Cybersecurity is vital for all industries, but there are few in which breaches have more impact than in healthcare.
Threats like patient data leaks and attacks affecting vital hospital machinery can have major impacts on patients’ lives. Due to confidentiality and liability clauses, they can also be disastrous for healthcare providers.
Attackers know this, and that knowledge, often combined with the widespread use of outdated computer software, makes hospitals and healthcare administration services tempting targets.
It's something of which the industry is well aware. According to GlobalData, the parent company of Hospital Management, cybersecurity has been the 8th most mentioned theme in healthcare company filings for the past eight years, racking up 57,404 mentions in 2023 alone. Awareness alone is not enough, though.
An FBI report found that cyberattacks on hospitals are increasing at an alarming rate, and a survey performed in January suggests that the ability of healthcare providers to defend against these attacks may in fact be falling.
This year, there have already been two major attacks on healthcare providers. Change Healthcare, a payments manager and subsidiary of UnitedHealth, was attacked in February, locking practices out of payments for insurance claims. The damage has threatened many practices with closure and reportedly cost the company $22m to fix.
Earlier this week (8 May), private healthcare provider Ascension was also hit by an attack, though few details are known at this time.
In light of these attacks, Hospital Management has reached out to cybersecurity experts in the field to hear why companies need to make cybersecurity a key priority, and how they can stay safe.
Administration and legislation concerns
Due to the highly sensitive nature of healthcare records, most of the world has strict regulations for confidentiality. A records breach can therefore cost more than just a ransom if it falls foul of legislation like HIPAA (US) or GDPR (EU/UK).
On the other regulatory concerns raised by such attacks, Victoria Hordern, partner at Taylor Wessing's technology, IP and information team, explains: "Keeping health data secure in our technology-charged world is not an easy feat. Companies have lots of new rules from both a UK and EU perspective to get used to – like the recently enacted security requirements under the UK Product Security and Infrastructure Act and the forthcoming EU Network and Information Security Directive (NIS2).
“The UK's Product Security and Infrastructure Act (through its regulations) requires manufacturers to comply with a higher standard of security, concerning aspects like the setting of default passwords on devices. The EU's NIS2 imposes obligations on a broader range of companies who will be required to carry out additional security measures such as risk assessments and timely reporting to a Computer Security Incident Response Team (CSIRT) if a significant security incident occurs.
“Non-compliance with NIS2 will result in hefty fines. But not only that, increasingly devices and apps that provide healthcare are in the hands of patient users and are being influenced by the impact of new AI technologies. Where there is a multiplication of devices and a variety of different parties involved (i.e. NHS trusts, healthcare providers, tech support), there are also more points of weakness and vulnerability where bad actors can seek to gain entry into and control systems.
“A health data repository is a tantalising prospect for a cyber criminal intending to carry out a ransomware attack since they know that a healthcare body will be paralysed if it can't access data to provide patient care. Just witness the recent chaos caused to US hospitals and medical providers by the successful cyber hack of Change Healthcare, the largest billing and payment clearing house in the US, which reportedly could cost the company as much as $1.6bn.
“Consequently, health companies and public sector health bodies should regularly test for potential vulnerabilities within their security infrastructure. But it's not just checking technical aspects and system design. It's also testing the resilience and understanding of staff to identify and not fall victim to phishing attempts and to spot where activity on a network doesn't look right.”
Medical devices as attack vectors
It is also of vital importance to remember that any internet-connected device can act as a vector for attack. To stay safe, those defending hospital networks need to protect not only patient data, but the lifesaving machinery on those networks as well.
Mohammad Waqas, CTO of Healthcare at cybersecurity firm Armis, explains: “In 2023 alone, healthcare organisations saw a consistent month-over-month increase in attack attempts of 13%. Costs of healthcare breaches soared, and the UK’s healthcare sector saw an average of 1,383 cyberattacks per week. This constant barrage of attacks has resulted in millions of patients having their privacy violated, jeopardising trust in the healthcare system and potentially delaying critical care.
“The rapid proliferation of connected medical devices, from infusion pumps and patient portals to media writers and imaging equipment, has created a vast and vulnerable attack surface. Nurse call systems have been identified as one of the riskiest medical and IoT devices in clinical environments, with 39% having critical severity unpatched CVEs and almost half (48%) having unpatched CVEs.
“More worryingly, millions of medical devices in NHS Trust hospitals across England are either incapable of running security software or rely on EoS versions. In many cases, they’re totally unmonitored. Therefore, healthcare organisations must consider the criticality of assets within the care process. Not all devices are equal – an infusion pump in an ER carries a higher risk than one in a day clinic. Only by understanding and seeing all potential vulnerabilities, can organisations prioritise remediation efforts and effectively mitigate risks.
“This means having complete visibility and security for all connected medical devices, clinical assets and the entire healthcare ecosystem. Other steps include segmenting the network and creating barriers between critical systems and older devices to help contain potential breaches and limit the damage attackers can inflict. Implementing best practices like strong passwords, firmware updates and access control – alongside complete visibility of the attack surface – can improve cyber hygiene and make organisations less vulnerable.”
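One way to turn the prioritisation Waqas describes into something a security team can run against an asset inventory, as an added example that is not code from the original article or from Armis: each device gets a score that combines its worst unpatched CVE with how critical its clinical location is, plus penalties for conditions the quote singles out (end-of-support, unable to run security software, unmonitored). Devices that can never be patched or instrumented are flagged for their own network segment. The weights, device fields and the sample inventory are assumptions constructed for this example, not real devices or real CVEs.

```python
from dataclasses import dataclass, field
from typing import List

# Hypothetical criticality weights per care setting (an assumption for this example).
LOCATION_WEIGHT = {"ER": 3.0, "ICU": 3.0, "ward": 2.0, "day clinic": 1.0}


@dataclass
class Device:
    name: str
    kind: str
    location: str
    cvss: List[float] = field(default_factory=list)  # base scores of unpatched CVEs
    end_of_support: bool = False   # vendor no longer ships fixes
    can_run_agent: bool = True     # can host endpoint security software
    monitored: bool = True         # its traffic and logs reach the SOC


def vulnerability_term(d: Device) -> float:
    """Exposure from unpatched CVEs: the worst score dominates, each further
    critical (CVSS >= 9.0) adds 0.5, capped at the CVSS maximum of 10."""
    if not d.cvss:
        return 0.0
    worst = max(d.cvss)
    criticals = sum(1 for s in d.cvss if s >= 9.0)
    extra_critical = criticals - 1 if worst >= 9.0 else criticals
    return min(10.0, worst + 0.5 * extra_critical)


def exposure_penalty(d: Device) -> float:
    """Conditions that make a vulnerability harder to fix or to notice."""
    penalty = 0.0
    if d.end_of_support:
        penalty += 2.0   # no patch will ever arrive
    if not d.can_run_agent:
        penalty += 1.0   # cannot be hardened in place
    if not d.monitored:
        penalty += 1.0   # a compromise would go unseen
    return penalty


def risk_score(d: Device) -> float:
    """Criticality-weighted risk: the same pump scores higher in an ER than in a day clinic."""
    return LOCATION_WEIGHT.get(d.location, 1.0) * (vulnerability_term(d) + exposure_penalty(d))


def needs_isolation(d: Device) -> bool:
    """Devices that cannot be patched or instrumented belong behind a segmentation barrier."""
    return d.end_of_support or not d.can_run_agent


def prioritise(devices: List[Device]) -> List[Device]:
    """Remediation order, highest risk first."""
    return sorted(devices, key=risk_score, reverse=True)


# Constructed sample inventory (hypothetical devices and scores, not real data).
INVENTORY = [
    Device("pump-er-01", "infusion pump", "ER", cvss=[9.8, 7.5]),
    Device("pump-dc-04", "infusion pump", "day clinic", cvss=[9.8, 7.5]),
    Device("nurse-call-w2", "nurse call system", "ward", cvss=[9.1, 9.0, 6.5], can_run_agent=False),
    Device("mri-01", "imaging", "ward", cvss=[7.2], end_of_support=True, monitored=False),
    Device("portal-01", "patient portal", "ward", cvss=[5.3]),
]


if __name__ == "__main__":
    for d in prioritise(INVENTORY):
        flag = "ISOLATE" if needs_isolation(d) else ""
        print(f"{d.name:14} {d.kind:18} {d.location:11} risk={risk_score(d):5.1f} {flag}")
```

Run as-is it prints the remediation queue for the constructed inventory: the ER pump ranks first even though the day-clinic pump carries identical CVEs, and the unmonitored end-of-support scanner outranks a newer device with a single medium-severity finding because no patch is ever coming for it. The weights are deliberately simple so that a team can replace them with its own clinical criticality model.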
These thoughts are echoed by Spencer Starkey, VP of EMEA at cybersecurity firm SonicWall, who sees medical equipment and telehealth platforms as a key target for future hacks.
“Internet-connected medical equipment can be expensive,” Starkey says. “When a hospital invests in a new device, they expect it will give them many years of use. But what happens when the original device maker stops developing updates for it? It’s not always as easy as buying a new one, especially if said device costs hundreds of thousands of dollars.
“Suddenly, that priceless device has become an inexpensive threat vector. In 2024, we expect to see an increase in medical device hacks that will enable cybercriminals to target medical devices to steal patient data, disrupt healthcare operations or even harm patients. We believe we'll also see threat actors targeting telehealth platforms.
“Telehealth platforms are becoming increasingly popular, and cybercriminals are taking notice. A compromised telehealth platform can enable a bad actor to steal patient data, disrupt healthcare operations and even impersonate healthcare professionals. Healthcare organisations need to take steps to secure their telehealth platforms and protect patient data.”
What can be done?
While there are some very basic steps that all healthcare providers should adopt – including investing in cyber insurance, something Change Healthcare went without – a robust approach requires rather more involvement. Eoghan Casey, VP for cybersecurity strategy and product development at software-as-a-service (SaaS) provider Own Company, offers a checklist:
- Perform regular electronic protected health information (ePHI) check-ups. Like regular check-ups with your doctor, routine risk analysis of your SaaS data helps identify gaps in your security posture before a successful attack exploits them.
- Maintain ePHI health and hygiene. Although SaaS providers are responsible for the security of their platform, it is up to the customer to protect their data. The first line of defence against unauthorized access to ePHI is multi-factor authentication and restricting API access. Routinely backing up mission-critical SaaS data to a secure third-party system is essential to recover from incidents, including data loss and corruption.
- Diagnose ePHI problems and misuse. An ongoing challenge is to prevent people from putting ePHI at risk. The solution is a combination of raising awareness and routine monitoring. Effective data breach and data loss prevention starts with employee education. It’s critical that all staff members understand evolving data security risks and are well-equipped to prevent an outside attack.
- Address problems promptly. When it comes to cybersecurity protection, take inspiration from the ultimate defender: the human body’s immune system. Similar to an infection, organizations that experience a serious cybersecurity incident learn from the experience, creating digital antibodies that improve their data security posture and incident response capabilities. An effective approach to building incident preparedness without actually suffering a major disaster is to conduct periodic exercises that test response processes.
- Cultivate operational continuity. Being prepared for the worst-case scenario makes it easier to restore normal operations when something actually happens.
- Understand legal obligations. Healthcare providers are required by law to perform certain actions after experiencing a data breach. For instance, the HIPAA Breach Notification Rule includes notification of impacted individuals, informing Health & Human Services (HHS), and, under certain circumstances, publishing a press release for prominent media outlets, all within 60 days of discovering the breach.