vendors, like cloud web hosting and cloud-based software vendors. Third-party entities help healthcare organizations gain strategic advantages like cost saving and/or expertise they don’t have. As such, they pose a grave risk to these healthcare organizations because most of them don’t have proper cybersecurity plans or data breach protection.
A typical healthcare organization has an average of 1,320 vendors under contract. From a cybercriminal stand, it makes more sense to attack a third-party vendor. If the attack is successful, they gain access to the parent company's data. It is in this nature that 55% of healthcare organizations have suffered a third-party data breach in the last 12 months.
Methods used by attackers include exploiting weak passwords and access controls to gain healthcare organizations' network access. Also, a considerable number of healthcare organizations have insecure external-facing servers and databases that make it easy to hack and gain access to their valuable data.
How to deal with a third-party breach
In 2023 and beyond, healthcare organizations should have proper application security and network security to prevent a third-party breach from happening. Encryption is one strategy for protecting patient data. In case of a breach of patient data, the attacker cannot decrypt the data without access to the encryption keys.
The encryption should be done at rest and in transit so that even if a hacker gets into the system, they cannot get away with the data. Training on handling personal health information will also be handy when curbing third-party breaches. Last, vet third-party vendors to ensure they have the proper security infrastructure to protect healthcare data from being vulnerable.
2. Cloud breaches
Seventy-three percent of healthcare organizations store sensitive data in the cloud. What's more, 45% of this data is personal health information. Sixty-one percent of healthcare organizations surveyed by Netwrix had experienced an attack on their cloud infrastructure in the last 12 months, and phishing was the most common cloud breach.
The biggest challenge in ensuring data security in the cloud was that 69% of their IT/security team are understaffed. 55% lack expertise in cloud security, and 33% lack the budget to implement a cloud security strategy.
How to avoid cloud breaches
Going forward, beyond securing the traditional on-premise IT infrastructure, healthcare organizations should invest in building a secure cloud infrastructure.
Keep testing, monitoring and analyzing enterprise cloud infrastructure to catch on any vulnerabilities and seal loopholes in healthcare security. There are cloud management platforms that can monitor the cloud for your organization. While investing in the infrastructure, it is indispensable to have security policies in place for remote access, BYOD, password use, and data transfer and disposal.
Continually, educate all staff on these cybersecurity guidelines. Lastly, have a disaster recovery plan in case of a cloud breach or attack. A remote data backup system will be paramount.
3. IoT attacks
Fifty-three percent of Internet of Things (IoT) devices in a hospital are at risk of being attacked. The most vulnerable of these devices is the IV pump which accounts for 38% of a typical hospital IoT footprint. The second most vulnerable is the VOIP (Voice over Internet Protocol) which accounts for 50% of IoT devices in a hospital.
The most common cybersecurity risk to these devices are insecure passwords. Most Internet of Medical Things (IoMT) and IoT devices use their default passwords, which hackers can get easily online from their manuals. The rest simply use weak passwords that are easy to hack.
How to prevent IoT breaches
It is vital to build more secure medical IoT devices. To secure IoT devices, a group of 104 tech stakeholders have come up with a global consensus on IoT security standards, specifications and guidelines. The framework describes five tenets of IoT security, including:
- End of universal default passwords
- Implementing a vulnerability disclosure policy
- Regular software updates
- Securing communications
- Ensuring that personal data is secure.
Other solutions would be to use strong passwords for IoMT devices, as well as maintain an inventory of all IoMT technology and use it to conduct risk assessments.
To protect healthcare organizations from cybersecurity vulnerabilities, it is crucial that security leaders understand them first, create a policy around them, and allocate a budget to handle them. With the above information, they will be able to do this and make headway in shielding their healthcare organizations from any data vulnerabilities.