From malware infections to ransomware attacks and everything in between, cybersecurity issues are a key concern in the healthcare industry. Cybercriminals or bad actors target healthcare organizations because of the large volume of sensitive data contained within a single healthcare record. According to the Department of Health and Human Services (HHS), protected health information (PHI) provides cybercriminals with more information than any other type of breached record.
Much of the data found in medical records is unalterable, which delivers ongoing value for bad actors. For example, it’s easy to cancel a compromised credit card number, but an individual’s health history is much more complex. Once the information is in the hands of bad actors, they can use it to commit medical identity theft not once, but many times over in the future.
Cybersecurity threats that compromise healthcare information can have severe consequences for the impacted organization and patients alike. In this article, we will look at recent examples of healthcare cybersecurity threats and detail the best practices to make your organization more secure.
Cybersecurity attacks against healthcare organizations
While all industries are at risk for cybersecurity incidents, the nature of the healthcare sector poses unique challenges. There is very little tolerance for downtime because system disruptions can directly impact patient care. Following a cyberattack, healthcare companies report adverse events such as increased patient mortality rates, procedural delays, and longer hospital stays.
Care delivery and patient safety are also why the healthcare sector is more likely to pay the ransom demand than any other industry. In 2021, 61% of healthcare companies paid the ransom rather than risk operational downtime that could adversely impact patient lives.
Once a company pays the ransom, there’s no guarantee they’ll get their data back. Even if they do, the data is often corrupted, creating new attack vectors for cybercriminals. In many cases, companies that pay the ransom demand are more likely to be targeted in subsequent attacks.
Healthcare companies are also vulnerable to cybersecurity threats due to outdated legacy systems. Medical equipment and devices often rely on proprietary software that focuses more on patient outcomes than cybersecurity concerns. Older equipment no longer receives vendor support, such as security patches and updates, which leaves the door open for potential threats.
For example, digital imaging equipment such as MRI and x-ray machines tends to stay in service for at least a decade, which is long enough for modern security technology to outpace the networks and software systems those devices depend on.
The healthcare sector experiences more cybersecurity incidents than any other industry. The following are just a few examples of recent attacks on healthcare entities:
In June 2022, a ransomware attack affected almost 60,000 patients of Vermont-based Lamoille Health Partners. The impacted individuals are suing the health center for allegations that it failed to properly protect patient data and then failed to notify patients of the ransomware attack.
A Texas hospital took all its systems offline in September 2022 after it was targeted in a ransomware attack. Despite efforts to contain the attack, sensitive data including personally identifiable information (PII) and PHI was compromised. Following the ransomware attack, it took several weeks to restore clinical systems.
Insurance provider Florida Healthy Kids Corporation (FHKC) suffered a data breach in 2021 that compromised approximately 3.5 million records. Following the breach, FHKC discovered multiple website vulnerabilities that had gone unpatched by its hosting vendor over a 7-year period. Hackers exploited these flaws to access parts of the website and alter the data of thousands of enrollees and applications.
The health department for New Haven, a city in Connecticut, experienced a 2017 data breach that compromised the PHI of 498 individuals. The subsequent investigation found that the breach was triggered by a former employee of the New Haven Health Department. After her termination, the former employee copied sensitive data to a USB drive and continued to access the department’s networks using her login credentials. The city had to pay more than $200,000 in financial penalties for violating HIPAA rules.
Best practices for securing healthcare data
The healthcare industry is facing an uphill battle when it comes to mitigating cybersecurity threats. On average, only 4–7% of a healthcare organization’s IT budget is dedicated to cybersecurity measures. This makes it especially challenging to secure data and meet compliance objectives, but the high risk and cost of not doing so makes cybersecurity paramount in the healthcare sector.
The following best practices can help safeguard sensitive information and keep the data handled by healthcare companies secure:
Restrict access to information and applications
In 2021, nearly 20% of data breaches were caused by stolen or compromised account credentials. Access controls can help healthcare companies prevent unauthorized access to sensitive data, such as when a former health department employee compromised hundreds of PHI files.
To ensure only authorized individuals can access applications and data, access controls commonly leverage user verification practices such as multi-factor authentication (MFA). MFA uses two or more credentials to verify a user’s identity. This adds multiple layers of defense to networks, devices, and databases and makes it more difficult for unauthorized individuals to infiltrate organizational resources.
Classify and encrypt sensitive files
The Entrust 2022 Global Encryption Trends Study found that approximately 62% of companies have a consistent encryption strategy in place. According to study respondents, challenges in finding and classifying organizational data lead to gaps in data security. Data classification categorizes information based on its type, its sensitivity, and the potential consequences of its compromise. For example, PHI falls under the most sensitive data classification level and requires greater risk controls to safeguard against internal and external threats.
File-level encryption ensures that only authorized users can access and interact with the data. In the event of a data breach, encryption makes the difference in whether the affected organization is subject to HIPAA’s Breach Notification Rule. Failing to implement appropriate security measures, including encryption, can lead to costly penalties for HIPAA violations.
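The two paragraphs above describe classifying data by type and sensitivity and then applying stronger controls, including file-level encryption, to the most sensitive class. The following is an added example (not code from the original article or from WinZip) of that pipeline: a small classifier that looks for identifiers typical of PHI, assigns a classification level, and reports which records are stored in violation of the controls their level requires. The level names, the regular expressions and the sample records are all constructed assumptions; real classification rules would be tuned to the organization's own record formats and policy.

```python
"""Classify records by the identifiers they contain and check the controls
each class requires. Added example with constructed patterns and data; the
level names are an assumption, not HIPAA terminology.
"""
import re

# Heuristic patterns for identifiers commonly found in health records
# (constructed; a real classifier would be tuned to the organization's formats).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    # ICD-10 diagnosis codes such as E11.9 or J45
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b"),
}
HEALTH_MARKERS = {"mrn", "icd10"}   # says something about a person's health
IDENTIFIERS = {"ssn", "dob", "mrn"}  # ties the record to an individual

# Controls required per level (assumed policy): the top level reflects the
# article's point that PHI needs the strongest safeguards.
CONTROLS = {
    "internal":     {"encrypt_at_rest": False, "mfa_required": False},
    "confidential": {"encrypt_at_rest": True,  "mfa_required": False},
    "restricted":   {"encrypt_at_rest": True,  "mfa_required": True},
}


def classify(text: str):
    """Return (level, sorted identifier names found).

    Health information that is tied to an identifiable person is PHI and goes
    to 'restricted'; a bare personal identifier is 'confidential'; de-identified
    clinical data or nothing sensitive is 'internal'.
    """
    found = {name for name, rx in PATTERNS.items() if rx.search(text)}
    has_health = bool(found & HEALTH_MARKERS)
    has_identity = bool(found & IDENTIFIERS)
    if has_health and has_identity:
        level = "restricted"
    elif has_identity:
        level = "confidential"
    else:
        level = "internal"
    return level, sorted(found)


def policy_violations(records):
    """Return (name, level, problem) for every record stored below its required controls.

    Each record is a dict with 'name', 'text', 'encrypted' (file-level encryption
    applied) and 'mfa_enforced' (access path requires a second factor).
    """
    violations = []
    for rec in records:
        level, _ = classify(rec["text"])
        controls = CONTROLS[level]
        if controls["encrypt_at_rest"] and not rec["encrypted"]:
            violations.append((rec["name"], level, "stored without file-level encryption"))
        if controls["mfa_required"] and not rec["mfa_enforced"]:
            violations.append((rec["name"], level, "accessible without MFA"))
    return violations


# Constructed sample records; none of these describe a real person.
SAMPLE_RECORDS = [
    {"name": "visit-note.txt", "encrypted": False, "mfa_enforced": True,
     "text": "Patient Jane Doe, MRN 00123456, DOB 04/12/1971, dx E11.9"},
    {"name": "q3-stats.csv", "encrypted": False, "mfa_enforced": False,
     "text": "Aggregate: 412 visits coded J45 in Q3"},
    {"name": "payroll.txt", "encrypted": True, "mfa_enforced": False,
     "text": "Payroll update: SSN 123-45-6789, direct deposit changed"},
    {"name": "menu.txt", "encrypted": False, "mfa_enforced": False,
     "text": "Cafeteria menu for Monday"},
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], classify(rec["text"]))
    for name, level, problem in policy_violations(SAMPLE_RECORDS):
        print(f"VIOLATION {name} ({level}): {problem}")
```

The useful output is the violation list, not the labels: it tells the team which files need encryption or a stricter access path before they can sit where they are. Pattern matching of this kind produces false positives (an ICD-10-shaped token in unrelated text) and misses identifiers in unexpected formats, so it is a starting point for review rather than a final determination of what counts as PHI.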
Leverage enterprise-level solutions
Consumer-grade software solutions are not sufficient when it comes to healthcare cybersecurity. They do not offer the same access and security controls needed to manage sensitive data and satisfy compliance requirements. In the face of ongoing cybersecurity threats, WinZip® Enterprise gives healthcare organizations a complete set of tools to secure and manage files.
A fully customizable solution, WinZip Enterprise makes it easy for admins to establish and enforce best practices such as access controls, multi-factor authentication, and file encryption. It also natively integrates with several HIPAA-compliant cloud storage services, such as AWS, OneDrive, and G Suite.
Find out how WinZip Enterprise keeps healthcare organizations secure from cybersecurity threats.