Cybersecurity in Healthcare: Threats and Trends
What is a successful hospital in the modern sense? We used to think about qualified doctors, experienced nurses, clean corridors, and white walls… but today it’s not enough! Today, a vital condition is an established IT infrastructure.
Advanced healthcare organizations already have specialized information networks that help them take patient care to the next level. In fact, we see how the whole industry is embracing the Internet of Things and related technologies. As a result, hospitals are now equipped with smart elevators, smart heating and ventilation systems, remote patient monitoring devices, and more.
There is only a bit of bad news. Alas, any advance in technology opens the door to cyber scammers trying to hack into hospital networks, gaining access to clinical data, and manipulating it for their own benefit. So the problem of cybersecurity in healthcare is very acute.
Specially conducted studies covering more than 30 countries around the world show the reality of the threat and its growing scale. In 2021, hospitals were massively attacked by scammers in the US, Europe, and other countries, and the rate of attacks isn't likely to stop any time soon.
Surely, cyber risks in the healthcare sector don’t mean we have to take a step back and abandon medical innovations. Not at all, we just need to think over a cybersecurity strategy and follow the plan. And to help you, our team has prepared a guide with tips and tricks.
What is Cybersecurity in Healthcare?
Why introduce new technologies into hospital processes if they come with all sorts of risks? The answer is obvious: innovation is the best way to make treatment more effective and less dependent on external factors, whether it be human errors or the need for social distancing. In addition, healthcare workers are exempted from many bureaucratic responsibilities (digital algorithms perform them instead) and devote more time to treating patients.
Unfortunately, the use of innovation leads to attacks on healthcare organizations. Of course, these organizations make efforts to ensure information security, but this isn’t always enough. Hackers still manage to find a way to harm them, which ends with the theft of confidential data, compromise of patients and medical personnel, blackmail, or even an attempt to manipulate smart devices remotely (there are many options).
Current cybersecurity background
As studies show, the US healthcare industry is especially vulnerable to cybersecurity attacks, it is also one of the largest in the world. Perhaps that's why it is so attractive to scammers: it has the potential to bring them more profit.
Cyberattacks on healthcare have become really brutal and merciless. As cybersecurity expert Mac McMillan says, cybercriminals are now willing to risk patient safety in a way that hasn't happened before.
Ransomware has been on the rise in the last year and continues to attack the healthcare industry. According to a report by the Ponemon Institute2, nearly 45% of hospital information systems have experienced at least one ransomware attack, and 30+% have experienced two or more of them. The results of such attacks were sad:
delays in procedures and tests;
many patients were transferred to other institutions;
an increase in the number of complications after medical manipulations.
Healthcare companies still fail to protect their information systems: according to recent analyzes, at least 50% of health-related devices in the world have critical vulnerabilities, and over 30% of organizations leak data during a telemedicine session.
Key Healthcare Cybersecurity Threats
The topic is very broad, and we’d like to discuss it in detail, step by step.
What has increased cyber risks in the healthcare sector?
Total chain digitalization. All industries are moving online and mastering IT technologies. Medicine is no exception, of course. And the more actively a company uses software, the more reasons cyber scammers have to attack its system.
Pandemic. With the onset of the pandemic, the demand for telemedicine has increased. And at the same time, the number of incidents related to cybersecurity has grown too. Among other things, hackers began to receive orders to steal patient data (their clients wanted to know the medical history or causes of death of the important people).
Health sector conservatism. Many doctors and other members of the healthcare industry are used to working on the same old-fashioned scheme, they aren’t familiar with innovations and don’t know how to properly handle technology. Hence the many problems with cybersecurity.
Small budgets for cybersecurity. Some markets and industries allocate significant funds to protect their information systems. Alas, the same cannot be said about the health sector. Investments in security are growing, but not as fast as we'd like.
Types of risks & cyberattacks on healthcare
It's time to take a closer look at the cyberattacks against the healthcare sector... let’s classify and group existing risks.
Malware includes a lot of things, such as viruses, bots, rootkits, spyware, ransomware… the list goes on. The attacker finds a way to force (or convince) users to install the program and then takes control of their system.
Trojans are the most dangerous type of malware in cyberattacks on healthcare organizations (nearly 80%), followed by ransomware (close to 20%) and spyware (3%), according to recent studies.
Phishing is aimed at stealing the personal data of patients (and the rest of it). It works like this: the scammer writes a convincing text on behalf of a respectable medical company and sends it as an email or SMS message to the chosen victim. The victim (usually the patient) believes what he is reading and therefore performs an erroneous action (say, he follows a certain link). It's done!
The problem of phishing was especially acute at the peak of the pandemic: many users willingly opened emails designed as letters from healthcare institutions.
It’s not enough to invest in your own cybersecurity infrastructure. A third party may turn out to be a weak link too... To be precise, hacking the IT infrastructure of partners, patients, or drug suppliers can result in attackers penetrating the network of the chosen medical institution. Alas, cyber risks in the healthcare sector aren't so easy to avoid.
Password sniffing also poses a danger when it comes to cybersecurity in healthcare and data protection. The bottom line is that hackers try to guess passwords for multiple accounts. There are many ways to achieve this, including the rather primitive one, which involves entering a lot of usernames or email addresses into a special program, which matches the received data with commonly used passwords.
And trust us, the danger is real and not just about healthcare. There is a known case when over 500K Zoom credentials were stolen in this very way and then sold on the dark web for cheap.
Mass user attack
As you should be well aware, the simultaneous visit of the site (or app) by a huge number of people can lead to its downfall (or at least it'll work rather slowly). But it’s not the only risk. Unfortunately, sometimes cyber scammers resort to such a method to gain access to medical data: roughly speaking, they arrange a deliberate user mass attack. Of course, so-called bots are used instead of real users.
Vulnerability of healthcare devices
Now let’s talk about medical device cybersecurity. Yes, the problem is rather crucial and worth discussing.
The fact is, most medical devices are designed for a single purpose, whether it's tracking heart rate or diagnosing a patient's visual acuity. Manufacturers rarely care to protect equipment from cyber threats. “Why would I bother?” They may think. “Is it possible to hack a tomograph? Who needs hacking it anyway?”
Alas, when the tomograph is connected to the Internet of Things system, the mentioned hacking is able to compromise the entire network. That's what we're talking about.
Let's take a real-life example: one day, doctors turned off the wireless module in the pacemaker in order to save the life of Dick Cheney, the former Vice President of the United States... A strange way to save someone's life, right? But this was the only solution, as cybercriminals tried to kill a powerful politician using loopholes in the hospital's cybersecurity system.
Another example is when hackers found vulnerabilities in Verkada cameras and managed to access 150,000 of them in hospitals around the world (and not just hospitals, police stations were also affected).
We’ve described the main healthcare cybersecurity threats. But we're not done yet... to complete the topic, we need to mention the factors, which can turn a possible cyber risk into a real danger:
Human factor. We're talking about unintentional errors of medical staff when working with the digital system of the clinic. Most often, such errors occur due to the complex program interface or if the management of the healthcare institution doesn't care to show the nurses and doctors the proper way to interact with the software.
Irregular updating of IT infrastructure. Everything sooner or later becomes obsolete, including IT products. Moreover, what belongs to the digital industry is losing relevance even faster: after all, the IT world is developing by leaps and bounds. And cybercriminals find it easier to break into an old system than try doing the same with the updated one, which is protected much better.
Rejection of professional support. Many hospitals refuse the help of experts who understand the matter of cybersecurity in healthcare. They see it as a good way to save money. However, in the long run, it can result in even greater expenses (if the system is hacked and patient data is stolen).
To finally convince you that investments in cybersecurity are something to seriously think about, we’ll bring a couple of examples from the real medical practice of healthcare organizations in different parts of the world.
Cyberattacks against the healthcare sector: real-life examples
In 2020, the news portal NBC News reported on a very sad incident. Ransomware attacked an American hospital, and the attack was directed at one of the female patients. The management of the hospital found no other way but to transfer her to another medical facility. Alas, the story ended tragically, since the time spent on transportation could have been invested in treatment.
There are cases, for example, when hackers redirected an ambulance to another medical facility, and the patient who really needed health assistance received it later than desired.
Here is a great example of why you need to take care of medical device cybersecurity: some time ago, McAfee experts found vulnerabilities in B. Braun brand infusion pumps. "So what?" You can ask. “How could such a pump harm people?” But it really can! Imagine cyber-scammers forcing this device to inject an extra dose of drugs into a patient, and doing it remotely... Scary prospects, right?
Another similar case occurred with Medtronic MiniMed controllers for remote monitoring of patients. The problem was discovered by the FDA, and it did it on time. Nothing bad happened to the patients.
And let's recall another unfortunate situation, which took place when the pandemic just stroke. We're talking about the Czech Republic, which failed to protect the healthcare sector. As a result, one of the largest COVID-19 testing centers stopped working (at least for a while).
These and many other cases forced the management of medical institutions to re-evaluate the threat of сyberattacks on healthcare. This resulted in the following cybersecurity trends.
Cybersecurity in Healthcare: Relevant Trends
Focus on securing supply chains. Medical companies also deal with supplies, usually medicines, special equipment, and so on. And since, as we said, a third party can pose a threat too, the first trend concerns its protection (after all, suppliers are this very third party).
On guard of the new. Technology continues to evolve, and businesses are increasingly tracking innovations to identify those that can be applied to protect healthcare infrastructure.
One such successful innovation is AI and related machine learning.
Qualified help. We've already discussed how and why refusing professional assistance increases cyber risks in the healthcare sector. And a growing number of medical companies are realizing that saving on expert support is a bad move.
Revealing device vulnerabilities. Now we have no choice but to start thinking about cybersecurity at the level of healthcare equipment manufacturing. Luckily, manufacturers, too, understand why it needs to be done.
Global approach. And of course, we can't deal with ransomware if we don't work together, so to speak. We need joint efforts of developers and representatives of the medical sector around the world.
How to Protect the Healthcare Sector?
So far, we’ve dealt with theory, but it's time to move on to practical advice. Therefore… what steps should healthcare businesses take to ensure their patients are properly protected?
Let's start with the fact that the key task of any forward-thinking clinic is to distinguish existing healthcare cybersecurity threats from only potential ones.
Existing (direct) risks are those that have already been harming the infrastructure of a healthcare institution. That’s a bad scenario, cyber threats should be detected before damage is done.
Potential risks are various threats, which are able to damage the IT network of a medical company (which hasn't happened yet). The main task is to develop ways to approach any cyberattack and prevent potential risks from becoming real.
When we’ve classified the risks, we need to make a list of counteractive actions.
In addition, we’ll give you some useful tips to help you actively counter cyberattacks on healthcare:
Introducing a patient safety-focused culture of cybersecurity, which implies:
The head of a medical company should participate in the discussion of cybersecurity issues;
Employees must be regularly informed about proper cyber risk countermeasures. Make them aware of their obligations to protect the confidentiality of patient data. Let’s say, why not conduct some sort of training?
Preventive measures. You need to think about cybersecurity before the digitalization of the hospital system. A good option is to combine your cyber strategy with a business plan.
Instant response to an attack. If you fail to prevent one of the cyberattacks against the healthcare sector, make sure you immediately react to it and take measures to eliminate its consequences.
Following the principles of Zero Trust. Simply put, you need to delineate and separate access to the corporate network and introduce mandatory user identification.
Ease of use. And of course, using the hospital system should be simple. A doctor may be a tough medical expert, but that doesn't make him an experienced user.
Cyberattacks on Healthcare: What to Expect?
The more advanced medical technology, the more sophisticated the attacks. So the motto should be "Never lose control!".
Fortunately, today healthcare companies understand they can't let their guard down, which is confirmed by statistics. According to the latest data, almost 70% of medical organizations plan to increase investments in cybersecurity this year (compared to 55% last year).
And now… What is cybersecurity in healthcare if we’re trying to look ahead? What to expect and fear?
Complicated problems. As we said earlier, as health-focused technologies improve, so will cyber threats. Not everyone is ready to rise to new challenges.
Serial attacks. Similar cases have happened in the past years, and the trend is expected to continue. The point is a simple one: the scammers choose a victim (some kind of medical organization), which is subjected to a series of attacks using ransomware. Once an organization pays the ransom, it becomes everyone's desirable target and catches the attention of other cyber criminals too. In addition to this, a certain group of hackers can attack the healthcare company multiple times.
Vulnerabilities in the spotlight. Cyber scammers used to be looking for some vulnerabilities in medical equipment or security systems in the past too (with a view to using the loophole they found to hack into the hospital network). And they'll keep doing this in the future, moreover, their efforts will intensify (which brings us back to the need to strengthen the medical device cybersecurity).
The conservative approach is losing. Conservative healthcare companies operating in an old-fashioned way will become easy prey for cyber scammers. As a result, they'll face additional problems. The best solution is to keep abreast of the latest IT innovations.
As you now understand, today's software must be able to counteract various cyberattacks on healthcare organizations. Therefore, you should only work with experienced mobile and web development experts.
Maybe our team is what you're looking for? We have both experience and expertise and are happy to help you with your project.