5 Alarming Cyber Security Issues in Healthcare

5 Alarming Cyber Security Issues in Healthcare

1 Star2 Stars3 Stars4 Stars5 Stars (20 votes, average: 4.80 out of 5)

IBM reports that data breaches cost healthcare organizations an average of $7.13 million in their 2020 report. BitGlass reports that 67.3% of all healthcare breaches in 2020 were caused by hacking and IT incidents. With this in mind, let’s explore five of the cybersecurity challenges in healthcare to get a clearer image of the industry’s threat landscape

There’s no shortage of cyber security issues in healthcare. Say, you’re the administrative leader at a hospital. Suddenly, a message from an unknown sender says that all of your hospital’s network-connected IT systems and medical devices are now under their control. The threat actor says that the only way you’ll regain access is to pay a ransom. 

Each moment is critical, affecting not only your operations but the health and wellbeing of your patients. Do you pay the ransom? What happens if you don’t pay the ransom? And what could you have done to prevent this from happening in the first place?

This scenario (and others like it) is something that hospitals and other healthcare facilities around the world experience with increasing frequency. Comparitech reports 600 healthcare-related organizations were affected by 92 ransomware attacks in 2020 at the cost of nearly $21 billion

Cybercriminals target healthcare because it’s a lucrative industry, and the data they steal can be used or sold for many purposes. And this is just one scenario. Healthcare data can be used for many other purposes like blackmailing or phishing patients, buying prescription medicines, generating fake insurance claims, etc.

Let’s explore the biggest cyber security issues in healthcare and the challenge this industry’s organizations face.

Breaking Down 5 Examples of the Cybersecurity Challenges in Healthcare

Cyber security issues in healthcare graphic: An illustration of data binary with a keyhole to represent security

There are many IT security issues and risks that hospitals, clinics and other healthcare organizations face throughout the year. Our goal here is to inform you about these healthcare cybersecurity challenges so you can take steps to prevent them from being exploited within your own organization.

1. Weakly Protected Websites, Web Servers and Databases

Healthcare institutes’ web servers and databases contain tons of sensitive information. This includes everything from patients’ sensitive electronic health records (EHRs) and employee information to intellectual property and research. Hackers and other cybercriminals are always searching for exposed, misconfigured, or otherwise weakly protected databases and servers.

Healthcare websites and databases often become victims of brute force attacks, DDoS attacks, and SQL injections if they:

  • Aren’t protected with strong cybersecurity, threat intelligence and monitoring tools,
  • Don’t limit the number of login attempts individual IP addresses can try within certain time frames,
  • Don’t have two-factor or multi-factor authentication methods (2FA/MFA) or use methods of passwordless authentication (especially for privileged accounts),
  • Run outdated and unpatched software and hardware,
  • Have unpatched vulnerabilities in their remote desktop protocol and other systems,
  • Are running code in their web apps that’s vulnerable to SQL injections.

Security needs to be a top priority for managing websites. In some cases, just by tweaking a website’s URL, an unauthorized person can access a company’s sensitive information. For example, in LabCorp’s breach, a security researcher from TechCrunch noticed a website vulnerability that left the company’s backend system exposed. This created an opportunity for bad guys to access at least 10,000 sensitive documents simply by tweaking a few numbers in the URL.

2. A Lack of Encryption to Protect Sensitive Data

Next on our list of cyber security issues in healthcare is a topic relating to how organizations in this industry protect their data. According to HIPAA’s Security Rule, organizations handling ePHI (electronic protected health information) must have adequate “technical security measures” to secure their IT infrastructure and confidential data. Using encryption is one way to secure your organization’s sensitive data and ensure HIPAA compliance.

Encryption means scrambling data via a mathematical algorithm in a way that no unauthorized user can read it. Sometimes, healthcare institutes don’t use encryption while transferring and storing the data. This is an issue considering that the Security Rule’s Security Standards list encryption among their technical safeguards. 

The processes for encrypting data in transit and at rest encryption are different. For example, it takes an SSL/TLS certificate to encrypt users’ confidential data in transit between a browser and server. Using encryption is compulsory according to HIPPA guidelines. But many organizations dealing with protected ePHI are still not installing an SSL/TLS certificate on their websites. So, when users submit their health-related information via these unprotected websites, their data is vulnerable to hackers and other cybercriminals.

It is highly important for healthcare institutes to encrypt their files and data. But sometimes, due to lack of awareness, employees don’t secure their organization’s important data or use secure transfer mechanisms. All of this makes it easier for hackers to steal the stored content or while someone transfers these files.

There are many extensions, software programs, and email signing certificates available that provide end-to-end (E2E) email encryption. These technologies protect email data in transit and at-rest. But when healthcare institutes don’t use such protection, hackers can access, steal or even manipulate that valuable information.

One such example is a data breach involving the healthcare organizations Mednax, Inc. and its subsidiary Pediatrix Medical Group.  According to Classaction.org, unauthorized users used phishing techniques to compromise Mednax’s email accounts and access their unencrypted data. This led to the personal data exposure of nearly 1.3 million patients.

3. Medical Devices & Equipment Are Notoriously Insecure

Hospitals are a virtual jackpot of healthcare-related data. Many healthcare providers rely on connected medical devices to diagnose and treat patients. However, many of these devices are not secure due to a lack of security controls, a pack of update and patching capabilities, and the devices’ extended lifespans.

Data from Ordr shows that healthcare organizations rely heavily on IoT (Internet of Things) and IoMT (Internet of Medical Things) technologies, using an “average of 10-15 devices per bed.” This gives attackers a huge pool of insecure devices to target to penetrate their networks and IT environments.

According to their 2020 report, Ordr discovered many of the  5 million unmanaged IoT and IoMT devices they analyzed were running on outdated technology and lacked the latest threat defenses. Furthermore, they observed:

  • 95% of healthcare deployments used smart devices like Alexas and Amazon Echoes, thereby violating privacy requirements.
  • 75% demonstrated VLAN violations by having medical IoT devices on the same network as non-medical connected devices.
  • Four-in-five (86%) of healthcare deployments had 10+ known FDA recalls on their medical IoT devices.

Suppose hackers break into the hospital’s network via such insecure devices. In that case, they can move laterally throughout the network to take control of all the crucial endpoints and cripple their IT environment. They can also use this access to steal or encrypt patients’ sensitive medical to use as collateral in ransomware attacks or to sell on the dark web.

4. Healthcare Organizations Often Lack Documented Cybersecurity Policies & Procedures

Cyber hygiene is important for all organizations, healthcare providers included. According to HIPAA Security Rule § 164.316, a healthcare provider must “adopt reasonable and appropriate policies and procedures” to prevent security incidents. They also must retain six years’ of documented records relating to their:

  • Security policies and procedures,
  • Required actions,
  • Completed activities, and
  • Assessments performed and their results.

Healthcare institutes must periodically review and update their documentation when there are any environmental or organizational changes take place, and such changes affect the way they handle, transfer and store electronic protected health information.

Unfortunately, not all healthcare institutes adhere to these documentation requirements of cybersecurity policies & procedures. As a result, many security loopholes are created, and the organization remains unaware of them until it’s too late.

Let’s consider what happens when you use weak access control policies and procedures. Access controls & policies specify who can access which IT assets and how that access is managed. Sensitive health information must only be accessible to authorized individuals who need it to carry out their routine job duties. If unauthorized staff, patients, vendors, and third parties try to access such information, their access should be denied outright. But if healthcare institutions don’t set the access controls or have such policies in place, they may fall prey to internal and external threat actors.  

5. A Lack of Cyber Awareness

Cybersecurity challenges in healthcare graphic: An illustration of an employee with security knowledge swirling around in his head

This brings us to the last item on our list of cyber security issues in healthcare. It’s obvious that we can’t expect healthcare workers to be cybersecurity experts. But when healthcare institutes don’t at least provide basic awareness training to employees, one wrong click can shatter the entire cybersecurity posture.

These are some main cybersecurity issues in the healthcare industry when employees:

  • Don’t know how to identify a phishing email.
  • Download email attachments without first scanning them with strong antivirus software.
  • Can’t differentiate between a fake website and a legit website.
  • Click on malvertisements and inadvertently install malware onto their organization’s network-connected computers.
  • Don’t update or patch their devices.
  • Don’t know how to recognize the signs of malware infection, or don’t take the issues seriously until it’s too late.
  • Set weak user IDs and passwords.
  • Lose hardware devices like laptops, or USB drives.
  • Don’t wipe out the memory completely while disposing of or reselling the device.

There are two types of common threats, ransomware attacks and phishing, that frequently result from poor cyber awareness and/or a lack of training. This type of training aims to help employees and users learn to recognize many types of cyber threats and social engineering tactics.

A Lack of Cyber Awareness Leads to Ransomware Attacks

When we talk about cybersecurity challenges in healthcare, we can’t ignore ransomware attacks. It’s one of the most efficient weapons for hackers to use against healthcare organizations.

We already briefly walked you through an example of how ransomware attacks work in the healthcare industry. As you’ll remember, hackers encrypt important healthcare-related data and ask for a ransom to decrypt it (and, in some cases, may exfiltrate that data for their own uses). They also will use their access to lock users out of devices and critical IT systems until their demands are met.

All of these situations pose huge issues for businesses and their patients. Without health-related data, healthcare providers can’t safely treat their patients. As each passing minute can cost lives, the chances of them getting the ransom increase dramatically.

Threatening Patients: In addition to threatening hospitals, some hackers who steal patients’ sensitive healthcare-related information (including images, scans, and another type of media files) use it for other purposes. For example, they can blackmail patients by threatening to publish their personal health-related information if they don’t pay them in cryptocurrency.

Some patients choose to pay in an attempt to keep their health information private or to avoid embarrassment.

A Lack of Cyber Awareness Makes People More Likely to Fall for Phishing Attacks

Hackers use various phishing tactics to trick or manipulate healthcare workers, patients, pharmacy employees or vendors into sharing confidential information. They use social engineering tactics to get their targets to send information, unknowingly provide their login credentials, or by tricking users into downloading malware onto their devices. So, exactly phishing in the healthcare industry look like? Here are the two examples:

Phishing emails: Posing as a healthcare provider, pharmacy, or insurance company, attackers send phishing emails to patients. The message may ask them to provide personal information or download an attached report, bill, prescription, claim document, or receipt. In much the same way, these bad guys send phishing emails to healthcare workers posing as their colleagues or patients and ask them to click on some links or download the attachment.

Needless to say, such attachments or link contains malware like viruses. If someone replies with their confidential information, attackers misuse such information for identity theft and financial fraud.

Phishing websites: Attackers make websites that look exactly like the original healthcare providers’ site, using the same logo, color scheme, fonts, and content. Sometimes, they buy similar-looking domain names (a practice known as cybersquatting) to make the website look legit. They ask users to log in with their credentials, fill out forms inputting confidential information, or upload documents, prescriptions, and reports.

Sometimes, hackers use such phishing sites to trick people into downloading and installing malware onto their devices. For example, after logging in, the patients are asked to install a media player to view their reports. But it’s a trojan horse instead, which can corrupt your entire system once you install it.

Final Words on Cyber Security Issues & Challenges in the Healthcare Industry

This brings us to the end of our article on cyber security issues in healthcare. There’s an ongoing discussion on whether cybercriminals should be prosecuted for murder if their actions result in someone’s death. Although cybercriminals don’t intentionally and directly kill people, their activities can directly and indirectly contribute to the loss of life.

Activities such as shutting down medical equipment, halting hospital scheduling and operations, and encrypting, modifying or erasing crucial patients’ data are all ways that can deprive patients of critically necessary treatment. There is a grey area in-law whether cybercriminals can be held responsible if someone loses their lives because of such attacks. But we hope lawmakers take cyber security issues in healthcare seriously and make some strict provisions curb them.

It’s our goal to help you take steps that prevent cybercriminals’ activities from affecting your organization and patients. Hopefully, this article has provided you with useful information that you can use to address the most common cybersecurity challenges in healthcare.

About the author

Medha is a regular contributor to InfoSec Insights. She's a tech enthusiast and writes about technology, website security, cryptography, cyber security, and data protection.