Cybersecurity: Shielding healthcare sector from cyber attacks

Cybersecurity has recently become a hot topic in the healthcare industry. Medical device cybersecurity threats have the potential to jeopardize the integrity of hospital information technology (IT) networks and the operation of medical equipment. Although no patient injuries or deaths related to cybersecurity incidents have been reported to the U.S. Food and Drug Administration (FDA), this can change with a single event, as other industries have experienced. Thus, it is very important for healthcare facilities to actively mitigate the cybersecurity risks of their medical devices and IT infrastructure.

The FBI recently released an alert about an increase in ransomware attacks across all sectors, including healthcare, state and local governments, and other infrastructure targets. Over the last few months, the healthcare sector has seen two separate providers permanently close and others forced into downtime after falling victim to ransomware. A McAfee report recently showed ransomware attacks have doubled in 2019. According to two recent reports from Emsisoft and the Institute for Critical Infrastructure Technology, 491 providers have fallen victim to ransomware so far this year and hackers are ramping up ‘disruption ware’ campaigns for a greater impact on their victims.

“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent,” FBI officials wrote. “Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.” Hackers have been leveraging phishing campaigns, remote desktop protocol vulnerabilities, and software vulnerabilities to infect organizations.

Why are Hackers Targeting the Healthcare Industry?

The healthcare industry is under attack. More data breaches are being reported than ever before, but what is the motivation behind these attacks? Why are hackers targeting the healthcare industry? A new report from FireEye provides some answers. For the report, FireEye researchers studied recent healthcare cyberattacks and identified the tactics being used, the actions of the hackers post-compromise, and the ultimate goals of the attacks. The researchers were able to classify attacks into two groups: those concerned with theft of data, and disruptive/destructive threats.

Many attacks are focused on obtaining patient data, although research data can also be extremely valuable. Cyberattacks concerned with obtaining research information have a low but noteworthy impact risk to healthcare organizations. These attacks are most commonly associated with nation-state threat actors. Cybercriminal gangs and nation-state sponsored hacking groups are investing time and resources into targeting specific healthcare organizations that store treasure troves of data. That could be a business associate serving many healthcare organizations or a large healthcare system.

Healthcare providers are susceptible to cyberattacks as many continue to use outdated and unsupported software and operating systems. Many cyberattacks are opportunistic and occur because healthcare providers have failed to address easily exploitable holes in their security defenses. However, it is now increasingly common for healthcare organizations to be targeted based on the amount of data they store. Disruptive and destructive threats continue to be a major problem in the healthcare industry. Cybercriminals and nation-state threat actors are conducting attacks that aim to disrupt the continuity of operations. These threats include ransomware and wiper malware.

Cybercrime activity is financially motivated and poses a high-frequency, high-impact threat to healthcare organizations. Personally identifiable information (PII) and protected health information (PHI) are commonly sought, and the information can be used for many different malicious purposes, including financial fraud, medical identity theft, identity theft, and crafting convincing phishing messages. The information is commonly bought and sold on darknet marketplaces, and that activity is unlikely to stop. Attacks are also being conducted to gain access to healthcare networks. Access is then sold to cybercriminal groups, nation-state groups, and other threat actors.

32% of Healthcare Employees are not trained about Cybersecurity

There have been at least 200 breaches of more than 500 records reported since January, and 2019 looks set to be another record-breaking year for healthcare data breaches. 32% of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once, and 1 in 10 managers were not aware if their company had a cybersecurity policy. 40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.

Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure. It is also essential to address data security and regulatory knowledge gaps. IT security leaders must ensure that every member of the workforce receives regular cybersecurity training and is fully aware of the requirements of HIPAA. It is also important to conduct regular assessments of security defenses and compliance. Companies that regularly check their cyber pulse can identify and address vulnerabilities before they are exploited by hackers and cause a costly data breach.

Cybersecurity risk management is a huge responsibility, and everyone in the healthcare community should continue to keep this subject in mind.

Key Elements of a Management Plan for Healthcare Industries

Organizations should consider a few key steps when they begin devising a plan for cybersecurity risk management.

The first step should be to identify the key stakeholders in a facility and clearly define the distribution of cybersecurity duties among personnel. A hospital biomedical engineering department typically deals with device-specific issues, while the IT department is in charge of the hospital network infrastructure. The emergence of medical devices with advanced integration and IT capabilities requires that these two departments collaborate on safeguarding their devices from cybersecurity risks.

PHI can include personal information, medical records, and payment information. Because of the sensitivity of PHI, hospitals are attractive targets for spyware and phishing attacks aimed at acquiring the information.

Safeguarding a facility’s network and minimizing exposure to cybersecurity threats can be done via several common mechanisms. For example, using a virtual local area network (VLAN) can limit access to the equipment.

An effective device management plan also starts at the procurement stage. Before purchasing a device, it is important to ensure that it has good safety features and that the manufacturer will provide continuing support.

Establishing a reporting procedure for cybersecurity events also is critical.