Updated: Apr 16
Based on 2018 research, healthcare information is the second most at-risk data type. Since 2019, approximately 25 million patient records have been impacted.
The most common questions that bother many people include:
● Why is healthcare the primary target for cyber-attacks, or hackers?
● Why do more than 25 percent of cyber-attacks affect healthcare facilities or hospitals?
● Why are healthcare organizations more vulnerable to cyber-attacks?
In this post, we will address these common questions and discuss the possible reasons.
In 2020, COVID-19 brought an unprecedented spike in cyber-attacks across the healthcare sector, impacting the delivery of care and the research and development of vaccines. Unfortunately, COVID-19 is not entirely responsible for cyber-attacks; however, there are many other reasons why healthcare is the primary target for cyber-attacks.
Why Do Hackers Target Healthcare or Hospitals?
The healthcare sector is currently in a precarious position because new technologies have been continuously increasing the success of outcomes, with the latest resources, technological medical devices, and remarkable consistency. However, this technology transformation has seen a shift of device to the network which invites cyber threats and increases the vulnerability to attack.
There are many reasons behind what makes healthcare an appealing target for cyber-attacks. As a patient or provider of a health organization, you should be aware of the reasons cyber-attacks healthcare organization are more susceptible.
Below, we will review the top eight reasons why healthcare has become more susceptible to cyber-attacks. Reviewing these top eight factors will help you better understand why cybersecurity training, awareness, and protection are so critical in the healthcare industry.
1. Financial Incentives of Selling Private Patient Information on the Black Market
Health records and other patient-related information are in high demand in the black market. With healthcare organizations having extraordinary storage of and access to all of patient information, hackers view healthcare organizations as prime targets for their black market pay day and cybe-business objectives.
In some instances, hackers are able to essentially sell hacked patient information back to the hospital because they use ransomware to hold the hospital’s information hostage until they receive payment to return the information. Ransomware attacks of seen the sharpest rise over the last year.
Because of the prevalence of patient related information, medical record security is a primary concern for persons working in the healthcare industry. It is the responsibility of every healthcare organization to keep their patient's records secure.
As GDPR becomes an integral factor this year outside the United States, the financial impacts of health data exposures and breaches will become more essential for hospitals as they are already struggling with financial strain of operating under the constraints of a global pandemic every day.
2. Healthcare Staff are Often Unprepared to Deal with Cyber Risks
To increase healthcare cybersecurity resilience and minimize cyber risks, medical professionals across the organization should be familiar with, and receive recurring training, to be better prepared for the cyber risks they are likely to confront. With competing priorities in varied roles, and time limitations, it's quite challenging to educate and familiarize medical staff on cyber threats and malware.
Educate all staff members are familiar with basic online protection best practices to minimize cyber risks. Beware of external emails with attachments or links. Only share patient information over secure methods to known business entities. Never share personal information or your password.
Healthcare staff must be trained about associated risks with medical devices and identifying the common cybersecurity and medical device risks. At a basic level the staff should understand the medcial device may interface to other systems, and these interconnected devices and systems create additional risk.
Also these devices can, and do, often collect, store, and transmit protected healthcare information over the network putting patient information at risk. Educating your staff about cyber threats means adding additional layers of context to training so that security across the organization is part of the cybersecurity system.
3. Legacy Technology and Tight Budgets in Healthcare Systems
For all the remarkable advances in medical innovations over the past decade, not every aspect of the healthcare industry has kept pace. Many health systems maintain outdated technology because of financial constrains due to high cost capital equipment and limited capital budgets.
New frameworks, IoT inventories, advanced connected medical device inventories, and predictive maintenance IoT systems may periodically release updates to enhance security, but more often the clinical innovations and devices with become obsolete before security and software elements are maintained at a ‘current’ state to reduce risk.
While the latest technologies and software updates generally enhance device cybersecurity, and may provide bug fixes to keep systems reasonably secure, with medical devices the regulatory nature and software development cycles of the manufacturers just do not keep pace with the escalating vulnerabilities in the healthcare environment.
Health systems must continually adapt and respond to cyber threats aimed at their connected medical devices and systems to keep their data information secure. Meeting this challenge is only possible if health systems adopt the latest technologies focused on medical device security challenges of vulnerability and threat management.
4. Connected Medical Devices can be Network Entry Point for Attackers
In a healthcare system, medical device cybersecurity is a critical factor, which can't be ignored because medical devices are an easy entry point for attackers. Medical care and medical device innovations ensure that more devices will be on our healthcare networks next week than there was today. Medical devices such as x-beams, insulin pumps, and implantable defibrillators can all be accessible via a network and assume a necessary part of routine medical care today.
Medical devices and innovations are intended for an intended purpose, such as; observing heart rate or administering drugs. These are not often designed based on their intended use and not by keeping medical device security in mind.
Medical devices may not be an attackers intended target for network access, although with little to no security the medical device may serve as the entry point to launch an attack on servers or others networked assets that hold crucial (and financially rewarding) information.
If hackers can get access to a medical device, they can prevent a health system from providing care and treatment to patients.
5. Broad Access to Data, Creates Opportunity for Attackers
In healthcare system, there is broad sharing of access to information across business entities and relationships to provide the best outcomes to every patient.
For optimal asset utilization or use of medical devices to meet today’s virtual care sessions, many devices may need to be connected in a network. However, connecting medical devices in a network can broaden the hackers attack surface and create additional risk to the organization, as not all devices may be secure.
Apart from this, clinical staff are not specialist strained in the details and best practices required for a secure network and may not be are that vulnerable or compromised devices create added risk on the network. One hacked device can render an entire network vulnerable, or worse exploited resulting in harm to patients or the inability for the health system to provide care.
It would be best to purchase medical devices from reputable medical device manufacturing companies. Reputable medical device manufacturers can provide medical device lifecycle management services and provide programs to address risk and software support over time. These companies may also support the healthcare staff to identify and address the risks of a given device upon the user, patient, and operations.
6. Broad Use and Sharing of Healthcare Data
In the healthcare industry, there is an opportunity to stop and consider the security risks of connected medical devices during the repurchase phase of device procurement. Many connected devices may collect, transmit, and/or collect protected patient information, both on location instantly and distantly on supporting medical devices and systems. Generally healthcare data is broadly shared across the organization, devices, and systems.
The secondary concern is that not all medical devices are secure. Many existing (i.e. legacy) device present a challenge as security and risk were not any part of a pre-purchase assessment and all efforts to secure the device(s) becomes a post-sale, customer driven effort.
Clinical staff are accustomed to using a device in a fashion or protocol that may not be the best course to reduce risk, and as noted previously this is not the primary role or focus of the clinical staff. In this situation it is best to consider recurring risk assessments to ascertain continued mitigation approaches of a device supporting its intended use.
7. Quantity of Connected Devices Increases Risk to the Organization
Most health systems today have an extensive network of medical devices and are responsible for managing all the associated patient information that may be collected, transmitted, and/or stored.
With the size of a health organization, the range and number of connected devices on the network typically increases. Each connected device increases organizational risk and acts as a potential threat vector for cyber-attackers.
Clinical staff are often preoccupied with performing their daily duties, with minimal cyber risk awareness, particularly as it relates to the connected devices used in daily patient care. Most commonly, healthcare systems implement cybersecurity practices with information technology and security subject matter experts focused on securing the network against vulnerabilities, exploits, and cyber-attack impacts.
8. Small Healthcare Organizations are Vulnerable
Like big healthcare systems, small healthcare systems are equally vulnerable to cyber-attacks, but the reasons in both aspects are different. Large organizations hold a large amount of data; that's why attackers find them a primary target.
Often, small health systems (e.g. critical access, rural locations) have a small security budget; they often do not have the budget resources of staff to support the institution internally and cannot afford to outsource healthcare cybersecurity company or IoT cybersecurity company to support their organization to reduce risks from cyber threats or attacks.
It does not matter whether a healthcare system is large or small; both manage sensitive patient data, and are constrained by the previously discussed issues of data and medical technology risks, both require cybersecurity protection from cyber threats.
Health systems, their interconnected business relationships, and their diverse workforce collect, store, and store an abundant amount of sensitive and personal protected healthcare information data.
This information presents as a valuable target for cyber attackers due to its monetary and demand on the black market. Once this information is in the public sphere it can be sold, misused, and abused in various ways. , so you need to be protective about your healthcare data.
This blog has listed possible reasons healthcare systems are often targets for cyber attackers. Being aware of these factors and influences we can better understand the importance and need for medical device risk management programs and healthcare cybersecurity awareness overall.
Asimily is a healthcare cybersecurity service provider with focused security solutions for procurement risk assessments, threats protection technologies, and staff training courses that can help you protect your organization from cyber-attacks and grow in the years to come.