A patient requires an emergency surgical procedure. Surgeons need to perform an MRI scan before they can proceed with surgery. But the machine only shows a red screen asking for a bitcoin payment. The urgency of the situation cannot be overstated and yet cannot be addressed until the hospital goes through a lengthy and expensive recovery process for restoring access to their computer network that has been held hostage by a cybercriminal group using a commonly used ransomware.
Though this scenario may sound fictional, it is fast becoming a troubling reality of the healthcare sector which has lately been crippled by a barrage of sophisticated cyber attacks.
There was a time when only certain sectors of the economy faced the high-stakes challenges of dealing with cybersecurity risks. However, today every consumer-facing sector has to defend against the increasing occurrence and impact of cyber attacks.
The number of cyber attacks made on healthcare organizations has drastically increased over time. The impact of these cyber attacks ranges from the halting of operations at medical centers to large-scale breaches of sensitive medical data. The year 2015 can perhaps be called the worst year for the healthcare sector, as data breaches jeopardized over 100 million patient records. In 2016, 329 large-scale healthcare breaches were recorded, which exposed more than 16 million patient records. The following year, 2017, saw a number of healthcare data breaches (342 in total) close to that of 2016. However, only one breach was reported to affect more than 500,000 individuals and eight breaches impacted over 100,000 individuals. Once again, 2018 saw 18 large data breaches, three of which exposed more than 1 million healthcare records. All these figures show how attackers continue to bring down the healthcare sector with large-scale data breaches.
Trend this year
With more and more devices being interconnected, the healthcare sector is no exception. Attackers can target medical as well as IoT devices, which can not only compromise sensitive information but also put a patient’s life in danger. Threats like ransomware, which evolve frequently, can cripple medical systems once they infect them. A report by Verizon shows that ransomware accounts for 24 percent of cybersecurity attacks made on healthcare organizations, a figure that is expected to grow.
On the other hand, insider attacks are also on the rise. The same report reveals that insider attacks constituted 58 percent of cybersecurity incidents in 2018, against 42 percent for external attacks. Interestingly, this was only the case in healthcare organizations. Other sectors reported more external attacks than insider attacks.
Likewise, C-level executives of medical organizations are more prone to social engineering attacks. The report suggested that CXOs are 12 times more likely to be affected by social incidents and 9 times more likely to be a victim of a social breach. Attackers bank on large financial gains by targeting senior executives. Altogether, these three patterns are speculated to rise this year.
Beyond ransomware and spear phishing, cybercriminals can also employ sophisticated malware to maliciously tamper with medical information. Recently, researchers from Israel have developed malware that could alter medical scans of patients to falsely show tumors or other anomalies, thereby misleading the doctors in their procedure and risking patients’ lives.
Factors behind the cyber risks
It is quite evident that cyber attacks in this sector are increasingly successful. The reason: many healthcare facilities have a weak cybersecurity posture. A study by Ponemon Institute showed that over 50 percent of organizations either did not have a time period for reviewing and updating their incident response plan (IRP) or had not reviewed the plan after its creation. When it comes to the healthcare sector, the percentage could be even higher, as many local and regional medical centers, clinics, and hospitals lack the resources to set up, maintain and follow the necessary security solutions and procedures.
The absence of elements such as standard cybersecurity practices, procedures for managing incidents, and security training is among the main factors that give cyber attacks such a drastic impact. In parallel, the risk of cyber attacks has increased with more connected devices in use. This double whammy of the absence of requisite security measures and the digital transformation of the healthcare sector has led to heightened cyber risks.
To deal with the existing and emerging cyber threats, healthcare organizations need to address many shortcomings such as the lack of threat intel sharing, use of manual incident response processes, manual analysis, and lack of focus on predictive intelligence, among others.
Moreover, it is paramount for the healthcare sector to promote collaboration between various stakeholders for sharing threat intelligence, best practices, and training of staff members.
Over the years, many large security breaches and incidents have led to monetary and other kinds of losses. Just last week, Quest Diagnostics disclosed that a third-party breach affected nearly 12 million patients. In this case, the third party was the American Medical Collection Agency (AMCA), which provides collection services to hundreds of large healthcare firms. As expected, Quest Diagnostics was not the only company to be affected by this breach. Within the next few days, the number of affected patients crossed 20 million as LabCorp (7.7 million patients), Bioreference (422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories were added to the list of impacted organizations.
AMCA, which is a vendor to all these companies, was breached sometime between August 22, 2018, and March 30, 2019, by an outsider who had access to sensitive patient information. A breach of this size has led to multiple lawsuits against these organizations and exemplifies how lapses in security can have disastrous consequences for the healthcare sector.
As shown by the statistics from the last few years, the healthcare sector has witnessed several major data breaches. In 2017, the infamous WannaCry ransomware infected thousands of computers operated by the UK’s healthcare agency NHS, which resulted in the cancellation of thousands of scheduled appointments. The Department of Health found that the attack cost NHS a whopping £92 million. Earlier, in 2015, the American health insurer Anthem disclosed a massive data breach that compromised the personally identifiable information of over 78 million people. This led to a number of civil class-action lawsuits that were settled in 2017 for a total of $115 million. Moreover, security researchers have identified numerous threat actors and malware families targeting the healthcare sector, such as the Orangeworm group, which targets X-ray and MRI scan machines. Attackers have also leveraged information stealers and Trojans such as Emotet and Trickbot to extract healthcare information from vulnerable devices. With new advanced malware in the making, cybercriminals could also directly alter medical data and cause harm to patients.
Types of attacks
A report by the Department of Health and Human Services indicates that healthcare organizations are regularly afflicted with five types of attacks. These include phishing, ransomware attacks, data theft, insider attacks, and attacks made on medical devices. On top of this, each attack type can have many variations, which poses an added challenge for mitigation.
Despite all the challenges and issues, the healthcare sector continues to spend billions of dollars on cybersecurity. Investment in cybersecurity solutions has seen a steep rise. In addition, healthcare organizations are leaning towards taking more precautionary measures to protect their resources from cyber attacks, which, in turn, increases the need for cybersecurity solutions.
Collaboration between the healthcare sector and governments is also on the rise. For example, in the US, a program called Cybersecurity Talent Initiative has been promoted by 11 federal agencies to reduce the talent gap currently existing in cybersecurity. This not only employs more security personnel but will also go a long way in stopping thousands of attacks that are witnessed every year. Fortunately, government initiatives are aggressively focusing on boosting the overall cybersecurity outlook in the sector. However, whether this will be enough, only time will tell.
More players, More complexity
Organizations from different sectors are also venturing into healthcare. For instance, Uber and Lyft’s entry into providing services such as non-emergency medical transportation (NEMT) is a telling sign of how firms are slowly embarking on their journey in this sector. But this again carries the risk of cyber attacks expanding to stakeholders associated with the involved company in healthcare.
Ultimately, as more parties get involved, cybersecurity in healthcare gets more and more complex. This brings forth new security and regulatory challenges for all the parties involved and above all, creates more entry points for attackers to target people’s protected health information. The right way for organizations to navigate these muddy waters is to work together by sharing intelligence to improve cross-sectoral collaboration and their readiness for any security incidents.
The healthcare sector is becoming more and more dependent on a digital environment. This leads to a larger attack surface and consequently provides room for attackers to chart out devastating attacks. While the breadth of the healthcare sector makes it challenging to implement foolproof cybersecurity measures, a forward-looking approach with a focus on collaboration and leveraging innovative cybersecurity solutions can go a long way in ensuring a healthy and safe future for all.