Why Hackers Love HealthcareThe migration of valuable data to the cloud is piquing the interest of cybercrimimals. But there are ways to fight back.
Much like the rest of the world, healthcare organizations are shifting work to cloud services in order to improve accessibility and patient care. However, the migration of these workloads and moving valuable information such as PHI (personal health information) and PII (personally identifiable information) to the cloud has also led to cybercriminals taking a particular interest in the industry.
The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk. From 2011 through 2014, the sector — including hospitals, labs, pharmacies, drug companies and outpatient clinics — experienced the highest number of data breaches of all industries. What makes these organizations such a popular target?
1. Highly Valuable Data
One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.
A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cybercriminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it for a longer period of time.
2. Lack of IT Investment and Training
Another reason the healthcare industry is popular among cybercriminals is its systematic underinvestment in IT security. Most healthcare organizations spend just 3% of their IT budgets on security, while the SANS Institute — the largest provider of cybersecurity training and certifications — recommends spending at least 10%.
For most healthcare organizations, security is often an afterthought. They don't provide regular cybersecurity training for their employees, which could help reduce insider threats. For example, 18% of healthcare employees say they're willing to sell their login credentials for between $500 and $1,000. And about one-quarter of healthcare employees know someone in their organization who has engaged in this practice.
To address employee-related cyber vulnerabilities, it's important to note that while training is essential, it won't magically protect patients’ digital data. Although some hospitals struggle to deploy the most basic IT security measures, such as intrusion detection and the ability to wipe lost or stolen devices, it is imperative that basic cyber hygiene practices are coupled with ongoing training to both protect well-intended employees and mitigate future data loss from those seeking to profit.
3. Highly Connected Systems
Having shifted workloads to the cloud, healthcare organizations have highly connected systems that run the risk of being deeply affected even if the attack takes place on smaller, partial systems. In other words, a cyberattack in one place could bring down the entire system. In May 2017, the WannaCry ransomware attack forced multiple hospitals across the United Kingdom to turn away ambulances transporting patients and cancel surgeries that were within minutes of starting. Even basic processes like admitting patients and printing wrist bands were compromised.
The impact of WannaCry illustrates how important it is for healthcare organizations to be able to function and provide patient care during a cyberattack. After all, lives are at risk, meaning there's a general urgency to get back to business as soon as possible. For attackers, this urgency makes it extra tempting to target healthcare organizations, because they assume it will make them more likely to pay the ransom to reverse the infection.
What can the healthcare industry do to mitigate cyber threats? To begin with, the industry must realize that cybersecurity is human-centric. Gaining insight into the normal rhythm of users' behavior, for example, or the flow of data in and out of the organization improves risk response. Additionally, the industry should be aware that cybersecurity isn't just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.
Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all personnel on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated on a regular basis.
Additionally, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization's infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.
Yes, reaching 100% security against cyberattacks won't happen. But with a few steps, healthcare organizations can make sure that it's too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.
Allan Alford is Chief Information Security Officer (CISO) at Forcepoint. In this role he leads Forcepoint's corporate security and governance program, including the implementation of the company's internal user and data protection program for 2,700 employees worldwide. As ... View Full Bio