The health care industry is still having a hard time getting its cybersecurity under control, despite ongoing knowledge that the sector is among the most vulnerable to attack compared to most others. It’s worth examining why the health sector faces these challenges and what can be done to remedy the problems.
The Medical Sector Experiences Twice the Number of Attacks as Others
According to statistics, there are approximately twice the number of attacks in health care as other industries. One of the reasons for this is that many health systems have broad reach. An incident that originates in one state or country may spread much further than a single location, thereby making the results more substantial for hackers.
In January 2018, news broke of an attack on a regional health system in Norway that exposed the data of 2.8 million people. Investigators believe hackers wanted patient data in connection with an upcoming military exercise.
Research also shows that health care facilities are not adequately prepared against cyberattacks. According to one investigation, only 33 percent of local health departments had a plan to respond to cyberattacks.
Hackers Know They’ve Seized Urgently Needed Material
Due to the number of people who use health facilities and the sensitive data contained within, hackers know that these targets could result in higher-than-average payoffs for successful attacks. They also realize that, in the case of ransomware attacks, the victims may be so desperate to retrieve the data that they will pay the ransom.
When Hancock Health suffered a ransomware attack that demanded payment in four Bitcoins — approximately $55,000 at the time — the organization paid up even though it had backup files available. It would have reportedly taken weeks or longer to switch over to the backups.
There have been other instances in which the health sector was not the primary target of attacks, but was nonetheless severely affected. Such happened in the global NotPetya malware attack, which demanded that victims pay ransom to retrieve access to their systems.
Once hospitals are alerted to the issue, their systems are often completely shut down for days, forcing providers to switch to pen and paper systems. This happened with a New York facility that had no online operations for a week.
Fortunately, facilities can limit the access hackers have to patient files, such as by employing strong authentication and encrypting data that’s in transit or at rest. These steps don’t guarantee cybercriminals won’t gain access, but they could limit their damage.
These Attacks Disrupt Patient Care
Some cyberattacks are so severe that they prevent hospitals from adequately caring for patients. A ransomware attack at MedStar Washington Health Center delayed the processing of lab results and made the information on paper charts incomplete. Eventually, ambulances that arrived with patients in non-critical condition had to be diverted to other facilities.
Because of the risk of hackers targeting not only patient records but also the devices used to treat patients, the U.S. Food and Drug Administration (FDA) unveiled a new action plan to secure medical devices. The organization also aims to create more oversight in the industry and wants to enforce mandatory software patching when needed.
Health facility representatives are increasingly aware of the risks and are getting staff members more equipped to recognize the warning signs of potential hacks. The results of one survey showed 43 percent of facilities hold training events weekly or monthly.
There’s a Lack of Resources
Despite a rise in IT spending at hospitals, the average amount devoted to IT is still only from two to four percent of an overall budget. Also, many hospitals intend to implement newer, better tech but have yet to do so.
Data published in 2017 shows that there are only 5,564 medical facilities in the United States. When niche developers serve those customers, they may not have the resources to update their applications with sufficient frequency.
Attendees at a recent health tech conference for employees of Medtronic, a maker of medical devices, saw a demonstration of how quickly hackers can infiltrate unpatched software. Hospitals are at risk for that issue because it’s time-consuming and cumbersome to deploy software patches throughout an organization.
How Should Hospitals Respond?
The rising number and type of potential cyberattacks are challenging for health care facilities. However, automated threat detection could detect strange network traffic and alert IT representatives before infiltrations become more severe. It’s also necessary for health facilities to stay aware of industry trends.
For example, April was one of the worst months for health breaches in 2018. Even if organizations haven’t been hit by such attacks, they must expect them and prepare appropriately.
Communicating with vendors to be informed on the rollout of future software patches is also a good move. For example, would such fixes be implemented automatically?
Besides scheduling regular cybersecurity readiness training sessions for employees, hospitals should also conduct drills to find out how smoothly workers can implement what they’ve learned in situations they may encounter in the event of a breach.
Finally, hospitals must realize that improving cybersecurity is not something that can occur quickly or through a one-time effort. Ongoing diligence and investments are needed to keep threats at bay and reduce the likelihood of attacks that cause extensive downtime.
The Health Sector Has a Reputation for Insufficient Security
Through the years, the health care industry has earned a reputation for having security standards that were not as tight as those demonstrated by other organizations. Thankfully, many organizations are working hard to make up for lost time now, and those efforts must continue.
Hackers see the health sector as a lucrative target, and organizations must take all-encompassing steps to fight back against common issues and target weaknesses.
Kayla Matthews is a productivity and technology journalist with interests in big data, cybersecurity, IoT and other technologies. Aside from her tech blog, Productivity Bytes, you can read more of her work on CloudTweaks, Malwarebytes and IT Security Guru.