In what scenario would you be willing to answer invasive and personal questions without thinking twice? That’s right, at a doctor’s appointment. Doctors are there to help you when you’re not feeling well, so of course you’ll answer any questions they have honestly and without thinking about it, because they’re trustworthy, right? Well, yes, they are (or at least they should be), but that doesn’t mean this information can’t be accessed by untrustworthy people. And the healthcare industry is the worst at protecting your information, with the most data breaches occurring in this sector.
Of course, the doctors and nurses care about your well-being, and this is precisely why your personal information is not as secure as you’d like it to be. The healthcare sector primarily focuses on patient care and, in turn, forgoes investing in top-notch cybersecurity protection, with only 4-7% of revenue being invested in cybersecurity, compared to the financial sector, which invests around 15%. This should not be the case, since a cyberattack on a healthcare facility has the most dangerous consequences. Why? Your livelihood is at stake. What’s worse is that the healthcare industry is the most targeted; your information is a gold mine for bad actors. Think about all the fun they can have. Not only can they steal your identity, but with your Personal Health Information (PHI) malicious actors can make fake insurance claims, take advantage of any of your medical conditions or medical settlements, and purchase medication with your prescriptions. As such, PHI is valued at $363 on the black market, compared to Personally Identifiable Information (PII), which sells at around $2. Clearly, the healthcare industry is an attractive target for attackers, and the fact that it is so poorly protected makes it that much more appealing to carry out an attack.
These data breaches might be caused by malware, but that is not the only damage malicious software can do. It can also trigger operational disruption, which hinders productivity. Distributed Denial of Service (DDoS) attacks render a server unable to operate. For some businesses this might be extremely annoying and frustrating, but for the healthcare industry it can be fatal, since a lot of critical medical equipment today is actually a computer. Additionally, patient records, laboratory results, hospital elevators and more rely on technology, and a DDoS attack can affect them, too.
The healthcare industry is also no stranger to ransomware attacks. Hospitals especially, due to their large assets, are frequently targeted. These attacks prevent files and systems from being accessed until a payment is made. And these aren’t minor payments – attackers are greedy, with the average ransom paid by healthcare firms in 2018 being just under $30,000. Paying the ransom, however, is actually not recommended, as it only encourages more attacks of this type. Yet whether the ransom is paid or not, there is a risk of the data never being recovered. The fact that the healthcare industry is so nonchalant about security means that it is at serious risk.
This must come as a shock, since doctors often make us feel safe and protected. I mean, their job is to save lives, after all. So how do these attacks get carried out? Well, as I mentioned, the healthcare industry does not prioritize cybersecurity. Of course, it is because they are prioritizing us, but we can’t be protected unless the industry is cyber protected. By prioritizing our well-being, healthcare employees lack awareness of how risky cyberattacks are and how their own actions can be the greatest cause of them. The healthcare industry is the worst offender when it comes to insider attacks, being the only industry where internal actors cause more breaches than external ones.
Yes, there might be employees acting with malicious intent, but the biggest threat comes from the fact that employees do not even know they are increasing the organization’s vulnerability to an attack, or even causing one themselves. Social engineering techniques are favored by bad actors, and the lack of on-the-job training means that most employees fall straight into the trap. As such, rogue links and websites can be attached to phishing emails that, when clicked, cause malware to be downloaded onto the endpoint.
Moreover, Bring Your Own Device (BYOD) policies increase the number of access points to the organization’s network, thereby increasing the number of ways a perpetrator can carry out an attack. Additionally, the healthcare industry is becoming more accepting of Internet of Things (IoT) devices, with much of the apparatus used in hospitals now being internet-connected, many of which are vitally important to a patient’s well-being, such as heart monitors and infusion pumps. These devices provide more points of entry to the organization’s network and, if hacked, can be lethal.
The lack of security, insiders’ lack of cybersecurity knowledge and the increased usage of BYOD and IoT devices are allowing actors to increasingly mobilize Rogue Devices to carry out attacks, be that a data breach, a ransomware attack or a DDoS attack. The consequences of any of these attacks are extremely hazardous for the healthcare industry, mostly impacting patient safety and the reputation of the organization, not to mention the huge (and I mean huge) financial burden of remediating an attack. Because of the highly sensitive nature of the data held by healthcare organizations, the fines imposed are often in the millions, in addition to millions spent on indirect costs over the years. As such, the financial implications of a cyberattack are almost impossible to calculate. Of course, we should still trust doctors with saving our lives, but maybe you’ll think twice about telling them every detail; only the necessary ones.