Fortra. The State of Cybersecurity in Healthcare

In the past fifteen years, at least 5,887 large healthcare data breaches have been reported to the U.S. Office for Civil Rights (OCR). With so much sensitive personal data housed in one place, it is no wonder the healthcare sector is a prime target of attack.

The State of Cybersecurity in Healthcare  

According to the HIPAA Journal, healthcare-targeted data breaches have been trending upwards over the past few years, with nearly 46 million records breached in 2021 and nearly 52 million in 2022. However, 2023 “smashed all previous records with an astonishing 133 million records exposed, stolen, or otherwise impermissibly disclosed,” the Journal states.

According to the Verizon 2023 Data Breach Investigations Report, 35% of healthcare data breaches stem from internal bad actors, while 66% come from outside. What motivates attackers targeting this sector? Per the same report: money, espionage, fun, and ideology, in that order.

There are several key factors that make healthcare a highly targeted industry:

  • Vast amounts of sensitive data 
    With swaths of personal health information (PHI) and other forms of personally identifiable information (PII) in their databases, healthcare organizations are a jackpot for criminals.
  • Slow digitization 
    A slow-moving technology update culture leaves many medical groups still transitioning to digital records and, consequently, still learning how to secure them.
  • Third-party risks 
    The global healthcare supply chain is so vast that the healthcare supply chain management market is expected to more than double in size in the next six years and is already valued at nearly 3 billion dollars worldwide. That does not even account for the software supply chain, and with ubiquitous digitization, cyber threats can lurk anywhere among those upstream vendors.

Additionally, the most common cyber threats and vulnerabilities resulting in data breaches are:

  • Ransomware attacks
  • Email phishing
  • Electronic health records vulnerabilities
  • Insider threats
  • Lost, stolen, or misplaced devices
  • Identity fraud
  • DDoS attacks

To take just a few of these: ransomware attacks on hospitals have changed for the worse, becoming more sophisticated and evolving into a matter of life or death, since compromised devices can include defibrillators, surgical technology, and life support machines. As for social engineering, phishing is not only the leading cause of healthcare data breaches but appears to be increasing, with 57% of healthcare cybersecurity professionals stating that their most severe security incident involved phishing.

And since the Electronic Medical Records (EMR) Mandate took effect in 2014, healthcare groups with no prior experience creating digital health documents have had to secure them, with varying levels of success. A report by Critical Insight noted that EHR-related breaches accounted for a full 7% of all data breaches in the healthcare sector within a six-month period.

The Main Industry Challenges

Beyond the high attack rates, it is safe to say that the healthcare sector has its share of troubles when securing patient data. The main industry challenges include:

  • Increasing costs 
    Rising costs associated with healthcare and tight security budgets make it nearly impossible for healthcare organizations to effectively manage the vast amount of data flowing through their systems and storage spaces.
  • Complex technologies 
    Newer technologies like smartphones, tablets, and even medical IoT devices can throw people and processes for a loop, and legacy healthcare security systems have a hard time keeping up. As organizations move to the cloud and otherwise diversify their digital landscapes, it is challenging for security leaders to ensure medical device security. Medical devices like X-ray and MRI machines are also potent attack vectors for hackers.
  • Intertwined systems and omnichannel interactions 
    The complexity of EHR systems, increased cloud usage, the rising number of health-related apps, and remote work (even doctor’s visits) expand the medical attack surface, introducing more opportunities for endpoint attacks.

Solutions on the Horizon 

Notwithstanding the challenges, there are also solutions coming to the forefront. The U.S. Department of Health and Human Services (HHS) Cybersecurity Strategy for the Healthcare Sector is one such example. It is a framework put forth by the federal government to help protect the healthcare sector against cybersecurity threats. Its tenets include:

  1. Establishing voluntary security goals within the healthcare industry
  2. Incentivizing the accomplishment of these security goals
  3. Implementing an HHS-wide strategy for greater enforcement and accountability
  4. Expanding and maturing the HHS “one-stop shop” for healthcare cybersecurity

Government strategy and involvement are an encouraging step toward developing mature healthcare cybersecurity regulations. However, they must be coupled with the right security technology.

Cybersecurity Best Practices for Healthcare and How Fortra Can Help  

When crafting their security strategy, it is important for organizations to prioritize prevention, not simply the cure. Prevention goes a long way toward protecting PHI and PII from being exposed in the first place and saving medical groups from damage to their systems and reputation.

Here are a few tips for developing a preventative security approach:

  • Choose a multi-layered data security solution that will help you classify data, detect and prevent leaks, and encrypt sensitive data both in transit and at rest, as well as provide next-generation data loss prevention (DLP) for healthcare.
  • Monitor for changes to your EHR so you know when an unauthorized party is trying to make changes without the owner’s consent.
  • Perform risk assessments on your network, technologies, software, and applications to close security gaps. Regularly patch software to ensure all systems are up to date.
  • Invest in a robust identity governance and administration (IGA) solution to help you properly manage access to medical devices, hospital rooms, and applications.
  • Pick an identity and access management (IAM) platform that features a managed file transfer (MFT) solution and a zero-trust methodology as standard components. HIPAA secure file transfer solutions enable your team to work with confidence and focus on what matters — all while keeping patients, the organization, and the industry safe.
  • Find a trusted email security solution that can distinguish good email behavior from bad.
  • Closely manage and monitor third-party vendors who have access to your systems and data.
  • Maintain a detailed incident detection and response plan at all times. While prioritizing prevention, it’s vital to always be ready for a crisis.
  • Share your experiences. Team up with healthcare security experts and government agencies to share your expertise and find innovative solutions to emerging threats.

And remember, good healthcare cybersecurity software solutions deliver effective compliance, helping you keep up with standards such as:

Source: Fortra