Healthcare Cyber Attacks: Recognizing Vulnerabilities to Get Ahead of Cybersecurity Challenges

The healthcare sector is at increasing risk for cybersecurity breaches. In just the past few years, there have been a growing number of healthcare cyber attacks via malware and ransomware that have created devastating consequences for healthcare organisations across the globe.

• In May 2021, a New Zealand hospital saw services brought to a standstill as it struggled to fix its computer systems following a massive cyber attack.
• Also in May 2021, a ransomware attack crippled Ireland's health service's IT systems, leaving most of the country's hospitals without computers for over a week.
• In 2020, a patient died after ransomware hit a hospital in Germany, delaying their treatment.
• Also in 2020, a ransomware attack at a Colorado hospital left five years' worth of patient records inaccessible.
• A few years before in 2017, the WannaCry cryptoworm hit the UK's NHS, bringing machines such as MRI scanners to a halt, resulting in 19,000 cancelled appointments.

As criminals continue to take advantage of similar weaknesses, healthcare cybersecurity is integral. So, what are the issues, and what should healthcare organisations be doing to stay safe?

Healthcare sectors at risk

Healthcare cybersecurity covers multiple sectors, with hospitals and pharma representing particular targets.

Healthcare organisations are attractive to adversaries because of the vast amounts of data they store. While hospitals' data includes in-depth patient records to ensure they can maintain optimum levels of service, pharma firms typically possess a lot of valuable business IP.

Whichever healthcare niche they operate in, organisations of all sizes are vulnerable to attack. While bigger healthcare providers possess larger amounts of data, smaller organisations will have less budget for security, which could potentially add to the risk.

Covid-19 posing new threats

During the COVID-19 pandemic, healthcare cyber attacks ramped up further, with pharma an even larger target for cybercriminals looking to steal valuable data. Pharma is at increasing risk from nation state cyber espionage, with adversaries looking to get ahead by stealing other countries' vaccine data.

Another issue during the COVID-19 era is a surge in staff working remotely, using their own potentially insecure devices or working practices that create more weak points through which to attack. As a result, cybercriminals have been targeting employees with phishing emails that encourage them to click on a link or download a document, allowing the adversary to break into systems or steal credentials.

Vulnerabilities in security

Medical internet of things (IoT) devices also open up more vectors through which healthcare organisations can come under attack. Although these devices don't store data themselves, adversaries can use them as a means to leapfrog into a network and steal sensitive information, install ransomware or even form a botnet to perform a distributed denial-of-service (DDoS) attack.

Another major issue is the number of healthcare organisations still using outdated systems and software. Attackers can leverage weaknesses in older systems to sneak in and lock them with ransomware.

There is also a lack of cybersecurity awareness inside the healthcare industry overall. Many organisations think, "It won't happen to me," and therefore fail to take the basic steps needed to stay secure. This is made worse by falling budgets allocated to cybersecurity, with many in management failing to see the importance of spending on new systems and keeping them up to date.

Healthcare regulation

As past experiences have shown, the result of a cyber attack on a healthcare organisation can be overwhelming. Regulators across the world know the risks associated with healthcare cyber attacks, which is why the sector is considered critical national infrastructure (CNI) alongside the financial industry and utilities.

It is with this in mind that regulation is helping to improve healthcare cybersecurity. In the US, HIPAA regulation focuses on two main objectives:

• Security outlining how patient data must be kept secure.
• Privacy outlining how patient data should be only accessed by authorised people and used for authorised purposes.

Other examples include:

• The California Consumer Privacy Act (CCPA) outlines people's right to know the personal information collected about them and how it is used and shared.
• In Canada, The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private sector organisations collect, use and disclose personal information in the course of commercial business.
• In Europe, the EU's update to General Data Protection Regulation (GDPR) includes strict requirements covering how patient data is handled and shared.

Along with adhering to regulation to help keep data safe, there are several steps healthcare organisations can take to improve security and avoid becoming a cyber attack victim.

Steps to improve security

To avoid being hit by threats such as ransomware, healthcare cybersecurity starts with the basics, including strong passwords, two-factor authentication and making sure systems are patched and up-to-date. This should be used in combination with regular training to prevent staff falling for phishing emails that could allow an attacker to infiltrate a healthcare organisation.

In order to comply with regulation, healthcare organisations should also be using encryption to protect valuable data, alongside restricted access to data which will help to reduce risk.

Threat intelligence is key. Healthcare organisations need to be aware of the specific cybersecurity risks they face, and know how to mitigate them. This can be combined with a strategy that includes regular penetration testing by external companies that specifically tests readiness for threat vectors such as ransomware, DDoS attack, or anything else that could expose patient data or cripple critical operational systems.

Healthcare cybersecurity needs to be addressed at the board level, ensuring budgets are allocated to tackle the growing risk. Organisations need to accept that it isn't a matter of if they are attacked, but when, and know they have the strategy and tools in place to respond.

At a time of increasingly sophisticated cyber attacks, healthcare cybersecurity is paramount. By taking a strategic approach that takes into account the specific risks they face, healthcare organisations should be equipped with the tools they need to stay secure.