Cybersecurity is a critical concern for healthcare organizations. Protected health information (PHI) is more valuable than other types of personal data, making it a key target for cybercriminals. This is because healthcare records contain a variety of personal information, such as an individual’s name, social security number, financial details, and more.
Health data is around 20 times more valuable than financial data on the Dark Web. The remediation costs following a healthcare data breach are also higher. This includes expensive processes such as investigation, incident response, breach containment, and more. The cost to remediate a health data breach is around $408 per record compared to $148 per non-health record. Despite the risks, the healthcare industry falls short in terms of cybersecurity.
Fortunately, there are tools and best practices that can help prevent cyberattacks in the healthcare industry. In this article, we will detail current cybersecurity challenges in healthcare environments as well as solutions that increase the security of your organization’s healthcare data.
Healthcare cybersecurity challenges
Data breaches and other security threats have increased sharply over the past few years, fueled in large part by the rapid and necessary shift to remote working conditions in 2020 as the pandemic reshaped how people work.
In addition to the challenges posed by an expanded remote workforce, healthcare organizations were also faced with an increased patient load. Resource limitations impacted every level of patient care, including healthcare data security.
For example, elective procedures were canceled to control the spread of the virus, but this also created revenue shortages. On average, elective procedures make up 60% of total revenue for healthcare organizations. These cancellations led to a revenue loss of around $22.3 billion nationally.
With limited space, staff, supplies, and revenue, many healthcare organizations were unable to prioritize cybersecurity measures. Cyberattacks spiked as a result, with more than 1 in 3 healthcare entities experiencing a ransomware event in 2020 alone.
While the pandemic has waned, cybersecurity threats have only increased. In the first five months of 2022, the number of data security breaches in the healthcare industry almost doubled compared to the same period in 2021.
The healthcare sector’s cybersecurity challenges include the following:
Mobile access. Medical devices that run on an internet connection often lack adequate privacy and security measures. Devices such as insulin pumps, pacemakers, and wearable trackers rely on constant connectivity to work.
Without ample network and file security, the data these devices collect and transmit could be compromised in a cyberattack. For example, over 61 million records related to wearable devices (e.g., Fitbit) were compromised in a database breach in 2021.
Legacy systems. Legacy systems are highly customized and designed to meet the specific goals and needs of the healthcare organization. Approximately 73% of healthcare providers use medical equipment that relies on a legacy operating system.
This outdated equipment presents a host of cybersecurity risks due to a lack of security patches or updates. For example, vulnerabilities in unpatched medical devices fueled the 2017 WannaCry global ransomware attack.
Staff shortages. Healthcare cybersecurity staff are increasingly overworked, understaffed, and undertrained. Around a third of health IT teams are not sufficiently staffed for cybersecurity, further straining existing team members.
Skills gaps further hinder healthcare IT teams. Around 40% of IT staff lack cybersecurity expertise and an additional 39% of individuals are deficient in data protection skills.
Broad attack surface. The average US hospital has 10 to 15 connected devices per hospital bed, which means large organizations could need to secure tens of thousands of medical devices.
Because these networked devices typically run on outdated software and hardware, they present a number of vulnerabilities that can be exploited by cybercriminals.
Common healthcare data threats
From hospitals to pharmaceutical companies and care facilities, every aspect of the healthcare industry is susceptible to cyberattacks. Teaching and research hospitals are especially vulnerable because they manage, store, and transfer a large volume of sensitive data.
From 2018 to 2021, healthcare data breaches increased by 84%. The number of victims affected by these breaches also increased from 14 million in 2018 to 44.9 million in 2021. As of July 2022, more than 22 million health records have been breached in the US, a 4.6% increase from the same period the previous year.
Let’s look at some of the greatest threats to healthcare data security:
Phishing
Phishing is a technique where malicious actors trick their victim into giving them system access. Common phishing attack vectors include emails, websites, social media, and text messages. For example, hackers accessed a Colorado-based eye care practice employee’s work email and used it to copy patient data. This phishing incident compromised more than 26,000 people’s sensitive information.
Cybercriminals often use a phishing attack to gain access to a critical network or system. Once they’re in, they can easily exfiltrate sensitive files, compromise accounts, and infect businesses with ransomware.
Because phishing seeks to obtain sensitive data, healthcare organizations account for around half of all phishing attack victims. The cost of recovering from such an attack averages around $14.8 million, which is three times greater than it was in 2015.
Third-party data breaches
A third-party data breach occurs when a malicious actor gains access to sensitive health data via third parties such as vendors, suppliers, or business partners. The healthcare industry is the most common victim of this attack vector. Attacks by third parties were responsible for 33% of healthcare cybersecurity incidents in 2021.
For example, in 2020, vulnerabilities in Accellion’s file transfer system gave cybercriminals access to the private data of millions of individuals. Numerous healthcare organizations that used the software to transfer large, sensitive files within the network were impacted by the third-party breach.
According to the settlement proposal, Accellion did not guarantee the security of the software, and the clients were solely responsible for their own data security practices. The last security update for the software in question was issued in February 2019, leaving unpatched the vulnerabilities that gave the threat actors access to connected client networks.
Ransomware
Because healthcare organizations are heavily dependent on access to data to maintain operations, they are under immense pressure to recover information quickly. As a result, they are frequently targeted by ransomware groups, since healthcare organizations pay the ransom demand 61% of the time.
When ransomware is used to attack a healthcare entity, the attackers successfully encrypt and subsequently ransom sensitive health data 65% of the time. This is higher than the national average of 54%, due to factors such as a reliance on legacy systems, understaffing, and resource challenges.
Ransomware attacks are costly not just in terms of the ransom demand, but also because they cause major healthcare disruptions. Hospitals across the globe have blamed ransomware attacks for patient deaths, such as an incident in which hackers compromised systems and caused a newborn’s heart monitor to fail.
The role of file security in preventing cyberattacks
Today, cybercriminals can successfully breach 93% of company networks. With the growing risk of data breaches and ransomware, it’s more important than ever for organizations to protect their critical health data.
File encryption protects against cyberattacks and data loss by rendering the data useless to anyone without the correct key or password. Encrypting at the file level adds a layer of security as data moves between devices, networks, and databases.
WinZip® Enterprise protects healthcare data through secure file sharing, compression, encryption, and management. With centralized IT control, WinZip Enterprise can be easily customized to meet the complex needs of health data security.