Every year the healthcare industry is greeted with headlines stating that ‘last year was the most-breached ever.’ That trend is unlikely to stop in 2022. The healthcare industry has historically been one of the most targeted by hackers, and one of the most breached by internal actors. Key reasons include vast amounts of highly sensitive patient data, higher-than-average payouts, and a slow-moving technology update culture (mostly due to budget constraints).
Now that 2021 is wrapped up and we’ve had time to analyze, it’s time to take a look at the big cybersecurity trends in healthcare. What threats did the healthcare industry face last year, and what can it expect to carry over into 2022?
Cyber Risk in Healthcare Grows Alongside Cloud Usage
The future of healthcare is data. Data that will be widely shared, collected, and analyzed – and not just by primary care doctors. Patients are increasingly able to drive their own health data collection through apps, smart devices, and other emerging technologies. But as the amount of data and methods for collection and sharing grow, so too does the appeal for hackers.
There is more data out there as well as more avenues for digital attack. While more data for patients can help drive better healthcare decisions, it also means that organizations need to safeguard additional data and inroads.
Changing Cyber Threat Trends: Internal Actors, COVID-19, and Expensive Healthcare
One study from Verizon found that healthcare organizations are facing a changing threat landscape. Luckily, part of that is that malicious internal actors are less of a threat than previously. However, human error and external threats are still leading causes of data breaches.
The pandemic caused additional issues for healthcare organizations, not only with a novel virus and overloaded hospital systems but also in terms of attacks: IBM found that healthcare jumped from 3 percent of all attacks in 2019 to 6.6 percent in 2020. COVID-related research and treatments were likely at the heart of this increase. As the pandemic continues to drive an increase in both the number and frequency of security attacks, it’s unlikely that the healthcare industry will be able to avoid these attacks – but it may be able to avoid breaches.
IT experts have also found that countries where healthcare is more expensive tend to be targeted at higher rates, the goal being to obtain protected health information (PHI), which can be more valuable than even credit card information.
Despite some positive shifts, the new additions and mainstays are still worrisome. Notes Nakia Grayson, IT security specialist at the National Institute of Standards and Technology (NIST), "healthcare continues to be plagued with cyber threats that include ransomware, malware, and phishing."
Cyber Attacks on the Healthcare Industry
HIMSS, the Healthcare Information and Management Systems Society, found in their 2021 Healthcare Cybersecurity Survey that financial information is the main target for hackers, and they continue to lean on tried-and-true tactics like phishing and ransomware.
Ransomware
In 2021 alone, 28 percent of all healthcare-related attacks were ransomware, according to IBM’s annual Threat Index. This malware subtype encrypts data on infected IT systems and demands a ransom in exchange for access to or decryption of that data.
A newer threat within the ransomware family is Ransomware-as-a-Service (RaaS). Like SaaS solutions, it allows less-savvy users to roll out ransomware by purchasing it and, sometimes, support and troubleshooting assistance from expert ransomware developers.
Phishing & Social Engineering
Phishing attacks target people to steal login or other confidential information by tricking users into clicking malicious links in emails, messaging apps, or on the web. It’s one of multiple social engineering attacks, which all involve manipulating users into exposing sensitive information. According to the HIMSS survey, phishing and social engineering are the foot in the door for most healthcare data breaches.
While these tactics aren’t new, they are getting smarter. And they continue to work for hackers: out of more than 150 cybersecurity professionals interviewed by HIMSS, 45 percent reported a phishing attack within the last 12 months.
Cybersecurity in the Healthcare Industry: Prioritizing Prevention
As this Forbes article notes, keeping data secure in healthcare is a unique case: a stolen bank card can be cancelled with only some inconvenience, but the results of lab tests or the notes a doctor maintains cannot be changed. Once the data is exposed, there’s no way to unlearn the information.
So, the primary method to keep this sensitive data under lock and key is prevention. The following are key ways to protect patient data from cyber attacks in the healthcare industry.
Budgeting for Security Software and Safer Infrastructure
The number of attacks on often-outdated medical infrastructure is increasing, but limited budgets make upgrading to more secure systems difficult. Approximately 6 percent – or less – of the IT budget goes towards cybersecurity. And while IT spend on cybersecurity is increasing, many healthcare IT professionals say they should be spending even more to be better prepared for security attacks. Part of the budget issue is technical, but headcount is also a limiter. Determining which area to shore up first can be difficult.
Personnel and Training
Fostering a security-minded organization starts with people. Teaching employees at all levels how to identify threats like phishing establishes a secure foundation for any organization. Once those gaps are sealed, the next step is further focusing on communicating risk: what the issues are, why everyone at every level should care, and how they can maintain security.
Another strong approach is to build and train a security team that thinks beyond traditional security risks. For instance, rather than prioritizing an infrastructure-focused approach, perhaps the framework is data centric, considers how to manage security outside the walls of the organization, or thinks of innovative ways to promote security-centric thinking at all levels.
Data Access and Control
Data is the crown jewel of any organization, and the main target of any hacker. Putting an emphasis on data protection is an essential security layer. There are many data-centric security strategies, but they all have some aspects in common. These include:
- Understanding data on hand: Know what data the organization collects, how it is processed, and where it is stored – and for how long. Understanding the ways in which the business collects and uses data is a first step towards understanding the steps needed to protect it.
- Training: Besides teaching users how to identify threats, this also encompasses teaching employees about the tools available to them and how to use them to avoid Shadow IT systems.
- Physical and technical safeguards: Physical and technical barriers that allow you to prevent or monitor access to where data is stored. This can include anything from network monitoring to security cameras.
- Data access limitations and monitoring: Not everyone needs access to the same data, and organizations should limit access accordingly. Plus, visibility into how employees are using, viewing, and sharing that data is important.
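One way to put the last two points into practice, as an added Python example that is not from the original article: every read of a patient record passes through a role check plus a treating-relationship check, is written to an audit trail, and the trail is then swept for users who viewed unusually many patients or who keep being denied. The roles, permissions, patient ids and thresholds are constructed assumptions.

```python
from collections import defaultdict
# Constructed assumption: each role gets only the record sections its job needs.
ROLE_PERMISSIONS = {
    "physician": {"clinical", "billing"},
    "billing_clerk": {"billing"},
    "front_desk": set(),
}

class PatientRecordStore:
    """Mediates every read of a patient record and writes an audit event for it."""
    def __init__(self, care_team):
        # care_team: patient_id -> set of user ids with a treating relationship (constructed)
        self.care_team = care_team
        self.audit = []  # (user, role, patient_id, section, outcome)

    def read(self, user, role, patient_id, section):
        allowed = section in ROLE_PERMISSIONS.get(role, set())
        # Clinical data is further limited to staff actually treating the patient.
        if allowed and section == "clinical":
            allowed = user in self.care_team.get(patient_id, set())
        self.audit.append((user, role, patient_id, section, "allow" if allowed else "deny"))
        return allowed

def flag_unusual_access(audit, max_patients=5, max_denied=3):
    """Monitoring over the audit trail: users who viewed more distinct patients than
    expected for one shift, or who were repeatedly denied (probing for records)."""
    viewed, denied = defaultdict(set), defaultdict(int)
    for user, _role, patient_id, _section, outcome in audit:
        if outcome == "allow":
            viewed[user].add(patient_id)
        else:
            denied[user] += 1
    flagged = {u for u, p in viewed.items() if len(p) > max_patients}
    flagged |= {u for u, n in denied.items() if n >= max_denied}
    return sorted(flagged)

def simulate():
    # Constructed scenario: dr_a treats p1-p3, dr_b treats p1-p8, plus a clerk and a desk worker.
    store = PatientRecordStore({f"p{i}": {"dr_a", "dr_b"} if i <= 3 else {"dr_b"} for i in range(1, 9)})
    decisions = [
        store.read("dr_a", "physician", "p1", "clinical"),      # True: assigned and permitted
        store.read("dr_a", "physician", "p7", "clinical"),      # False: not on the care team
        store.read("clerk", "billing_clerk", "p1", "billing"),  # True: role may read billing
        store.read("clerk", "billing_clerk", "p1", "clinical"), # False: role lacks the section
        store.read("desk", "front_desk", "p1", "billing"),      # False: role has no access
    ]
    for i in range(1, 9):  # dr_b browses every assigned patient in one session
        store.read("dr_b", "physician", f"p{i}", "clinical")
    for i in range(1, 4):  # the desk worker keeps trying clinical records
        store.read("desk", "front_desk", f"p{i}", "clinical")
    return decisions, flag_unusual_access(store.audit)
```

The thresholds here are placeholders; in practice a baseline per role and shift is derived from the organization's own audit history.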
Secure Healthcare Data Transfer Solutions
Healthcare is a huge industry that necessitates quick, efficient work. Using tools built to improve processes – whether cloud-based or on-premises – helps support busy healthcare workers and patients while keeping data security at the forefront. Discover how managed file transfer (MFT) can help you today with a demo.