Editor’s Note: Steve Winterfeld is an advisory chief information and security officer at cybersecurity, delivery and cloud service company Akamai.
For most businesses, being knocked offline by an attack like ransomware can lead to lost revenue and dented brand trust. For a hospital, the stakes are infinitely higher. To be clear, a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime.
Ransomware is not the only issue. Cyberattacks against healthcare organizations, including those serving some of the world’s most vulnerable patients at a number of regional and national hospitals, persist because healthcare data is among the most profitable industries for cybercriminals. A single record fetches as much as $1,000 on the dark web. Social Security numbers, by comparison, are valued at $1. Additionally, one ransomware-as-a-service group’s recent alleged targeting of hospitals with distributed-denial-of-service, or DDoS attacks, is another indication of this focus on the industry.
This alarming pattern has put healthcare security leaders at the digital front lines of the battle against cybercriminals, and their experiences in protecting their organizations show a clear need for increased awareness and enhancement as the healthcare industry becomes a focused target of attackers.
Increasingly sophisticated attacks, challenging landscape
A new third-party study from Porter Research has found that:
- More than half of provider executives surveyed experienced a cyberattack in the past three years.
- 36% of life sciences and pharmaceutical industries reported a known breach
- 27% of health insurance payers reported experiencing an attack between 2019 and 2022
These numbers could actually be higher, given the HHS reporting threshold is a breach involving 500 patients or more.
The increasing severity and frequency of cyberattacks on healthcare organizations — and the high stakes surrounding them — is a growing concern. Leaders across provider, payer and life sciences organizations cite growing hacker sophistication as the primary driver behind the increase in successful ransomware attacks. This is further backed by Microsoft’s most recent Digital Defense Report, which noted a rise in credential phishing schemes, social engineering tactics and greater use of attacks like ransomware. Healthcare is facing a broad array of threats using a wide variety of methods to extort and steal data.
Basic protections, such as email filtering and firewalls, are being used by 81% of leaders as a primary defense mechanism against cyberattacks. However, across provider, payer and life sciences/pharmaceutical companies, Porter Research found more than half of leaders are “less than fully confident” in the technologies they use to prevent and mitigate ransomware attacks. Today, companies should have zero trust access controls, segmentation to prevent lateral movement, endpoint protections and secure web gateways monitoring data/users going outside the network.
Patrick Sullivan, chief technology officer for security strategy at Akamai, has stated that many ransomware crews target organizations that are more likely to pay. Due to the life or death nature of their mission, the healthcare industry is perceived as being more likely to pay to restore access to life-saving systems. Healthcare organizations also face a large exposure to ransomware. Chief information and security officers in healthcare are often dealing with complex environments and struggling to hire and keep cyber experts on their staff resulting in the need for strategies built around maximizing the integration and return-on-investment of security solutions.
The complex federated environments, an increasingly intricate regulatory landscape, the difficulty in finding cybersecurity expertise, the exploding number of medical devices and the extraordinary number of legacy systems in most healthcare organizations all contribute to the lagging cybersecurity environment. Meanwhile, the growing use of third-party and external vendors to expand clinical and technical capabilities has further complicated matters. It is time to evaluate your security controls and see where you can mitigate risks across the enterprise.
Prevention is the best medicine
It’s long been said that “prevention is better than a cure.” As it turns out, that philosophy is increasingly being adopted by healthcare IT leaders for the health and sustainability of their enterprise networks and broader ecosystems. That means the right integrated security controls that provide both strong protections and rapid detection of compromises.
An overwhelming majority of Porter study respondents noted that, in order to meet the increasing sophistication of attackers, they’ll dedicate even more resources to cybersecurity than ever over the next few years. Considering the financial, clinical and reputational impacts of downtime, this is promising sentiment from healthcare industry technology leaders. The question is how to get the most risk reduction from that investment.
To keep up, payer and provider survey respondents are prioritizing resource investment into infrastructure enhancement, including but not limited to: protecting the edge with zero trust network access management and multi-factor authentication; protecting the enterprise with segmentation tools to minimize impact if malware gets into the network; protecting engagement with the internet through SWG, DLP and sandboxing. And, let’s not forget, preventing DDoS attacks.
These are some of the key controls to leverage in order to protect the data journey that staffs go on every day to ensure they have access when they need it.
For healthcare organizations, cybersecurity means defending patient safety. Those who make the necessary investments in strengthening their cybersecurity posture beyond the basics will ultimately enable practitioners to provide their best care possible and strengthen patient trust.
