
Healthcare is the Preferred Target of Cyber Attackers

Mar 02, 2020

U.S. healthcare institutions are under constant attack from cybercriminals, and unless hospitals take concrete steps to protect themselves, the situation won’t get any better. In 2019, the healthcare industry was the number one target for cyber attackers, with the cost of breaches totaling $4 billion, according to a new report.

2020 Vision: A Review of Major IT & Cybersecurity Issues Affecting Healthcare, published by security intelligence firm CyberMDX, provides an in-depth look at the causes and types of cybersecurity threats affecting the industry, as well as recommendations for healthcare institutions to fortify their cyber defenses.

Attacks on healthcare are prevalent, according to the report, because the industry handles “valuable patient medical records” and has shown a “willingness to pay ransoms to restore care-critical technologies.” And the means for the attacks “are provided by a very wide attack surface that is entirely inadequately protected.”

According to the report, U.S. healthcare targets suffered 426 separate breach events and 759 ransomware attacks in 2019. One of every eight Americans was affected. The number of breached medical records exceeded 40 million, three times as many as in 2018. “In fact, the healthcare industry plays host to roughly 70% of all U.S. data breaches.”

At least 10 hospitals had to turn away patients “due to a compromised ability to deliver care as a result of cyber attacks,” the report says.

In one breach case, involving an attack on the American Medical Collection Agency (AMCA), hackers broke into the company’s web payments page and lingered for almost nine months before the breach was discovered. “Over that period of time, the privacy of more than 24 million individuals was violated – exposing sensitive information such as medical data, social security numbers, and payment card details.”

Fighting Back

To fight back, the report suggests, healthcare organizations have to get better at setting up their defenses. The task is complicated by the proliferation of Internet of Things (IoT) devices, which now number 120 million across 6,210 hospitals. That averages out to 19,300 devices per hospital, according to the report. Hospitals on average lose track of 30% of their connected medical devices, the report says.

Securing these devices and keeping up with software flaws and updates is a big job. Too often, the report says, known vulnerabilities remain unpatched, creating opportunities for cyber attackers to target an organization. “CyberMDX research shows that four months after a major vulnerability is disclosed, most hospitals will still not have managed to patch more than 40% of their vulnerable devices,” the report says. “More than 10% of hospitals admit to altogether ignoring software patches and updates.”

In addition, most hospitals do not use network segmentation to separate sensitive assets from networks that are easily accessible by any user. The report recommends a number of remedies, including patching, segmentation, credential management, shutting off unused ports, and ongoing monitoring for anomalies. See the report for a full list of recommended best practices.

Skills Training

Although the CyberMDX report doesn’t go into the need to build strong teams with updated cybersecurity skills, having a well-trained team of cybersecurity experts is essential to building effective cyber defenses.

(ISC)2 offers the HCISPP certification for the specific needs of cybersecurity professionals in healthcare. Available since 2013, the certification program was recently refreshed to ensure its relevance to current cybersecurity needs and regulations in securing healthcare environments and data.

If you are an HCISPP holder or work in a healthcare environment, does the data in the CyberMDX report ring true to you?