Protecting patient data: Cybersecurity in the healthcare industry

In this guide

• Overview
• Breach in healthcare industry
• Solution for healthcare industry
• Challenges
• Further reading
• FAQ

Over the past decade, the cyber threat to the healthcare industry has increased dramatically, along with the sophistication of cyberattacks.

Industry and government both recognize this new era. For each improvement delivered by automation, interoperability, and data analytics, the vulnerability to malicious cyberattacks also increases. 

Cyberattacks are of particular concern for the health sector because attacks can directly threaten not just the security of systems and information but also the health and safety of patients.

Healthcare organizations are attractive targets for cybercriminals for three main reasons: 

1. Criminals can quickly sell patient medical and billing information on the darknet for insurance fraud purposes. 
2. Ransomware’s ability to lock down patient care and back-office systems makes lucrative ransom payments likely. 
3. Internet-connected medical devices are susceptible to tampering.

Related resources

• Cybersecurity in critical industries
• Cybersecurity in the time of COVID-19
• An interview with Eugene Vasserman
• Internet safety resources for students
• How to respond to cyber hacks and security breaches

Cybersecurity issues in the healthcare industry

Health organizations, large and small, are prime targets for cybercrime. The growing number of healthcare-related cyberattacks is an indication that smaller health providers are falling victim to cybercriminals at an increasing rate. 

Large healthcare providers often have the resources necessary to mount a formidable cyber defense strategy.

These large hospitals and health provider chains can often afford to hire a chief information security officer, staff a security operations center, and subscribe to the best threat intel services. 

Community hospitals, independent doctors, and dentists don’t often have the luxury of spendy cybersecurity defenses. Yet, they shoulder the same cyber risks and present an equal opportunity for criminals.

The American Medical Association states that nearly 57 percent of medical practices in the U.S. have ten or fewer physicians, and about 10 percent are solo practitioners. 

Unable or unwilling to pay exorbitant ransoms, many small healthcare providers cannot survive these attacks and feel forced to close their businesses.

These practitioners are fully aware that paying a ransom demand, by no means, guarantees that the hacker will release data or equipment. Nor does it ensure that they will not sell your patient’s data on the darknet. 

The attack focused on a dental-focused technology provider and locked dentists out of their data. A ransomware incident in August 2019 forced Wood Ranch Medical in Simi Valley, California, to close its doors on December 17, 2019.

A note on their website said,

Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there. With our backup system encrypted as well, we cannot rebuild our medical records,” the note continues. As much as I have enjoyed providing medical care to you, I will not be able to attend to you professionally after that date.

Arguably the most respected and informative security industry annual report is the Verizon DBIR (Data Breach Investigations Report). The 2020 DBIR indicates a substantial increase in the number of breaches and incidents overall in the healthcare sector.

Financially motivated criminal groups continue to target the healthcare industry primarily with ransomware attacks. Lost and stolen assets are also a problem, and human error is alive and well in this vertical.

Lest one think that most healthcare cyberattacks are launched from some clandestine bunker, it is essential to note that nearly half of the breaches in this sector come from internal bad actors. 

DBIR reported that the healthcare sector had internal actor breaches (59 percent) exceeding those by external actors (42 percent). External actor breaches are more common at 51 percent, while breaches executed by internal actors fell to 48 percent.

However, this is a small percentage, and healthcare remains the industry with the highest amount of internal bad actors.

As a glimmer of hope, the 2020 DBIR shows that privilege misuse incidents have declined across the board. In 2019 privilege misuse stood at 23 percent. This year it dropped to 8.7 percent. Privilege misuse is the direct result of poor access control.

Users have more access rights than they need to do their jobs, and the organization fails to monitor the activity of privileged accounts properly and establish appropriate controls.

The decrease in this type of event can be seen as reflecting improved security policies and training. These indicators denote an increase in security awareness within the organization. 

Privilege misuse incidents are responsible for user errors that result in data loss or unauthorized access by an adversary. Privilege misuse is not to be confused with internal bad actors.

Another change that goes along with decreased insider misuse breaches is a corresponding drop in multiple actor breaches. The healthcare sector has typically been the leader in this type of breach.

This type of breach usually occurs when external and internal actors combine forces to steal data used for financial fraud. The multiple actor breaches last year were at 4 percent, and this year dropped to 1 percent.

The top cybersecurity error experienced by the healthcare industry is misdelivery. This error tends to fall into two categories:

• When an email is sent to the wrong email address or distribution list, and sensitive data is received by unauthorized personnel.
• Snail mail equivalent; when address labels for a mass mailing get out of sync and confidential information is mailed to the wrong recipient. 

Case study: Cybersecurity breach in healthcare

In 2019 a small community health system in Wyoming fell victim to a cyberattack. Campbell County Health operates a 90-bed acute care hospital in Gillette and nearly 20 clinics across the county. Attackers locked up sensitive patient information and medical devices and then demanded a ransom. 

As a result of the attack, Campbell County Health employees found it necessary to cancel services, including radiology, endocrinology, and respiratory therapy. Reports indicate that the organization transferred patients to hospitals as far as South Dakota and Denver.

Cash registers, email, and fax were all unavailable. Doctors had to resort to pen and paper to document medical conditions, and with prescription records inaccessible, patients were required to bring medication bottles to visits.

Many security professionals see the eventuality of a cyberattack against any given healthcare organization as a matter of when – not if. 

In a video address to the community, Andy Fitzgerald, Chief Executive Officer of Campbell County Health, said,

CCH is not the first organization, hospital or otherwise, to be hit with a ransomware attack. Every organization is subject to this type of cybercrime. We were not the first, and, unfortunately, we won’t be the last to experience this.

Individuals, as well as organizations, must remain constantly vigilant, at home and at work, to avoid becoming a victim of this kind of crime. CCH had strong systems in place before the attack, and we have invested in additional measures, but the threat remains for all of us.

What makes cybersecurity challenging within the healthcare field?

The healthcare sector has all the cybersecurity challenges facing any business, plus unique challenges all their own. They must protect their networks, databases, and endpoints from attack. They are responsible for protecting private financial and medical information about their patients and employees.

They often protect valuable intellectual property. Additionally, they have challenges few other businesses encounter. The number of connected medical devices has exploded over the last ten years. Nearly every conceivable piece of medical equipment is now web-enabled or connected to the organization’s operational network. 

The prevalence of medical device hijacking has spawned the use of the term “medjacking” to describe these attacks aimed specifically at connected medical devices.

These connected devices are often necessary to sustain the life of the patient. Disabling them, or modifying their functionality, can mean the difference between life and death. Like any digital device, updates are needed to keep them running and safe. 

Connected devices include patient-tracking wristbands, equipment tracking for crash carts, ventilators, portable X-ray machines, and vital sign monitors. All of these devices communicate across the hospital network providing doctors with valuable patient information entered into electronic health records.

The transmitted data allows doctors to provide more affordable care. Clinicians can work faster and in safer conditions. And each of those devices acts as an entry point for cybercriminals to exploit.

In 2020, Black Book Market Research LLC surveyed over 2,800 security professionals from 733 organizations to identify gaps, vulnerabilities, and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyberattacks.

The report showed healthcare’s cybersecurity struggles are caused by budget constraints. It is costly to replace legacy software. Past reports from security researchers show that the majority of healthcare medical devices operate on legacy platforms.

Fifty-six percent of healthcare providers still rely on legacy Windows 7 operating systems. Many of these providers struggle with understanding or performing necessary patches.

Nothing could be of higher priority than the health and well-being of patients, and communication between healthcare providers and patients or between the various healthcare functions has been refined to an art. So, why does the healthcare profession struggle with cybersecurity?

The top cybersecurity challenges facing the healthcare industry are:

• Patient information is valuable on the darknet.
• Medical devices often lack adequate security controls.
• Medical professionals need the ability to access medical data remotely.
• Insufficient cyber risk training among healthcare workers.
• Outdated technology is used in many healthcare facilities.

Very few healthcare providers are oblivious to the extraordinary cybersecurity risks shouldered by the industry. Their position as the most attacked business sector has not escaped notice.

The issue of cybersecurity has risen to the forefront of concerns for this sector. There are seminars, conferences, white papers, and myriad cybersecurity training opportunities for healthcare professionals.

Like any other business sector, efficiencies are introduced to enhance competitive advantage. One of the significant efficiencies leveraged by healthcare providers is how much time they spend with each patient. Too much time with one patient means someone else’s medical needs may not receive attention. 

Dr. Christian Dameff is the Medical Director of Cybersecurity at the University of California, San Diego. In a November 2019 Ars Technica article, he states,

“I have a lot of patients that I need to take care of, and I have only a finite amount of time to take care of them. Even with my cybersecurity expertise and my understanding of these problems, I still really wrestle with the thought of, ‘If I’m only going to see this patient for 15 minutes and might not ever see them again, do I talk to them about patching their pacemaker, or do I talk to them about their horribly uncontrolled diabetes and high blood pressure?

Ideally, those things would not be mutually exclusive, but that’s just not the reality of modern medicine and modern healthcare.”

Dr. Dameff is required to prioritize healthcare over cybersecurity. No one would want it any other way, but the necessity to make such a choice highlights the need for this sector to find new solutions to their unique needs.

Cybersecurity solutions for the healthcare industry

Currently, the healthcare industry is losing ground in its battle against cybercrime. Antiquated computing systems and too few trained cybersecurity professionals combined with an increase in connected medical devices have left this sector vulnerable.

Technological advances in patient care equipment, systems, and processes have outstripped improvements in backend support systems where valuable patient information is stored. 

The current global pandemic only exacerbates these problems. In May 2020, Bitdefender Labs, a leading cybersecurity vendor, reported,

“With healthcare systems under constant strain amid the SARS-CoV-2 global pandemic, hospitals and healthcare facilities around the world have also been hit by a wave of cyberattacks, including ransomware attacks.

While officials have already issued warnings that hospitals, governments, and universities may be more conscious about losing data and access to critical systems, Bitdefender telemetry reveals that the number of cyberattacks and ransomware incidents directly targeting healthcare significantly increased over the past couple of months.

The number of cyberattacks detected at hospitals in March increased by almost 60 percent from February, according to Bitdefender telemetry.

This is the highest spike in our global evolution of cyberattacks detected at hospitals reported over the past 12 months, showing that cybercriminals have clearly leveraged the pandemic to launch these campaigns.”

Cybersecurity solutions for healthcare organizations should provide safeguards that exceed those of most businesses. Arguably, these systems and devices should be equal to or surpass those used in financial organizations in terms of the level of protection provided. 

To achieve this goal, healthcare institutions must look at each new platform proposed in terms of the medical benefits provided to their patients and the risk of cyberattacks.

According to the Forrester New Wave: Connected Medical Device Security, Q2 2020 Report, any security platform under consideration for introduction into the medical environment should be thoroughly evaluated against the following criteria.

Conclusion

Architecture	– Where do sensors and appliances need to be placed in the network for typical operation? – How many sensors or appliances does the typical hospital require? – What information does the vendor’s product require to be transmitted off-premises? – How is this data secured (both in transit and at rest)?
Analytics and Reporting	– Does the vendor produce dynamic reports that effectively communicate risks associated with a medical device environment?
Attack Response	– What are all the remediation and response actions available to customers when a security attack is identified (e.g., configuration changes, device quarantine, behavioral block, device removal from network, etc.)?
Threat Research	– How does the vendor discover new medical device threats and vulnerabilities?
Device Visibility	– How granular is the classification taxonomy of the devices in the environment (i.e., device function, type, OS/firmware, vendor, and model)? – How does the vendor ensure that classification taxonomy remains current in light of new devices, vendors, models, etc.?
Vulnerability Management	– Does the product track medical device vulnerabilities (i.e., CVEs and medical device security advisories)? – How are these reported on, and what actions can be taken from the admin console?
Integrations	– What are all of the native, out-of-the-box integrations with third-party security and IT operations tools? – Which are bidirectional, and what are the specific benefits to customers?
Vision	– How well does the vendor’s product vision align to address the major customer requirements for medical device security?
Roadmap	– What are the vendor’s short-term and long-term product roadmaps? – How differentiated is the roadmap from the competition? – Are the planned features expected to contribute meaningfully to customer and product success?

Cybersecurity influences every aspect of the Healthcare industry, from the confidentiality of sensitive health information to insurance rates to patient care.

Industry and government leaders acknowledge that healthcare trials should be in cybersecurity technologies, standards, and processes. 

While some call for additional governmental regulation to ensure patients and their data are protected, many healthcare leaders understand that voluntary compliance with the strictest standards is the only way to stave off further, and sometimes, onerous compliance regulations. 

As concerning as today’s known healthcare cybersecurity threats are, the scariest of all cyber threats may still lie ahead. Researchers in Israel announced that they have created a computer virus capable of adding tumors to CT and MRI scans. In the wild, this malware could fool doctors into misdiagnosing patients, according to a story by Kim Zetter in The Washington Post.

The healthcare industry faces significant cybersecurity challenges unique to that sector. When lives, not just fortunes, are at stake, the best and brightest in computer science, medical science, and business must work in concert to find innovative solutions to address the threats bearing down on medical care as we know it.

Further reading 

• Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
• 50 things to know about healthcare data security & privacy
• Medical & IoT Device Security for Healthcare
• HIPAA Journal – Healthcare/cybersecurity

Frequently asked questions